Silk Road forums

Discussion => Security => Topic started by: yoyo51 on July 30, 2013, 06:21 pm

Title: serious breach of security!!!!!!!! READ THIS NOW.
Post by: yoyo51 on July 30, 2013, 06:21 pm
So basically i opened up TOR and went onto SR and i've been logged into an account (i have screen shots for admins/DPR), fully logged in, no pin obviously, no damage done to the account, no finalizing orders (i could if i wanted, full control, no pin) even tho they had 500 USD in orders, and a tracking number in MESSAGES.

Just what the fuck? i closed tor for a new identity and of course was back to normal, but this doesn't explain this. wtf?

admin/staff/DPR please contact me

 
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: yoyo51 on July 30, 2013, 07:36 pm
Well i submitted a message to SR support (TO THIS THREAD) hopefully the owner will confirm it wasn't him and someone will give a shit?


seems like a serious fuck up/glitch/bug to me


Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: goblin on July 30, 2013, 07:45 pm
Had you closed the browser? Because I believe although I won't bet my life on it, but I believe that if you leave firefox open, even though you close tor, the cookie doesn't get deleted (depending on your cookie settings) and you're still technically logged into SR. However, if there's a long delay between SR url accesses, then the login screen does appear, even if you left the browser open.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: HeatFireFlame on July 30, 2013, 07:47 pm
Sorry, i know your first language may not be English, but could you please try and state what the problem is as clearly as possible.
You logged into SR from tor, and had screenshots of DPR's account flash on your screen and had full access and control of the account, but you could not do anything as you had no pin?
Sorry, i'm not being rude here, i'm just trying to work out what you mean exactly.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: goblin on July 30, 2013, 07:55 pm
I reread OP's post and now see that he meant he was logged into someone else's account. I'm sorry I misunderstood. But I don't get if he meant the SR admin's (DPR's?) account.

That would be truly unprecedented and scary.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: yoyo51 on July 30, 2013, 08:00 pm
No, i'm not new, i have been using SR for 2 years and have near 100 transactions...

and yes i went to go onto SR so opened tor which opens the control panel and an instance of firefox (no there wasn't one running because i was watching a film and wanted to check if an order had been shipped).
and there is a warning if you try to open another TOR.

went to the SR home URL and got no login/home page, just got logged straight into an account with 500 USD in orders that i could finalize.

the owner of the account isn't from my country, i don't know him, he's not a vendor and i have never spoken to him.

it's just a random cookie?/fuckup

I sent SR support a few messages, i'm unsure what more i can do? once the real owner logs in and confirms he didn't send the messages to silk road actions can be taken?


Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: RS7FI8ZRkm on July 30, 2013, 08:05 pm
???
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: cirrus on July 30, 2013, 08:09 pm
I just wanted to pop in and let you know that your customer support ticket has been passed up to DPR to look into - so they're definitely looking into it. 
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Boostedh on July 30, 2013, 08:11 pm
What was the account name?  Kinda creepy
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: yoyo51 on July 30, 2013, 09:08 pm
Support has all the details, and it would seem DPR has seen the message.

Obviously i would like an update/explanation, as others would.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: StExo on July 30, 2013, 09:25 pm
I think an explanation would not be in order to go public, if it's an exploitable bug we don't want to parade around demanding answers, as Cirrus said DPR is looking into it and I imagine they'll message you in due course shortly. The less information we give out to public/LE, the better!
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Jason Bourne on July 30, 2013, 09:57 pm
Fuck me...
This is some serious shit here.

I'll definitely follow this one. Please keep us updated Cirrus. No need for details, obviously. Just update with some official statement that the origin of the vulnerability was understood and fixed, so this could never happen again.

Just imagine the damage if OP was malicious or LE: $ gone and evidence for (intl.?) drug importationS. Game over.
I'm not too worried about losing the few bucks I have in SR, I (almost) always encrypted my drop and I never use tracking, so in my case consequences would have been minimal, but still. This profile was obviously a very active and not too security oriented buyer.

Thanks for bringing this to our attention.   

On a side note, is it really so hard to encrypt those tracking numbers? I wouldn't want to have my drop out on the open like that..


I think an explanation would not be in order to go public, if it's an exploitable bug we don't want to parade around demanding answers, as Cirrus said DPR is looking into it and I imagine they'll message you in due course shortly. The less information we give out to public/LE, the better!

Damn, you're fast.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: ShApEsHiFtInGsHaPeS on July 30, 2013, 10:07 pm
scary shit
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: hielonite on July 31, 2013, 03:04 am
Yowzers...
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: moopydog on July 31, 2013, 03:46 am
If this is legit, it's pretty fucked up.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: do unto others on July 31, 2013, 05:01 am
subbed
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: DrMDA on July 31, 2013, 05:19 am
Hope DPR addresses it here soon. Maybe not the specifics but at least something to assuage our anxiety. Any of you computer nerds have any clue what happened?
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: theDrugFederation on July 31, 2013, 07:34 am
Hope this is not legit.  :o That's a big problem.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Dread Pirate Roberts on July 31, 2013, 08:00 am
hi folks, wow I am incredibly sorry about this.  last week we were having login issues and we had to rewrite the entire system that handles logins and sessions to get the bugs out.  We overlooked one thing that lead to this mistake.  Basically it was checking weather a large random string of characters was unique.  The odds were so low for what is called a collision that it was overlooked, but indeed a collision occurred in this case.  The chances of it happening were about 1 in 10e^26.  That's 10 with 26 zeros.  Anyway, forensics showed it was the only incidence and we've added a uniqueness check that will prevent this from happening again.  I was actually suspicious when we had a bug free release of the new system!

Thankfully moopydog was honest and didn't do anything wrong, and the user that was compromised didn't seem to mind much.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: RS7FI8ZRkm on July 31, 2013, 08:12 am
hi folks, wow I am incredibly sorry about this.  last week we were having login issues and we had to rewrite the entire system that handles logins and sessions to get the bugs out.  We overlooked one thing that lead to this mistake.  Basically it was checking weather a large random string of characters was unique.  The odds were so low for what is called a collision that it was overlooked, but indeed a collision occurred in this case.  The chances of it happening were about 1 in 10e^26.  That's 10 with 26 zeros.  Anyway, forensics showed it was the only incidence and we've added a uniqueness check that will prevent this from happening again.  I was actually suspicious when we had a bug free release of the new system!

Thankfully moopydog was honest and didn't do anything wrong, and the user that was compromised didn't seem to mind much.
:o well, least there was no damage done,  but still this is pretty bad.. :-\.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: yoyo51 on July 31, 2013, 08:43 am
hi folks, wow I am incredibly sorry about this.  last week we were having login issues and we had to rewrite the entire system that handles logins and sessions to get the bugs out.  We overlooked one thing that lead to this mistake.  Basically it was checking weather a large random string of characters was unique.  The odds were so low for what is called a collision that it was overlooked, but indeed a collision occurred in this case.  The chances of it happening were about 1 in 10e^26.  That's 10 with 26 zeros.  Anyway, forensics showed it was the only incidence and we've added a uniqueness check that will prevent this from happening again.  I was actually suspicious when we had a bug free release of the new system!

Thankfully moopydog was honest and didn't do anything wrong, and the user that was compromised didn't seem to mind much.

Nothing was done/taken from the account, the pin really does its job, and why anyone would want to finalize the orders on said account, if they are a user of the site themselves is beyond me.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Dread Pirate Roberts on July 31, 2013, 08:56 am
why did I call you moopydog?  I think I got my browser tabs crossed.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: bluedev1 on July 31, 2013, 09:17 am
I think the odds are made up to be honest.  1 in 10e26 is like the odds of me winning the lottery 50 times in a row.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Real_Drugs on July 31, 2013, 10:22 am
hi folks, wow I am incredibly sorry about this.  last week we were having login issues and we had to rewrite the entire system that handles logins and sessions to get the bugs out.  We overlooked one thing that lead to this mistake.  Basically it was checking weather a large random string of characters was unique.  The odds were so low for what is called a collision that it was overlooked, but indeed a collision occurred in this case.  The chances of it happening were about 1 in 10e^26.  That's 10 with 26 zeros.  Anyway, forensics showed it was the only incidence and we've added a uniqueness check that will prevent this from happening again.  I was actually suspicious when we had a bug free release of the new system!

Thankfully moopydog was honest and didn't do anything wrong, and the user that was compromised didn't seem to mind much.

I do not understand, the OP said that he did not try and log in, he opened SR and it went straight to another users account (no log in screen). Can you please elaborate.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: goblin on July 31, 2013, 12:28 pm
I think the odds are made up to be honest.  1 in 10e26 is like the odds of me winning the lottery 50 times in a row.
I believe you are right, bluedev1. That number is so huge that for all intents and purposes the chance is zero. There would have to be many times the age of the universe and all people on earth trying to log in every day in all that time for it to have occurred. It's royal BS elevated to the 1000th power!

goblin
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: lunarpursuit on July 31, 2013, 12:29 pm
that. is. fucking. scary.

on sooo many levels.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: GotGas on July 31, 2013, 12:54 pm
hi folks, wow I am incredibly sorry about this.  last week we were having login issues and we had to rewrite the entire system that handles logins and sessions to get the bugs out.  We overlooked one thing that lead to this mistake.  Basically it was checking weather a large random string of characters was unique.  The odds were so low for what is called a collision that it was overlooked, but indeed a collision occurred in this case.  The chances of it happening were about 1 in 10e^26.  That's 10 with 26 zeros.  Anyway, forensics showed it was the only incidence and we've added a uniqueness check that will prevent this from happening again.  I was actually suspicious when we had a bug free release of the new system!

Thankfully moopydog was honest and didn't do anything wrong, and the user that was compromised didn't seem to mind much.

I do not understand, the OP said that he did not try and log in, he opened SR and it went straight to another users account (no log in screen). Can you please elaborate.

Close TOR while still logged into SR and then reopen TOR. Sometimes the login session is still live and you won't have to enter login details (just like many other websites, facebook etc. "keep you logged in" with cookies). Looks like there was just a bug that caused the person to pick up somebody's login, presumably because of the way TOR by design causes a user to tunnel through the same IP as many other users.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: BlackIris on July 31, 2013, 01:54 pm
I believe you are right, bluedev1. That number is so huge that for all intents and purposes the chance is zero. There would have to be many times the age of the universe and all people on earth trying to log in every day in all that time for it to have occurred. It's royal BS elevated to the 1000th power!

I think, however, that you are yourself underestimating Murphy's law that:

"If one thing can go wrong then you can rest assured it will"

Now, if that 1 in 10^26 was a chance for the thing go well, then you would be right, but since it was a chance for something to go wrong, then neither 1 in 10^50 will stop it from doing that. Murphy's law never errs ;)

Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: sourman on July 31, 2013, 04:31 pm
I was reading the OP thinking "there is no fucking way this was a session ID hash collision". Now that it's pretty clear that was the case, damn. As DPR pointed out, the odds of such a thing happening are astronomical. Normally I'd be surprised, but 2013 seems to be the year of weird shit happening (at least in my experience) so what the fuck? Let the bizarreness continue!
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: SelfSovereignty on July 31, 2013, 04:51 pm
hi folks, wow I am incredibly sorry about this.  last week we were having login issues and we had to rewrite the entire system that handles logins and sessions to get the bugs out.  We overlooked one thing that lead to this mistake.  Basically it was checking weather a large random string of characters was unique.  The odds were so low for what is called a collision that it was overlooked, but indeed a collision occurred in this case.  The chances of it happening were about 1 in 10e^26.  That's 10 with 26 zeros.  Anyway, forensics showed it was the only incidence and we've added a uniqueness check that will prevent this from happening again.  I was actually suspicious when we had a bug free release of the new system!

Thankfully moopydog was honest and didn't do anything wrong, and the user that was compromised didn't seem to mind much.

I do not understand, the OP said that he did not try and log in, he opened SR and it went straight to another users account (no log in screen). Can you please elaborate.

If the site doesn't recognize the credentials you provide (the "cookie" your browser carries around and sends the site), it takes you to the login page regardless of where you were trying to go (basically).  You also get a new value every time you visit the site, so basically, what's being claimed is that the new value matched the value of someone else who was already logged in -- and hence the site treated the OP as the already logged in party, and redirected to the homepage (instead of the login page).  This is virtually impossible if the numbers provided are correct.  The numbers will not be correct and it will be much more likely if the pseudorandom number generator is not random enough.

... see what I did there?   :-X

Also, the Tor browser clears all cookies upon exit, and even though it *is* a version of Firefox, just having another Firefox browser open should not change that.  It's designed to be isolated for precisely those sorts of privacy and security reasons.  You can, if you choose, override that behavior -- so it isn't impossible that it may have happened to somebody, but it's very unlikely.  It's also possible that it was re-started before the previous instance of the program had properly finished closing, and when the new instance started it found the old state data from the previous instance and picked it up assuming it had crashed improperly or something.  Firefox itself is designed for convenience and the average user, so it does stuff like that.  Whether they disable it or not for the Tor version I can't say.  It's just an explanation/speculation.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Wa1ter White on July 31, 2013, 09:52 pm
I had the same thing happen to me on Overgrow back in the day.

Nice to hear an explanation of why this can happen.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: miscuser873 on August 01, 2013, 01:05 am
Definitely scary.

If there's any lesson that us lowly peons can take out of this, is it not that we SHOULD ALL MAKE SURE TO LOG OUT BEFORE CLOSING TOR?
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: BruceCampbell on August 01, 2013, 01:39 am
I had the same thing happen to me on Overgrow back in the day.

Nice to hear an explanation of why this can happen.

Hot damn you remember overgrow? That's waaaaaay back in the day. My first domain seizure experience.

Memories...
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: hielonite on August 01, 2013, 03:38 am
hi folks, wow I am incredibly sorry about this.  last week we were having login issues and we had to rewrite the entire system that handles logins and sessions to get the bugs out.  We overlooked one thing that lead to this mistake.  Basically it was checking weather a large random string of characters was unique.  The odds were so low for what is called a collision that it was overlooked, but indeed a collision occurred in this case.  The chances of it happening were about 1 in 10e^26.  That's 10 with 26 zeros.  Anyway, forensics showed it was the only incidence and we've added a uniqueness check that will prevent this from happening again.  I was actually suspicious when we had a bug free release of the new system!

Thankfully moopydog was honest and didn't do anything wrong, and the user that was compromised didn't seem to mind much.

Hehehe... DPR said "weather"  ::)
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Jack N Hoff on August 01, 2013, 03:47 am
I think the odds are made up to be honest.  1 in 10e26 is like the odds of me winning the lottery 50 times in a row.
I believe you are right, bluedev1. That number is so huge that for all intents and purposes the chance is zero. There would have to be many times the age of the universe and all people on earth trying to log in every day in all that time for it to have occurred. It's royal BS elevated to the 1000th power!

goblin

Don't you mean royal BS x 10e^27 power ?
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Dread Pirate Roberts on August 01, 2013, 05:46 am
Definitely scary.

If there's any lesson that us lowly peons can take out of this, is it not that we SHOULD ALL MAKE SURE TO LOG OUT BEFORE CLOSING TOR?

that's right, if you actually click "logout" instead of just closing your browser, then your session will be destroyed. It is slightly more secure, though we should be protected against collisions now.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: CheapestCocaine on August 01, 2013, 10:24 am
Woah, what if there was some dude in Sweden that had the same IP address that you were appearing as on TOR?
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Cher on August 01, 2013, 10:35 am
i thought our tails problems were bad!
keep up the good work DPR, good to see it's fixed (or hope so!) - however it happened!!
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: goblin on August 01, 2013, 11:48 am
It's royal BS elevated to the 1000th power!

goblin

Don't you mean royal BS x 10e^27 power ?
Heheh, even more probly!
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: abitpeckish on August 02, 2013, 04:14 pm
I think the odds are made up to be honest.  1 in 10e26 is like the odds of me winning the lottery 50 times in a row.
I believe you are right, bluedev1. That number is so huge that for all intents and purposes the chance is zero. There would have to be many times the age of the universe and all people on earth trying to log in every day in all that time for it to have occurred. It's royal BS elevated to the 1000th power!

goblin

When the event occurs, the chances are 100% that the event would occur. A probability that is zero for most "intents and purposes" is still not quite zero :) The only way to really know if the odds are "BS" would be to NOT fix the bug and wait. I imagine that this is not an acceptable scenario ;)
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: goblin on August 02, 2013, 06:12 pm
I believe you are right, bluedev1. That number is so huge that for all intents and purposes the chance is zero. There would have to be many times the age of the universe and all people on earth trying to log in every day in all that time for it to have occurred. It's royal BS elevated to the 1000th power!

goblin
The only way to really know if the odds are "BS" would be to NOT fix the bug and wait. I imagine that this is not an acceptable scenario ;)
Sounds just like HAL.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: yoyo51 on August 02, 2013, 07:04 pm
I better start buying some lottery tickets  ::)
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: PlutoPete on August 02, 2013, 11:29 pm
Everyone knows that a one in a million chance will happen nine times out of ten :)
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: SandStorm on August 03, 2013, 09:56 am
1 in 10²⁶ is a really small probability. If you try to get this you have to try a billion times a second for the entire age of the universe, so I assume that the problem lies somewhere else.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: goblin on August 03, 2013, 01:09 pm
1 in 10²⁶ is a really small probability. If you try to get this you have to try a billion times a second for the entire age of the universe, so I assume that the problem lies somewhere else.
For sure. Say, how did you write 10 to the 26th so that it looks like that? (10²⁶) I can't find a way in html to do so.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: HEATFan on August 13, 2013, 07:47 pm
1 in 10²⁶ is a really small probability. If you try to get this you have to try a billion times a second for the entire age of the universe, so I assume that the problem lies somewhere else.

Another user is reporting that this has happened to him so I suspect you may be right, the problem does lie elsewhere. It's making me wonder how safe SR really is in regards to its own infrastructure. I imagine someone who is a little more gifted with computers could do a lot more harm with this than the people who are stumbling across this appalling security flaw.

http://dkn255hz262ypmii.onion/index.php?topic=201476.0

http://www.reddit.com/r/SilkRoad/comments/1kahg4/logged_in_to_another_users_account/
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Jack N Hoff on August 13, 2013, 07:56 pm
A 1 in 1957296094288.3876426977639788 chance happened once and then it was fixed and it still happened again.  EVERYONE QUICK, BUY A LOTTERY TICKET!!!
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: DrWalterB on August 13, 2013, 08:01 pm
A 1 in 1957296094288.3876426977639788 chance happened once and then it was fixed and it still happened again.  EVERYONE QUICK, BUY A LOTTERY TICKET!!!

Gonna get 2 :) hope all this gets sorted and doesn't happen again 8)
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Jack N Hoff on August 13, 2013, 08:05 pm
That is almost a one in a two trillion chance.  Then it happened again after it was fixed.  I wonder what the chances of that were? ???
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: HEATFan on August 13, 2013, 08:06 pm
The chances that DPR was correct when he originally thought he fixed the problem is probably zero.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: CamelNr1 on August 13, 2013, 08:09 pm
hi folks, wow I am incredibly sorry about this.  last week we were having login issues and we had to rewrite the entire system that handles logins and sessions to get the bugs out.  We overlooked one thing that lead to this mistake.  Basically it was checking weather a large random string of characters was unique.  The odds were so low for what is called a collision that it was overlooked, but indeed a collision occurred in this case.  The chances of it happening were about 1 in 10e^26.  That's 10 with 26 zeros.  Anyway, forensics showed it was the only incidence and we've added a uniqueness check that will prevent this from happening again.  I was actually suspicious when we had a bug free release of the new system!

Thankfully moopydog was honest and didn't do anything wrong, and the user that was compromised didn't seem to mind much.

The message icons says it all!
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: mcguire39 on August 13, 2013, 09:02 pm
Was it the PHP session id? I think normally PHP checks the IP address to help prevent (even accidental/inadvertent) session hijacking, but when all the users' IPs look like 127.0.0.1 everyone looks the same.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: ananas_xpress on August 13, 2013, 09:23 pm
Now I've gone from thinking, Random once in a lifetime event to there is something shady going on SR admins are either downplaying or covering up.

If it's happened twice there is no reason to doubt it's not happened 3, 4 even 10 times since the vast majority of users have no forum or even Reddit presence.
Seemed to coincide with the downtime and random logouts earlier today as well.

Those sort of odds rarely happen once but twice! You gotta be kidding me
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Purple_Hue000 on August 13, 2013, 09:46 pm
That's pretty scary. But I'd take advantage if that was me!

If there was bitcoins on that account I'd either buy something and have it sent to me, or I'd send their coins to myself. lol
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: HEATFan on August 13, 2013, 10:05 pm
That's pretty scary. But I'd take advantage if that was me!

If there was bitcoins on that account I'd either buy something and have it sent to me, or I'd send their coins to myself. lol

That is because you are a fucking idiot and a thief. Good luck doing anything without their PIN, but thanks for letting us know how much of a little shithead you are. For anyone that didn't know, this cunt has already earned herself a spot on the "shit-list" over at the spare coins thread. Good luck to you in life, you're going to need it.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: ananas_xpress on August 13, 2013, 10:05 pm
That's pretty scary. But I'd take advantage if that was me!

If there was bitcoins on that account I'd either buy something and have it sent to me, or I'd send their coins to myself. lol

That's why I'm wondering, if two people came clean and were honest about it, how many have not been.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Jack N Hoff on August 13, 2013, 10:32 pm
That's pretty scary. But I'd take advantage if that was me!

If there was bitcoins on that account I'd either buy something and have it sent to me, or I'd send their coins to myself. lol

That's why I'm wondering, if two people came clean and were honest about it, how many have not been.

Purple_Scumbag000 would need the compromised user's pin to be able to do anything with the compromised user's coins.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: MrGonzo on August 13, 2013, 11:01 pm
This reminds me of the times i made an order and it went through twice. So i basically got two items for the price of one, it was only a qp of weed but this happened to me two times. It didn't bother me much  ::).

But this is some scary shit, I think it's best to leave your coins on tails or a paper wallet anyway. Just send your coins to your account when making a purchase.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: sourman on August 14, 2013, 12:06 am
If this accidental session hijacking shit happened more than once, then it's definitely not some miracle of math. Sounds like the hash table ran out of space, or the code itself was flawed enough for session IDs to be reused under a specific set of circumstances. Let's all be thankful SR requires a PIN before funds can be moved :X.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: derpdoodad on August 14, 2013, 02:28 am
DPR said that the probability of this happening was BS to the 26 (10^26).

Because a collision happened on this side of the universe, the probability that this is the correct odds for this collision is EXTREMELY SLIM.

Just eyeballing it, if 1 BILLION unique sessions were logged in at the silkroad since the update (slightly over-predicting the volume here), the probability of this happening is MUCH MUCH LESS THAN 0.001%!!!!!!!

Therefore, I know, with greater than 99.999% confidence, THAT THE ORIGINALLY GIVEN PROBABILITY OF A COLLISION IS BULLSHIT.

This is called rejecting the NULL HYPOTHESIS.

DPR I really hope you didn't just "lower the odds" on whatever algorithm you were using and called it a day.
There is a deep fundamental flaw in either the login system and/or the algorithm.
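An added example (written for this page, not Silk Road's own code) of the two arguments above: the birthday-bound arithmetic behind the quoted "1 in 10^26" and derpdoodad's rejection of it, and a session store with the uniqueness check DPR said was added, exercised against an assumed weak 12-bit seeded PRNG and a 128-bit CSPRNG. Token sizes, the seed and the session counts are assumptions.

```python
import math
import random
import secrets

# --- Collision arithmetic --------------------------------------------------

def pairwise_collision_prob(bits: int) -> float:
    """Chance that two independently drawn k-bit tokens are identical."""
    return 2.0 ** -bits


def bits_for_odds(one_in: float) -> float:
    """Token entropy implied by a quoted '1 in X' per-pair collision chance
    (the thread's 1 in 10^26 works out to roughly an 86-bit token)."""
    return math.log2(one_in)


def any_collision_prob(n_sessions: int, bits: int) -> float:
    """Birthday bound: probability that at least one pair among n_sessions
    k-bit tokens collides, using 1 - exp(-n(n-1) / 2^(k+1))."""
    return -math.expm1(-n_sessions * (n_sessions - 1) / 2.0 ** (bits + 1))


# --- Session stores ----------------------------------------------------------

class SessionStore:
    """Session table that refuses to hand out a token already in use
    (the uniqueness check described in the thread)."""

    def __init__(self, token_fn, max_retries: int = 8):
        self._sessions = {}          # token -> user id
        self._token_fn = token_fn
        self._max_retries = max_retries
        self.collisions_avoided = 0

    def create(self, user: str) -> str:
        for _ in range(self._max_retries):
            tok = self._token_fn()
            if tok not in self._sessions:
                self._sessions[tok] = user
                return tok
            self.collisions_avoided += 1   # retry instead of reusing a live token
        raise RuntimeError("token generator keeps producing live tokens")

    def lookup(self, token: str):
        return self._sessions.get(token)

    def __len__(self) -> int:
        return len(self._sessions)


def naive_hijack_count(token_fn, n_sessions: int) -> int:
    """Store without the check: a repeated token silently re-binds the live
    session. Returns how many users' tokens now resolve to someone else."""
    sessions, issued = {}, {}
    for i in range(n_sessions):
        user = f"user{i}"
        tok = token_fn()
        issued[user] = tok
        sessions[tok] = user
    return sum(1 for user, tok in issued.items() if sessions[tok] != user)


def weak_token_factory(bits: int = 12, seed: int = 1337):
    """Assumed weak generator: a seeded PRNG with a 4096-value output space."""
    rng = random.Random(seed)
    return lambda: format(rng.getrandbits(bits), "03x")


def strong_token_factory(nbytes: int = 16):
    """CSPRNG tokens, 128 bits here."""
    return lambda: secrets.token_hex(nbytes)


def run_demo(factory, n_sessions: int = 500) -> dict:
    """Issue n_sessions tokens through both stores; the factory is called
    twice so each store sees the same starting draw sequence."""
    hijacked = naive_hijack_count(factory(), n_sessions)
    store = SessionStore(factory())
    for i in range(n_sessions):
        store.create(f"user{i}")
    return {"hijacked": hijacked, "avoided": store.collisions_avoided,
            "unique": len(store)}


if __name__ == "__main__":
    print(f"implied entropy of '1 in 1e26': {bits_for_odds(1e26):.1f} bits")
    print(f"P(any collision | 1e9 sessions, 86-bit tokens) = "
          f"{any_collision_prob(10**9, 86):.2e}")
    print("weak  :", run_demo(weak_token_factory))
    print("strong:", run_demo(strong_token_factory))
```

With honest 86-bit tokens, a billion sessions give a collision probability around 10^-8, so one observed collision (let alone two) points at the generator or the store, not at bad luck; the uniqueness check only masks the symptom.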
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: sclerogal on August 14, 2013, 03:27 am
That's pretty scary. But I'd take advantage if that was me!
If there was bitcoins on that account I'd either buy something and have it sent to me, or I'd send their coins to myself. lol

That's pretty disgusting, and people like you don't belong here
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: HEATFan on August 14, 2013, 04:05 am
I wonder what someone malicious would actually be capable of doing? Finalizing orders, viewing sensitive messages, sending messages to possibly scam people who trust the authentic account owner, and changing feedback on vendors. Or what if someone got access to a vendors account this way? They would potentially be able to view all of the messages on the account, some which may contain addresses and such. I don't have a vendors account so I don't know what else but I imagine they could cancel orders, message customers and somehow scam them offsite, or whatever else would be possible had this happened on a vendors account. It worries me that nobody has addressed this yet. Is SR safe to use right now?
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: Jack N Hoff on August 14, 2013, 04:16 am
I wonder what someone malicious would actually be capable of doing? Finalizing orders, viewing sensitive messages, sending messages to possibly scam people who trust the authentic account owner, and changing feedback on vendors. Or what if someone got access to a vendors account this way? They would potentially be able to view all of the messages on the account, some which may contain addresses and such. I don't have a vendors account so I don't know what else but I imagine they could cancel orders, message customers and somehow scam them offsite, or whatever else would be possible had this happened on a vendors account. It worries me that nobody has addressed this yet. Is SR safe to use right now?

All of that.  Also make listings, change prices, change descriptions and request a PIN reset.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: colorblack on August 14, 2013, 08:03 am
Although with tormail being history, I'm guessing a lot of the "off site" deals and such have stopped or reduced greatly. And let's not fool ourselves into thinking it wasn't happening.. that shit WAS happening. Unless the off-site dealing went to like gmail etc, which then.. well.. no comment!

Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: spanky loc on August 14, 2013, 09:36 am
Seems plenty worrying. I wonder if we'll get the full story or just have to hope the bugs get worked out.
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: derpdoodad on August 14, 2013, 10:45 pm
Appears a reddit user had the same thing happen.

Told ya they were not 10^26
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: citizen erased on August 15, 2013, 12:33 am
1 in 10²⁶ is a really small probability. If you try to get this you have to try a billion times a second for the entire age of the universe, so I assume that the problem lies somewhere else.

Another user is reporting that this has happened to him so I suspect you may be right, the problem does lie elsewhere. It's making me wonder how safe SR really is in regards to its own infrastructure. I imagine someone who is a little more gifted with computers could do a lot more harm with this than the people who are stumbling across this appalling security flaw.

http://dkn255hz262ypmii.onion/index.php?topic=201476.0

http://www.reddit.com/r/SilkRoad/comments/1kahg4/logged_in_to_another_users_account/
Without knowing the specifics of what is happening, it's hard to gauge how easy it is for someone to deliberately use this exploit to access someone's account or whether they just have to wait till their session collides with another session. As a general rule with computing if something can happen accidentally by someone not doing anything explicit, then it can be re-performed by a more tech savvy malicious user. It would be hard to imagine a malicious user would be able to target a specific account, rather just waiting till a session id matches a current open session id. You can be pretty sure it's happened to more than the two people who have reported it so hopefully DPR is onto it.

Just another reason for people to become properly familiarized with silk road and how to use it properly and securely, i.e. learn pgp to send any sensitive data and make sure you have a pin (i'm pretty sure the latter is compulsory, i have had one for as long as i can remember).
Title: Re: serious breach of security!!!!!!!! READ THIS NOW.
Post by: HEATFan on August 15, 2013, 12:38 am
Cirrus PMed me to say that DPR has looked into it and the problem has been resolved as of today.

Personally, I have my doubts, but we'll see.