Sourcery's Response to Security Concerns

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

We have an official statement regarding the security issues discovered.  
http://sourcel3zg2kzu4k.onion/security-response.php

Pasted here as well:

I wanted to take time to address the issues that were uncovered by a few 
pen testers. We acknowledge that we had a slip and we have corrected the 
issues uncovered. The most devastating was the PM leak and I greatly apologize 
to each and every one of you. One of our premises when opening the market was 
that we would operate differently - we wouldn't hide or try to cover up problems 
but we would be open and transparent about them. Some points I do want to make:

No contractual data was exposed. There was no compromise in the financial part of Sourcery.

Your wallets were never compromised. Also, since we don't keep coin on the market, your coin was never in danger.

No accounts were compromised. We do encrypt passwords and the mnemonic in our database (not just md5 hash, full encryption).


How did this happen? We had a deployment that broke a section of the authorization
logic. It wasn't fully broken, but on certain pages, such as the PMs, the bug allowed
the page to load and then redirected to a default page. On a browser, this wasn't
noticeable at all because the redirect happened quickly. But running it in curl or any
other automated tool, the tool would have picked up on the page load, then the redirect
request. We know we have an uphill battle to regain your trust, but I hope sincerely that
we can. We are acknowledging our shortcomings and working so that this doesn't happen in
the future.

One other point I wanted to bring up was that we saw some speculation on our image uploader
and whether or not malicious code could be injected. We will have pen testers verify
what we have found to ensure this is not the case, but we do image analysis when you
upload a photo. Many of you actually have run into problems because of that analysis. When
you upload an image, we analyze that image to make sure it's actually an image. We don't
just look at the file extension. You can try it out yourself. Go upload a piece of code,
name it something.jpg and try to upload it. It will be rejected. Also, along these
lines, someone mentioned that the image fetching was taking a path to a directory and
loading the file. This is not the case. The images actually aren't accessible via the
directory. This is why it requires going through the "loader" to fetch images. Your
images are not saved in the "images" directory of the web application. This is
absolutely not the case. If you ever noticed in the code, to fetch an image, the
URL is something like

http://sourcel3zg2kzu4k.onion/ad-images.php?photoName=blah.jpg

The photo is not stored as "blah.jpg". This is simply a key to look up your photo
and fetch it. You will not find a file called "blah.jpg" on our server. We generate a
lookup name and this is what is used to fetch the image. You cannot fetch your image
by any URL in the address bar because the image simply is not available in the web
app directory. We do this on purpose for security reasons. Again, we will make sure
our pen testers confirm this for us, but there was a reason we did things this way. In
short, we not only analyze your upload to make sure it's actually an image, we store
it in such a way that it's not accessible directly on the URL.

What are we doing?

We are going to slow down our deployment process and ensure that even little 
changes undergo rigorous testing before release.

We have hired a new pen tester who will be hitting our platform and providing a 
report. We are in the works with hiring an additional pen tester and perhaps another 
person to do code auditing (need to see the logistics on this).

Obviously we are also doing additional code audits and testing on our own along with 
the outside consultants.


We have no excuse for what happened and we are quite embarrassed. We want to work on 
the issues and harden everything to ensure that everyone is protected. We will not 
have this sort of slip again and we hope that we can regain your trust in Sourcery 
and we will work diligently to ensure you are happy here. 
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJZgporAAoJEI6Gz4/YbLRHBTQQAK8ia+qYv9X5WdxWf8uj75W6
iGTW13V9sN+V3qr54mZ91SpTBKbJBPChGsCG6kRvgOwwQH1KxSBLb03Ke2XhVkB0
pnlBzx4U6DuO9TY1VWU/uKtyuB25Ygfp9Gg2NZgd1/y2lK0XHB2o9ocf2uenHDkn
GFqsjTCkfufWh9g/a0SniIst4tEBx44d1Wsl6Q4G9PxSrjElBF/UaX6tnoaSFA3l
CDfJO4wZ+OwIrBzAT8oaVb1tgmtMXw4GB5Cu04k7QXv6/zDQLigztqzyyOVnrB3o
CzFjCQPrcRHh9pxhQ9YWKUXWtlmRNnPWr1LOgE5JKAWitHv2cX5roy5ci1asqsZz
+4kc9WgbqPfWcJ1Ng8M0GBQRCgaPYkAWp/Qj+gn8GPr3PS1jKdI7xuFy1UNe9QOw
SIBYnpPLDlGN9tyL4Lxi8eKrBNlT1MNNGYwZuMDgdZtLUZkHiiKNLod8ktnGkolq
nx1Skuu4fi7svvSjkcfYLxfTJIXQsWk73mB9+AROv9Z36bIvE7V4hWJclBa2tHvD
on2P5VI1mUR7Z+s2VvIBW+KRhRlhO9U0/RmRncr/f2W3wFQ3W1oXS3ms9U0cXqe9
j2G6lqzlTedv4j1JWN8iCHTPQZ8xj72dGONn3Cc8Qf73oOcCKfhoA8+gldoE1EfX
+5L/Yelk4JB3liidm7d/
=W6/3
-----END PGP SIGNATURE-----
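The "page loads, then redirects" bug described in the statement is the classic render-then-redirect mistake: the authorization check emits a redirect header but does not terminate the request, so the protected page is still rendered into the body of the 3xx response. Browsers follow the Location header and discard that body; curl without -L prints it. The following is an added example written for this page, not Sourcery's code (their site is PHP); it rebuilds the pattern as a minimal WSGI app. The handler names, the /index.php redirect target, the X-Session-User header standing in for a session cookie, and the sample message are all assumptions.

```python
"""Added example: the 'render, then redirect' authorization bug from the statement,
rebuilt as a minimal WSGI app so it can be run offline. Not Sourcery's code; handler
names, the /index.php target, the X-Session-User header standing in for a session
cookie, and the sample message are assumptions made for this illustration."""
from urllib.parse import parse_qs

# Constructed sample data: one private message belonging to user "alice".
PRIVATE_MESSAGES = {"alice": ["Meet at the usual place, bring the list."]}


def _owner_from(environ):
    # The PM page shows the messages of the account named in ?owner=...
    return parse_qs(environ.get("QUERY_STRING", "")).get("owner", [""])[0]


def _authorized(environ, owner):
    # Stand-in for the session check: the logged-in user must be the owner.
    return environ.get("HTTP_X_SESSION_USER") == owner


def render_pms(owner):
    items = "".join(f"<li>{m}</li>" for m in PRIVATE_MESSAGES.get(owner, []))
    return f"<ul>{items}</ul>".encode()


def vulnerable_pm_page(environ, start_response):
    """Sends a redirect for unauthorized visitors but never stops rendering,
    the equivalent of PHP's header('Location: ...') without a following exit."""
    owner = _owner_from(environ)
    status, headers = "200 OK", [("Content-Type", "text/html")]
    if not _authorized(environ, owner):
        status, headers = "302 Found", [("Location", "/index.php")]
        # BUG: no return here, so execution falls through to the render below
        # and the messages travel in the body of the 302 response.
    start_response(status, headers)
    return [render_pms(owner)]


def fixed_pm_page(environ, start_response):
    """Same page with the authorization check terminating the request."""
    owner = _owner_from(environ)
    if not _authorized(environ, owner):
        start_response("302 Found", [("Location", "/index.php")])
        return [b""]  # stop here: nothing sensitive is rendered for this request
    start_response("200 OK", [("Content-Type", "text/html")])
    return [render_pms(owner)]


def fetch(app, owner, session_user=None):
    """Drive a WSGI app the way curl without -L sees it: status, Location header
    and the raw body of the first response, with no redirect following."""
    environ = {"QUERY_STRING": f"owner={owner}", "REQUEST_METHOD": "GET"}
    if session_user is not None:
        environ["HTTP_X_SESSION_USER"] = session_user
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["location"] = dict(headers).get("Location")

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["location"], body


def leaks_on_redirect(app, owner):
    """The check an automated tool would run: does an unauthenticated request
    get a 3xx response whose body still carries the protected content?"""
    status, _, body = fetch(app, owner)
    return status.startswith("3") and body.strip() not in (b"", b"<ul></ul>")
```

fetch(vulnerable_pm_page, "alice") returns 302 Found with the message in the body, which is what `curl -i` (no -L) shows and a browser never displays; the fixed handler returns the same 302 with an empty body. The general rule is that every authorization failure path must end the request (return, exit, raised exception), and a regression test that asserts on the body of redirect responses catches a reintroduction of this bug regardless of how the templating is wired.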


Comments


[27 Points] None:

[deleted]


[3 Points] sharpshooter789:

How are you paying these pen testers and code auditors? Any half-decent pen tester will charge a considerable fee. Your site does not have many vendors so the market isn't exactly flush with btc.


[2 Points] drivebytransparency:

No accounts were compromised. We do encrypt passwords and the mnemonic in our database (not just md5 hash, full encryption).

Hmmm. Given previous mistakes made, I find it incredibly hard to give you the benefit of the doubt that you know what you're doing, that you're capable of running a market, and it's not just an issue with how you're expressing yourself.

You "encrypt" passwords, and not just "hash" passwords, seems to suggest you know the difference between what encryption and hashing is for, but fail to understand why you want to hash passwords, and NOT ENCRYPT THEM. (too long; didn't research - encryption is reversible, hashing is not).

You mentioned md5 for hashing passwords. Assuming you mean md5(password), this is terrible, as it is fast, and you can pre-compute the passwords for a lookup later on (or just search in your favorite engine. Take fc5e038d38a57032085441e7fe7010b0 for example).

Giving you the benefit of the doubt meaning you used a salted md5 password hashing technique still does not inspire confidence in me, as salted md5 password hashing is relatively ancient in password hashing techniques. Look at the state of the art at https://password-hashing.com.
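The points in the comment above are worth seeing in code: an unsalted md5 digest is a fixed value per password and can be looked up, a per-user salt defeats precomputed tables but not a dictionary run against a cheap hash, and a reversible "encryption" of passwords means whoever obtains the database together with the application's key reads every password in the clear. The following is an added example, not from the thread: the word list, salts and passwords are constructed, and scrypt from hashlib stands in for a modern password hash (Argon2id, the Password Hashing Competition winner, needs a third-party package in Python).

```python
"""Added example, not from the thread: why unsalted or salted md5 fails as a password
hash and what a salted, deliberately slow hash changes. Word list, salts and passwords
are constructed; hashlib.scrypt stands in for a modern password hash such as Argon2id."""
import hashlib
import hmac
import os

# Constructed dictionary. Real attacks use lists of hundreds of millions of leaked passwords.
WORDLIST = ["password", "letmein", "hunter2", "helloworld", "qwerty"]


def md5_lookup(digest_hex):
    """Unsalted md5(password) is the same value for everyone who chose that password,
    so it can be precomputed and looked up; the digest quoted in the comment above is
    one such value."""
    for word in WORDLIST:
        if hashlib.md5(word.encode()).hexdigest() == digest_hex:
            return word
    return None


def salted_md5(salt, password):
    return hashlib.md5(salt + password.encode()).hexdigest()


def crack_salted_md5(salt, digest_hex):
    """A per-user salt kills precomputed tables, but md5 is so cheap that running the
    dictionary against one user's salt is still immediate."""
    for word in WORDLIST:
        if salted_md5(salt, word) == digest_hex:
            return word
    return None


# scrypt cost parameters: modest so the example runs in well under a second.
# Production values are tuned to the hardware; n=2**14, r=8 is a common floor.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Returns (salt, digest). A fresh 16-byte random salt per password means equal
    passwords get different digests, and each attacker guess costs a full scrypt run."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison
```

The stored record is the salt plus the digest; nothing in it can be turned back into the password, which is the property a reversible scheme cannot offer. Dictionary attacks still work against a slow hash, but each guess costs the configured scrypt work instead of one md5 compression, which is the whole point of a password hash as opposed to a general-purpose one.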


[0 Points] AutoModerator:

To format PGP encrypted messages, signed messages or keys properly on reddit please follow these instructions.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.


[-1 Points] Kilo_Of_Kittymine:

even though it's not Tuesday, what if this market was LE from inception, like started by and run by LE and this ploy was just to get trust and lure in the masses, PORT TO PORT CONTROL DANIEL!