Silk Road forums
Discussion => Security => Topic started by: Dread ꝥirate Roberts on April 19, 2012, 08:45 am
-
It is stop allowing special characters in user names
-luv kmf
-
Also this version of SMF has an XSS vulnerability that allows an attacker to launch arbitrary javascript on your machine if you click a specially crafted link to the site, you might want to patch that, but since I can't manage to post a hyperlink on the forum I can't craftily link to a topic inside a topic and then have javascript pop up box warn you about this ;)
Too bad, would have been funny. But it wouldn't have been funny if the javascript exploited a flaw in Firefox to take over its permissions, and then the attacker got a backdoor on your machine and spied on your plaintexts and bypassed your Tor :-/ .
-
Just wanted to point out to some of our newer, perhaps more gullible users, that this is NOT the real DPR. There was a scam before whereby someone managed to get BTC from vendors by using a name very similar to Dread Pirate Roberts - same name without the spaces, if I recall correctly.
Don't want to spoil anyone's fun, just wanted to let the newer folks know to stay on their guard a little. Sorry kmf
And kudos for pointing out potential security flaws.
- grahamgreene
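
The two impersonation tricks mentioned so far in this thread (a look-alike special character in the name, and the same name with the spaces removed) can both be caught by a collision check at registration time. The sketch below is an added example, not part of the original thread and not SMF code; the `CONFUSABLES` table and the function names are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately tiny look-alike table (assumption). A real
# deployment would load the Unicode UTS #39 confusables data instead.
CONFUSABLES = {
    "\ua765": "p",  # ꝥ, the look-alike used in this thread's topic-starter name
    "\u00fe": "p",  # þ
    "\u0440": "p",  # Cyrillic р
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "0": "o",
    "1": "l",
}


def skeleton(name: str) -> str:
    """Reduce a display name to a key that look-alike names share."""
    out = []
    # NFKD folds full-width and other compatibility forms; casefold removes case.
    for ch in unicodedata.normalize("NFKD", name).casefold():
        if unicodedata.combining(ch):
            continue  # drop accents that NFKD split off the base letter
        ch = CONFUSABLES.get(ch, ch)
        if ch.isalnum():
            out.append(ch)  # spaces and punctuation do not distinguish names
    return "".join(out)


def check_registration(candidate: str, existing: list[str]) -> tuple[bool, str]:
    """Return (allowed, reason) for a requested user name."""
    key = skeleton(candidate)
    if not key:
        return False, "name is empty after normalization"
    for taken in existing:
        if skeleton(taken) == key:
            return False, f"too similar to existing user {taken!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data using names that appear in this thread.
    users = ["Dread Pirate Roberts", "grahamgreene"]
    for requested in ["Dread \ua765irate Roberts", "DreadPirateRoberts", "kmf"]:
        print(requested, "->", check_registration(requested, users))
```

Comparing skeletons rather than banning all non-ASCII characters keeps legitimate international names usable while still rejecting a name that differs from an existing one only by spacing, case, or a look-alike glyph.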
-
I figure they realize that I am not the real DPR considering the only post I made is saying that I am not the real DPR :)
Did the scammer use special characters?
-
True, but you know how some of these new folks can be!
I think they just neglected to put the spaces in between the words Dread Pirate Roberts - unfortunately it's all too easy to scam people with such nuances. :-\
-
Agree. Aside from the potential issues brought up here, the special characters are just downright obnoxious.
-
I wonder if this even got Pm'd to DPR?
-
I wonder if this even got Pm'd to DPR?
That would be a negatory ghostrider...
-
I wonder if this even got Pm'd to DPR?
That would be a negatory ghostrider...
The pattern is full.
-
This attack requires that you run JavaScript, which gets me thinking, people browse hidden services with NoScript turned off? I leave it on for everything except trusted clearnet sites.
-
This attack requires that you run JavaScript, which gets me thinking, people browse hidden services with NoScript turned off? I leave it on for everything except trusted clearnet sites.
+1 NoScript is enabled by default in TOR.
-
It's not actually enabled by default, but it does block Flash and Java even while disabled, and Torbutton blocks certain classes of malicious, potentially deanonymizing JavaScript, I've read, though I don't know if it would block this attack.