Sourcery Market Security Vulnerabilities

Took a quick look at Sourcery Market and found a bunch of vulnerabilities - including being able to read any private message. It took me longer to write these up than to find them:

https://gist.github.com/anonymous/2b9e7a9ada8ee8d508ab58c347909150

This market should be shut down asap - the admins are in way over their heads. The security and code quality are inadequate for a child's blog, let alone for a darknet market.


Comments


[58 Points] rockheeed:

The admin also let slip he is from the UK so the feds even know which part of the world to start the hunt for him.


[49 Points] konch1:

We have slipped into the age of amateur hour.


[13 Points] Polygon_Windows:

unsurprising, I've said it before; the UI looked like a first year college project.


[10 Points] ItsAllJustPretend:

/u/sourcery_market /u/hugbunter


[11 Points] JburnaDNM:

Wow. That's the worst yet. He's going to be in handcuffs by the end of the day or the site's going to be taken over and all wallets drained. Can't wait for their response. Thanks for looking out for the community.

I don't even know php or code at all and I can even see how easy it was for you to get to the private messages with that simple request. Am I right on that?


[10 Points] None:

Web dev here. I thought you were joking when you said the security wasn't enough for a child's blog, but that first vulnerability is pretty ridiculous. That's something you would probably learn in the first week of a PHP class.


[7 Points] shitisfire2:

I thought /u/hugbunter said he tested it and can't find but small glitches lol and couldn't find this, I guess it shows he knows jack shit and a fucking fake


[7 Points] Twist3dHipst3r:

Can /u/wombat2combat or /u/TheEconomist1 weigh in on this? Seems like their position on the superlist needs to be re-examined.


[7 Points] BFCDNM:

C'MON SOURCERY PUT SOME EFFORT INTO IT


[4 Points] FBI_CEA_DEAD_INFORMA:

As I said before anyone who is good at cyber sec / opsec should get together with me, I have certain skills in keeping server secure/tor/php/general security configuration for web service we use.

Even if not a computer person a group of us could easily make an impenetrable dnm, I have tools that cost a lot (for business and personal testing) that can automate much testing and security holes fixed.

If anyone is taking me seriously please PM and we can have a discussion, if it goes somewhere legit I can create a site showing the basic concept, suggestion box, almost like an open source market but with very intense limits on who can see the source)

There are certain vendors I would ban from there but they are small time, we could be the next ross just have the intelligence to not get caught (dead mans switch on phone?) all hypothetical ideas pm me and we can wicker if anyone is interested


[3 Points] bhp5:

>Just pass any message ID to /message.php?messageId=51 and it will return the message to you

http://i.imgur.com/89HANHg.gif
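
The missing check behind the quoted `/message.php?messageId=51` behaviour, as an added example that is not from the thread, the gist or the market's code: a lookup keyed only on the client-supplied ID next to one bound to the session user. The table layout, function names and the in-memory SQLite data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical schema (assumed, not from the page): messages(id, sender_id, recipient_id, body).

// Vulnerable pattern: the lookup is keyed only on the client-supplied ID,
// so any logged-in user can read any row by changing messageId.
function fetchMessageInsecure(PDO $db, int $messageId): ?array
{
    $stmt = $db->prepare('SELECT id, sender_id, recipient_id, body FROM messages WHERE id = :id');
    $stmt->execute([':id' => $messageId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the session user must be the sender or the recipient. The ownership
// test is part of the query, so a foreign ID and a nonexistent ID look identical.
function fetchMessageForUser(PDO $db, int $messageId, int $userId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, sender_id, recipient_id, body FROM messages
          WHERE id = :id AND (sender_id = :uid_s OR recipient_id = :uid_r)'
    );
    $stmt->execute([':id' => $messageId, ':uid_s' => $userId, ':uid_r' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, sender_id INT, recipient_id INT, body TEXT)');
$db->exec("INSERT INTO messages VALUES (50, 1, 2, 'for user 2'), (51, 3, 4, 'for user 4')");

$sessionUserId = 2; // stands in for $_SESSION['user_id']; never taken from the URL

// Without the ownership check, user 2 receives a message between users 3 and 4.
printf("insecure lookup of 51 -> %s\n", fetchMessageInsecure($db, 51)['body']);

// Handler logic: validate the parameter, then authorize against the session identity.
foreach (['50', '51', '51 OR 1=1'] as $raw) {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $msg = $id === false ? null : fetchMessageForUser($db, $id, $sessionUserId);
    // Same 404 for "not yours" and "does not exist" avoids confirming valid IDs.
    printf("messageId=%-10s -> %s\n", $raw, $msg === null ? '404' : '200 ' . $msg['body']);
}
```

Logging the 404s per session also gives a detection signal: one account walking sequential message IDs it does not own is the enumeration pattern this class of bug invites.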


[2 Points] Sourcery_Market:

I'm checking into this right now.


[2 Points] penguinmixer:

Nice work! I hope they give you a bug bounty for this...if they even respond.


[2 Points] elijahbaley123456789:

What's sorcery market?


[1 Points] HardC0r3:

wasn't this hyped by the dnm mods itself?


[1 Points] Zorill:

I used to be interested in information security so I tried to teach myself but it kinda failed. But you guys that just find these vulnerabilities by staring at the source code are straight magic


[1 Points] lobb-it-away:

does anyone else wonder why on earth after the ipad at&t thing with weev, SMF's token/sessionid manipulation in the URL, AB and their API/PM leak (which iirc was pretty near the same "vulnerability") and countless other applications of the same trick seem to never sink in to some devs?

honestly, good on you OP. just really poor timing for us to be stuck with inadequacy and laziness :(


[1 Points] Inthewirelain:

Admin admits to me days ago they are not only from the UK but they are specifically English