-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

We have an official statement regarding the security issues discovered.
http://sourcel3zg2kzu4k.onion/security-response.php
Pasted here as well:
I wanted to take time to address the issues that were uncovered by a few
pen testers. We acknowledge that we had a slip and we have corrected the
issues uncovered. The most devastating was the PM leak and I greatly apologize
to each and every one of you. One of our premises when opening the market was
that we would operate differently - we wouldn't hide or try to cover up problems
but we would be open and transparent about them. Some points I do want to make:
No contractual data was exposed. There was no compromise in the financial part of Sourcery.
Your wallets were never compromised. Also, since we don't keep coin on the market, your coin was never in danger.
No accounts were compromised. We do encrypt passwords and the mnemonic in our database (not just md5 hash, full encryption).
How did this happen? We had a deployment that broke a section of the authorization
logic. It wasn't fully broken, but what it did was on certain pages, such as the
PMs, the bug allowed the page to load, then it redirected to a default page. On
a browser, this wasn't noticeable at all because the redirect happened quickly. But
running it in curl or any other automated tool, the tool would have picked up on the page
load, then the redirect request. We know we have an uphill battle to regain your trust,
but I hope sincerely that we can. We are acknowledging our shortcomings and working so
that this doesn't happen in the future.
One other point I wanted to bring up was we saw some speculation on our image uploader
and whether or not malicious code could be injected. We will have pen testers to verify
what we have found to ensure this is not the case but we do image analysis when you
upload a photo. Many of you actually have run into problems b/c of that analysis. When
you upload an image, we analyze that image to make sure it's actually an image. We don't
just look at the file extension. You can try it out yourself. Go upload a piece of code,
name it something.jpg and try to upload it. It will be rejected. Also, along these
lines, someone mentioned that the image fetching was taking a path to a directory and
loading the file. This is not the case. The images actually aren't accessible via the
directory. This is why it requires going through the "loader" to fetch images. Your
images are not saved in the "images" directory of the web application. This is
absolutely not the case. If you ever noticed in the code, to fetch an image, the
URL is something like
http://sourcel3zg2kzu4k.onion/ad-images.php?photoName=blah.jpg
The photo is not stored as "blah.jpg". This is simply a key to look up your photo
and fetch it. You will not find a file called "blah.jpg" on our server. We generate a
lookup name and this is what is used to fetch the image. You cannot fetch your image
by any URL in the address bar because the image simply is not available in the web
app directory. We do this on purpose for security reasons. Again, we will make sure
our pen testers confirm this for us but there was a reason we did things this way. In
short, we not only analyze your upload to make sure it's actually an image, we store
it in such a way that it's not accessible directly on the URL.
What are we doing?
We are going to slow down our deployment process and ensure that even little
changes undergo rigorous testing before release.
We have hired a new pen tester who will be hitting our platform and providing a
report. We are in the works with hiring an additional pen tester and perhaps another
person to do code auditing (need to see the logistics on this).
Obviously we are also doing additional code audits and testing on our own along with
the outside consultants.
We have no excuse for what happened and we are quite embarrassed. We want to work on
the issues and harden everything to ensure that everyone is protected. We will not
have this sort of slip again and we hope that we can regain your trust in Sourcery
and we will work diligently to ensure you are happy here.
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJZgporAAoJEI6Gz4/YbLRHBTQQAK8ia+qYv9X5WdxWf8uj75W6
iGTW13V9sN+V3qr54mZ91SpTBKbJBPChGsCG6kRvgOwwQH1KxSBLb03Ke2XhVkB0
pnlBzx4U6DuO9TY1VWU/uKtyuB25Ygfp9Gg2NZgd1/y2lK0XHB2o9ocf2uenHDkn
GFqsjTCkfufWh9g/a0SniIst4tEBx44d1Wsl6Q4G9PxSrjElBF/UaX6tnoaSFA3l
CDfJO4wZ+OwIrBzAT8oaVb1tgmtMXw4GB5Cu04k7QXv6/zDQLigztqzyyOVnrB3o
CzFjCQPrcRHh9pxhQ9YWKUXWtlmRNnPWr1LOgE5JKAWitHv2cX5roy5ci1asqsZz
+4kc9WgbqPfWcJ1Ng8M0GBQRCgaPYkAWp/Qj+gn8GPr3PS1jKdI7xuFy1UNe9QOw
SIBYnpPLDlGN9tyL4Lxi8eKrBNlT1MNNGYwZuMDgdZtLUZkHiiKNLod8ktnGkolq
nx1Skuu4fi7svvSjkcfYLxfTJIXQsWk73mB9+AROv9Z36bIvE7V4hWJclBa2tHvD
on2P5VI1mUR7Z+s2VvIBW+KRhRlhO9U0/RmRncr/f2W3wFQ3W1oXS3ms9U0cXqe9
j2G6lqzlTedv4j1JWN8iCHTPQZ8xj72dGONn3Cc8Qf73oOcCKfhoA8+gldoE1EfX
+5L/Yelk4JB3liidm7d/
=W6/3
-----END PGP SIGNATURE-----
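The authorization bug described in the statement ("the page loads, then it redirects") is the classic render-then-redirect mistake: the handler queues a redirect for an unauthorized visitor but keeps executing and still emits the protected page body. A browser follows the Location header and the body is never seen; any client that does not follow redirects reads it in full. The following is an added illustration, not code from Sourcery; the handler names, session values and private messages are constructed, and the regression check at the end is the kind of test that would have flagged the deployment before release.

```python
"""Model of a render-then-redirect authorization bug and its fix.

Constructed example: the handlers, session handling and message data are
hypothetical and stand in for a real web framework's request/response cycle.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed sample data standing in for a private-message table.
PRIVATE_MESSAGES = {"alice": ["meet at 9", "invoice attached"]}


def render_pm_page(user: str) -> str:
    """Render the inbox HTML for a user (the protected content)."""
    return "<h1>Inbox</h1>" + "".join(f"<li>{m}</li>" for m in PRIVATE_MESSAGES.get(user, []))


def pm_page_buggy(session_user: Optional[str], target_user: str) -> Response:
    """Buggy variant: the redirect is queued but execution continues, so the
    protected content is still rendered into the body of the 302 response.
    A browser hides this by following the Location header immediately."""
    resp = Response(200)
    if session_user != target_user:
        resp.status = 302
        resp.headers["Location"] = "/index.php"
        # BUG: no early return here, rendering proceeds below.
    resp.body = render_pm_page(target_user)
    return resp


def pm_page_fixed(session_user: Optional[str], target_user: str) -> Response:
    """Fixed variant: the authorization decision is terminal. An unauthorized
    request gets a redirect with an empty body and nothing else runs."""
    if session_user != target_user:
        return Response(302, {"Location": "/index.php"}, "")
    return Response(200, {}, render_pm_page(target_user))


def leaks_on_redirect(resp: Response) -> bool:
    """Regression check: a redirect away from a protected page must carry no
    content in its body. Run this against every protected route with no
    session, exactly the way curl (which does not follow redirects by
    default) would see the response."""
    return resp.status in (301, 302, 303, 307, 308) and resp.body.strip() != ""


def unauthenticated_routes_are_clean(handlers) -> bool:
    """True if none of the given handlers leak content to a visitor with no session."""
    return not any(leaks_on_redirect(h(None, "alice")) for h in handlers)


if __name__ == "__main__":
    print("buggy leaks:", leaks_on_redirect(pm_page_buggy(None, "alice")))
    print("fixed leaks:", leaks_on_redirect(pm_page_fixed(None, "alice")))
```

The check is deliberately framework-agnostic: whatever stack is in use, a deployment gate that requests each protected page without credentials, with redirect-following disabled, and asserts on an empty body catches this whole class of slip regardless of which page the next bad deploy touches.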
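The statement also describes two upload defences: checking that an upload really is an image rather than trusting the extension, and storing images outside the web directory under a generated lookup name that the loader resolves (the `photoName=` key). The block below is an added example of both, not Sourcery's code; the magic-byte table, the `ImageStore` class and the sample files are constructed for illustration.

```python
"""Content-based image validation plus opaque lookup keys for stored uploads.

Constructed example: ImageStore, the sample bytes and the key format are
hypothetical stand-ins for a real upload pipeline.
"""
import secrets
from typing import Optional, Tuple

# Leading bytes of common image formats. The file name and extension are
# never consulted; only the content decides.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


class ImageStore:
    """Keeps uploads in a store that the web server cannot serve directly.

    Every accepted upload gets a random lookup key; the loader endpoint maps
    the key back to the blob, so no caller-supplied path ever reaches the
    filesystem and the original file name is never a fetchable URL."""

    def __init__(self) -> None:
        self._blobs: dict = {}

    def store(self, filename: str, data: bytes) -> str:
        kind = detect_image_type(data)
        if kind is None:
            # Rejected regardless of what the client named the file.
            raise ValueError(f"{filename!r}: content is not a supported image")
        key = secrets.token_urlsafe(16)  # the value later passed as photoName=
        self._blobs[key] = (kind, data)
        return key

    def fetch(self, key: str) -> Optional[Tuple[str, bytes]]:
        """Resolve a lookup key; unknown keys (including file names and
        path-like strings) simply miss."""
        return self._blobs.get(key)


def upload_is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the store would accept this upload."""
    try:
        ImageStore().store(filename, data)
        return True
    except ValueError:
        return False


# Constructed sample inputs.
TINY_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
SCRIPT_NAMED_JPG = b"#!/bin/sh\necho 'this is not an image'\n"

if __name__ == "__main__":
    store = ImageStore()
    key = store.store("photo.gif", TINY_GIF)
    print("stored under key:", key)
    print("fetch by file name works:", store.fetch("photo.gif") is not None)
    print("script named .jpg accepted:", upload_is_accepted("something.jpg", SCRIPT_NAMED_JPG))
```

One caveat a reviewer would add: a magic-byte prefix check establishes that a file starts like an image, not that it contains nothing else. Files that are simultaneously a valid image and something else are well known, so a production pipeline should decode the upload with an image library and re-encode it to a fresh file, keeping only the pixel data, and should serve it with a fixed Content-Type and a `Content-Disposition` that prevents inline execution in a browser.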