Open Road Market and Place Market Exploits

I have been conducting tests on a few markets this week to try and exploit simple holes in their security that have been overlooked. This has allowed me to achieve quite a worrying result, with the exploits being so simple, they could be used by Law Enforcement to de-anonymize users quite effectively in theory or they could be used by the wrong person and money could be stolen.

I have previously publicly posted about my claims in regards to Place Market, which was in discussion to be added to the Super List. I am still awaiting a reply from them since providing proof, but they don't seem to have been active.

I have also successfully executed similar attacks on "Open Road Market", and I am in the process of bringing this to their attention right now. This post is just to serve as a warning to the community right now and I will not be providing public proof as it may help others to discover the exploits and use them illicitly, however the mods have verified my findings independently.

Exploits found to work on both markets:

I hope, following my contact with the market admins, that these can be fixed urgently, and I would appreciate a bug bounty being paid.

Screenshots for proof:

http://ln6vyadk4hv3dnyt.onion/i/1bhmo3bqb.jpg

http://ln6vyadk4hv3dnyt.onion/i/1bhmo2lpu.jpg

http://ln6vyadk4hv3dnyt.onion/i/1bhmo26qf.jpg


Comments


[1 Points] wombat2combat:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The claims made by /u/HugBunter that Place Market and The Open Road 
have the following flaws:

Duplicated main Admin account

Redirect any user to any URL (Could be a phishing URL or even clearnet)

Prompt users with a fake authentication page within the same onion address, asking them to confirm their withdraw pin and in turn sending all of their on-site wallet funds to an address of my choosing.

Send authentic admin messages to users

were confirmed by us mods. The screen shots give you a good example 
of how authentic the messages can look.

The discovered issues are not something exotic that nobody could 
have imagined checking their code for. Sanitizing user input and 
reserving market support-like account names are two of the very basic 
things that a market should do.
Especially given the critical environment we all operate in.

We will therefore remove The Open Road from the superlist for now and 
not list Place Market for now either. 

The markets' admins are invited to contact us through the mod mail.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
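
The two basics named in the mod statement above (sanitizing user input and reserving support-like account names), together with a same-site check for the redirect flaw it lists, sketched as an added example. This is not code from either market or from the thread; the reserved-name list, username pattern and all function names are assumptions.

```python
import re
import unicodedata
from html import escape
from urllib.parse import urlsplit

# Assumed policy values for this sketch, not taken from either market.
RESERVED = {"admin", "support", "moderator", "staff", "system"}
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{3,20}")
# Characters commonly swapped in to imitate a letter (constructed, not exhaustive).
LOOKALIKES = str.maketrans("0l13457", "oiieast")

def skeleton(name: str) -> str:
    """Comparison form: case-folded, look-alikes collapsed, separators and digits dropped."""
    folded = unicodedata.normalize("NFKC", name).casefold().translate(LOOKALIKES)
    return re.sub(r"[^a-z]", "", folded)

RESERVED_SKELETONS = {skeleton(r) for r in RESERVED}

def username_allowed(name: str) -> bool:
    """Reject non-allowlisted characters and anything resembling a staff name."""
    if not USERNAME_RE.fullmatch(name):
        return False
    skel = skeleton(name)
    return not any(r in skel for r in RESERVED_SKELETONS)

def safe_redirect(target: str, default: str = "/") -> str:
    """Return target only if it is a same-site absolute path, else default."""
    if any(ord(c) < 0x20 for c in target) or "\\" in target:
        return default
    try:
        parts = urlsplit(target)
    except ValueError:
        return default
    if parts.scheme or parts.netloc or not target.startswith("/") or target.startswith("//"):
        return default
    return target

def render_message(sender: str, body: str, sender_is_staff: bool) -> str:
    """Escape all user-supplied text; the staff badge comes from the server-side role only."""
    badge = "[STAFF] " if sender_is_staff else ""
    return f"<p>{badge}{escape(sender)}: {escape(body)}</p>"
```

The substring match on the skeleton is deliberately conservative, so it also refuses harmless names that happen to contain a reserved word.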


[6 Points] HugBunter:

Paging: /u/TheOpenRoadTeam /u/PlaceMarketOfficial


[5 Points] ptbmnnn:

Damn nigga

