EDIT /u/gramsadmin has made some changes to his site, specifically he now offers https, as such some of these risks I mention below are no longer risks, or are avoidable. I will update this post once I've had a chance to review fully.
Grams flow is a service that redirects you to your favorite market. Unfortunately it is unsafe by design because it uses unencrypted http and is easily exploited.
How are you going to steal coins?
Quite simple actually:
- I run a TOR exit node.
- I alter any gramsflow http requests so they redirect to a fake market site.
- The fake market will record your username, password, and PIN when you enter it, and replace any deposit addresses with one of my addresses.
Why am I doing this?
Well if I don't do it, someone else will.
Wait, I just used it and it worked fine
Yes, unfortunately I only run one exit node. It's unlikely you'll hit my node very often, but occasionally you will.
Ah, but I can check the redirect address to see that it's valid
That's great for you - but most people won't bother. That's why they are using the redirect service.
Did you talk to the Grams admins first before doing this?
Yes. They don't think you're at any risk. See my comments on this thread: https://pay.reddit.com/r/DarkNetMarkets/comments/27m333/grams_update_grams_newest_feature_flow/
What should I do to be safe?
Never use an untrusted source for your darknet market URLs! Most sources cannot and should not be trusted! The best thing to do is write down / save the address somewhere private and always use your private copy.
[To the Grams folks: No hard feelings, I know you mean well, but I believe it's important to take security seriously.]
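The advice above (save the market address privately and always compare against your own copy) can be turned into a mechanical check. The following is an added example, not code from the original post or from Grams: it treats a redirect as trustworthy only when it arrived over TLS and its hostname matches, character for character, the address the user saved. The pinned onion hostnames and the `PINNED` dictionary are constructed placeholders, not real services.

```python
"""
Verify that a redirect from a URL-forwarding service points at the exact
onion address you saved privately, before following it.
Added example; the pinned addresses below are constructed placeholders.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed "private copy" of market addresses (hypothetical values).
PINNED = {
    "examplemarket": "aaaaaaaaaaaaaaaa.onion",
}


def _normalize_host(hostname: Optional[str]) -> Optional[str]:
    """Lower-case the host and strip a trailing dot so comparison is exact."""
    if hostname is None:
        return None
    return hostname.strip().lower().rstrip(".")


def check_redirect(market: str, location: str, received_over_tls: bool) -> Tuple[bool, str]:
    """
    Return (ok, reason). ok is True only if the Location header can be trusted:
    the redirect itself was delivered over TLS (so an exit node could not have
    rewritten it in transit) and the target host equals the saved address.
    """
    if not received_over_tls:
        return False, "redirect arrived over plain http; it could have been altered in transit"

    expected = PINNED.get(market)
    if expected is None:
        return False, "no private copy saved for %r; do not trust any redirect" % market

    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme %r in redirect target" % parts.scheme

    # urlsplit().hostname already drops userinfo ("user@host") and the port,
    # so a "saved.onion@evil.onion" trick resolves to evil.onion here.
    host = _normalize_host(parts.hostname)
    if host is None:
        return False, "redirect target has no host (relative URL); refusing to follow"

    # Exact string equality defeats look-alike names and "saved.onion.evil.onion"
    # style subdomain tricks; anything but an exact match is rejected.
    if host != expected:
        return False, "redirect host %r does not match saved address %r" % (host, expected)

    return True, "redirect host matches private copy"


if __name__ == "__main__":
    # Constructed sample Location headers a user might receive.
    samples = [
        ("http://aaaaaaaaaaaaaaaa.onion/login", True),
        ("http://aaaaaaaaaaaaaaaa.onion/login", False),
        ("http://aaaaaaaaaaaaaaab.onion/login", True),
        ("http://aaaaaaaaaaaaaaaa.onion.bbbbbbbbbbbbbbbb.onion/", True),
        ("http://aaaaaaaaaaaaaaaa.onion@bbbbbbbbbbbbbbbb.onion/", True),
        ("/market", True),
    ]
    for loc, tls in samples:
        ok, why = check_redirect("examplemarket", loc, tls)
        print("%-5s %-55s %s" % ("OK" if ok else "DENY", loc, why))
```

The function deliberately has no network code: you feed it the `Location` value and whether the response came over TLS, and it answers only "follow" or "refuse". Exact equality, rather than a substring or suffix match, is what makes the subdomain and userinfo cases fail closed.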
I think a better title would be, "[PSA] If you use [Grams]Flow I WILL ATTEMPT TO steal your Bitcoins via PHISHING"