Silk Road forums
Discussion => Silk Road discussion => Topic started by: truenull on July 19, 2012, 04:08 am
-
Hello, everyone, I'm truenull.
A few months ago, I discovered multiple serious security holes in Silk Road: XSS, SQL injection, a vulnerability allowing the discovery of the Silk Road host server's public (non-Tor) IP, and CSRF.
Yesterday, I forgot my PIN (fuck me, right?) and figured I'd just wait 7 days for it to be reset, but...
A few hours later, there was downtime similar to today's. Attempts to connect to the silkroadvb5piz3r.onion website were met with a failed connection, and a message in the Tor logs indicating a server-side problem.
[Notice] Closing stream for '[scrubbed].onion': hidden service is unavailable (try again later).
After that downtime, there was a brief period allowing logins, then more downtime, but of a different sort. It seemed that there was an issue with the SR webapp or database itself- session cookies were repeatedly invalidated, and users were thus constantly kicked back to /silkroad/home (the login page), even after entering valid credentials and CAPTCHA.
During this downtime, I (stupidly) decided to do some additional testing, attempting to create a new account with the same username as my existing account (truenull). It kicked me back to /silkroad/home, and I thought nothing of it... until the downtime ended.
I logged in normally- and my account was as if it had been newly created. Balance of 0 BTC (previously ~20), account age (from buyer stats) in the minutes, and (to top it all off) a welcoming PM from SR Support.
Fuck.
So now I'm out 20 BTC. I PM SR Support (as a reply to the very helpful welcoming PM) and, on the advice of nomadbloodbath in IRC, DPR.
A few hours later, I get a reply from SR Support... informing me that my PIN had been reset, and that I would have to wait 5 days before I could change it. This was on my new account, only a few hours old, on which I had never done any sort of PIN activity.
"Fuck," I thought to myself. "This is not normal. There is a serious issue with Silk Road's database." I can be quite eloquent in my internal dialogue.
So I send off a few strongly worded PMs to SR Support, detailing my evidence. They've been read, but have not been responded to. The PM to DPR has yet to be read.
Today, there's more downtime, of a similar sort to the first downtime period yesterday (same error in Tor logs).
Analysing the situation further, by my estimate yesterday's second downtime was just long enough for a user to copy the entire SR database (disabling writes in the meantime to prevent getting a corrupted copy, which explains the session cookie issues), then reload it. If I created my "new" account during the reload, it could easily explain the loss of my account (if the DB restore script prioritized existing rows).
So, best-case scenario: SR fucked up server maintenance. Worst-case: SR is compromised by LEO.
More information as I collect it.
-
If I loose my bitcoins I am going to be very sad murp =(
-
oh you pentest the site too? :) we should trade notes sometime
I did, a while ago... eventually did a full code audit. Then I found a decent connect in my (newly-moved-to) area, and lost interest in SR. Actually, the reason I returned was to withdraw the 20BTC I left in my account... didn't work too well ::)
-
Who is this admin http://dkn255hz262ypmii.onion/index.php?action=profile;u=26708 ?
Had no posts this morning
Vendors?
DigitalAlch mentioned previously about stepping down and Indica|Sativa becoming an Admin, read around the forums and you will find the answers to many, many questions.
-
You sound like you know what you are talking about and are very good with the computer........the puzzling thing to me is how would someone of your know how "forget" your password? ::) There are programs for that if you have no long term memory.
Hello, everyone, I'm truenull.
A few months ago, I discovered multiple serious security holes in Silk Road: XSS, SQL injection, a vulnerability allowing the discovery of the Silk Road host server's public (non-Tor) IP, and CSRF.
Yesterday, I forgot my PIN (fuck me, right?) and figured I'd just wait 7 days for it to be reset, but...
A few hours later, there was downtime similar to today's. Attempts to connect to the silkroadvb5piz3r.onion website were met with a failed connection, and a message in the Tor logs indicating a server-side problem.
[Notice] Closing stream for '[scrubbed].onion': hidden service is unavailable (try again later).
After that downtime, there was a brief period allowing logins, then more downtime, but of a different sort. It seemed that there was an issue with the SR webapp or database itself- session cookies were repeatedly invalidated, and users were thus constantly kicked back to /silkroad/home (the login page), even after entering valid credentials and CAPTCHA.
During this downtime, I (stupidly) decided to do some additional testing, attempting to create a new account with the same username as my existing account (truenull). It kicked me back to /silkroad/home, and I thought nothing of it... until the downtime ended.
I logged in normally- and my account was as if it had been newly created. Balance of 0 BTC (previously ~20), account age (from buyer stats) in the minutes, and (to top it all off) a welcoming PM from SR Support.
Fuck.
So now I'm out 20 BTC. I PM SR Support (as a reply to the very helpful welcoming PM) and, on the advice of nomadbloodbath in IRC, DPR.
A few hours later, I get a reply from SR Support... informing me that my PIN had been reset, and that I would have to wait 5 days before I could change it. This was on my new account, only a few hours old, on which I had never done any sort of PIN activity.
"Fuck," I thought to myself. "This is not normal. There is a serious issue with Silk Road's database." I can be quite eloquent in my internal dialogue.
So I send off a few strongly worded PMs to SR Support, detailing my evidence. They've been read, but have not been responded to. The PM to DPR has yet to be read.
Today, there's more downtime, of a similar sort to the first downtime period yesterday (same error in Tor logs).
Analysing the situation further, by my estimate yesterday's second downtime was just long enough for a user to copy the entire SR database (disabling writes in the meantime to prevent getting a corrupted copy, which explains the session cookie issues), then reload it. If I created my "new" account during the reload, it could easily explain the loss of my account (if the DB restore script prioritized existing rows).
So, best-case scenario: SR fucked up server maintenance. Worst-case: SR is compromised by LEO.
More information as I collect it.
-
You sound like you know what you are talking about and are very good with the computer........the puzzling thing to me is how would someone of your know how "forget" your password? ::) There are programs for that if you have no long term memory.
Hello, everyone, I'm truenull.
[snipped]
Not my password, my PIN.
I figured I could remember it. I guess I was wrong- although I was very sure I knew it.
Hmm... might have been corrupted as well. Someone (nomad?) in IRC said he'd been seeing a lot of PIN resets yesterday, so make of that what you will.
-
stop f-in with SR and you wont get burnt biatch! ;)
-
Hmm yeah do you find that when you know you've entered your login info correct that it denies you access sometimes?
I swear sometimes I'm getting this. ;D
-
So is this what that latest Gawker article was referring to about LE closing in on Silk Road?
I would imagine if they could figure out the source of the db corruption, they'd want to roll it back and patch the vulnerability, then force everyone to change passwords or create new accounts if they suspect the db was compromised during that time ... then go through the labor of tracking down bitcoins, a major PITA.
I guess we'll find out.
-
quick.. everyone get their tinfoil hats! no ... suits, on! chill out people! SR will be back shortly. if i had a bitcoin for everytime someone freaked out like this when there is a minor hiccup i would be a bitcoin millionaire! Take care all. MBMC
-
So is this what that latest Gawker article was referring to about LE closing in on Silk Road?
Might be. With no reply to PMs... concern is warranted (like the hypothetical cops who hypothetically seized SR's server... get it, warranted? no? okay :'()
-
quick.. everyone get their tinfoil hats! no ... suits, on! chill out people! SR will be back shortly. if i had a bitcoin for everytime someone freaked out like this when there is a minor hiccup i would be a bitcoin millionaire! Take care all. MBMC
Can you explain my account's deletion in an uncorrupted database?
-
Hello, everyone, I'm truenull.
A few months ago, I discovered multiple serious security holes in Silk Road: XSS, SQL injection, a vulnerability allowing the discovery of the Silk Road host server's public (non-Tor) IP, and CSRF.
You did provide the results of your pentest to DPR right?
-
actually i do have one interesting story to contribute to this. last night i noticed that i was logged out and forced to log back in which happens from time to time on SR. I normally can stay logged in for a few days before getting bumped. so last night it asked me to login and i know i entered the right captch and it didnt spit out a message saying invalid login it just made me login again but this time the captch was only 3 digits and was all numbers if i recall. i think it was like 357 or something liike that. i entered the odd captcha and it let me in. ive never seen a 3 digit captcha on SR.
Perhaps DPR was deploying a new server and we got caught in the time he was setting up the connections to the DB or something. who knows. but just keep your tin foil hats on and SR will be back soon! Enjoy! MBMC
-
Hello, everyone, I'm truenull.
A few months ago, I discovered multiple serious security holes in Silk Road: XSS, SQL injection, a vulnerability allowing the discovery of the Silk Road host server's public (non-Tor) IP, and CSRF.
You did provide the results of your pentest to DPR right?
Yeah, and I got paid for it. I ended up doing a full code audit, and finding a few more flaws.
-
Now that you guys mention it the forum site has been acting real weird the past 2 days. i would suspect some kind of bug or security breach. i am no expert tho so dont take my word for it. just an opinion
-
actually i do have one interesting story to contribute to this. last night i noticed that i was logged out and forced to log back in which happens from time to time on SR. I normally can stay logged in for a few days before getting bumped. so last night it asked me to login and i know i entered the right captch and it didnt spit out a message saying invalid login it just made me login again but this time the captch was only 3 digits and was all numbers if i recall. i think it was like 357 or something liike that. i entered the odd captcha and it let me in. ive never seen a 3 digit captcha on SR.
Perhaps DPR was deploying a new server and we got caught in the time he was setting up the connections to the DB or something. who knows. but just keep your tin foil hats on and SR will be back soon! Enjoy! MBMC
Yeah, that was the session cookie invalidation. Come to think of it, I was seeing the odd captchas too. I know SR captchas are taken from a wordlist table combined with a random 3-digit number- so a database issue could cause this too.
But yeah, I don't think this was LEO. I'll keep being suspicious until it can be conclusively shown to be benign... because after all, we're buying drugs on the internet here.
-
actually i do have one interesting story to contribute to this. last night i noticed that i was logged out and forced to log back in which happens from time to time on SR. I normally can stay logged in for a few days before getting bumped. so last night it asked me to login and i know i entered the right captch and it didnt spit out a message saying invalid login it just made me login again but this time the captch was only 3 digits and was all numbers if i recall. i think it was like 357 or something liike that. i entered the odd captcha and it let me in. ive never seen a 3 digit captcha on SR.
Perhaps DPR was deploying a new server and we got caught in the time he was setting up the connections to the DB or something. who knows. but just keep your tin foil hats on and SR will be back soon! Enjoy! MBMC
The past couple days I have also been getting some awkward 3 digit captcha images. Just thought it was my internet being screwy and not loading the page completely.
-
actually i do have one interesting story to contribute to this. last night i noticed that i was logged out and forced to log back in which happens from time to time on SR. I normally can stay logged in for a few days before getting bumped. so last night it asked me to login and i know i entered the right captch and it didnt spit out a message saying invalid login it just made me login again but this time the captch was only 3 digits and was all numbers if i recall. i think it was like 357 or something liike that. i entered the odd captcha and it let me in. ive never seen a 3 digit captcha on SR.
Perhaps DPR was deploying a new server and we got caught in the time he was setting up the connections to the DB or something. who knows. but just keep your tin foil hats on and SR will be back soon! Enjoy! MBMC
Exact same thing happened to me earlier today - same situation. I never get "booted" off. Did today, and got the same 3 number captcha.
-
actually i do have one interesting story to contribute to this. last night i noticed that i was logged out and forced to log back in which happens from time to time on SR. I normally can stay logged in for a few days before getting bumped. so last night it asked me to login and i know i entered the right captch and it didnt spit out a message saying invalid login it just made me login again but this time the captch was only 3 digits and was all numbers if i recall. i think it was like 357 or something liike that. i entered the odd captcha and it let me in. ive never seen a 3 digit captcha on SR.
Perhaps DPR was deploying a new server and we got caught in the time he was setting up the connections to the DB or something. who knows. but just keep your tin foil hats on and SR will be back soon! Enjoy! MBMC
Exact same thing happened to me earlier today - same situation. I never get "booted" off. Did today, and got the same 3 number captcha.
I'll throw my hat in this one. Same story here with the boot and subsequent 3 digit captcha. Didn't log me in with the 3 digit but resumed to normal length right after and let me in.
-
I concur on the possible DB issues. At some point, I too experienced the session cookie invalidation followed by having to re-login at the home page. Only numbers appeared in the CAPTCHA as opposed to the usual combination of both.
SR could be moving servers, or they might be making big changes to the site that require the main DB to be taken offline while leaving a copy to handle interim transactions. This could be a response to increased LE scrutiny, or it could be a hack. Could be LE pulling the plug on the site after leaving it up as a honeypot. Remember, there have been several reports of btc transfers not making it to SR accounts.
As of now, SR is still completely down (hidden service is unavailable (try again later).). When it first went offline, I was getting an error from tor about the server fingerprint or key being different than expected. Either the server was moved or somehow refreshed, or I dunno....
****EDIT: SR just came back as of Thursday 19th of July 2012 04:51:02 AM UTC****
-
I noticed some database weirdness earlier today. One of the pictures that came up on the main page was xtc pills from a vendor called iDesign. IIRC, that guy ended up being a scammer and hasn't been around for months. When I clicked on the listing it came up as "listing not available" or whatever it usually says. I've also seen other main page weirdness before and it's never been a big deal, though. I've several times had situations where the picture does not match the actual listing when you click on it. So I'm not tripping, at least not at this point.
I wonder where limetless is in this thread. Usually he's got like 3-4 posts in a thread like this. Im thinking he's sleeping, but based on his post count, I'm not sure he actually sleeps.
-
I concur on the possible DB issues. At some point, I too experienced the session cookie invalidation followed by having to re-login at the home page. Only numbers appeared in the CAPTCHA as opposed to the usual combination of both.
SR could be moving servers, or they might be making big changes to the site that require the main DB to be taken offline while leaving a copy to handle interim transactions. This could be a response to increased LE scrutiny, or it could be a hack. Could be LE pulling the plug on the site after leaving it up as a honeypot. Remember, there have been several reports of btc transfers not making it to SR accounts.
As of now, SR is still completely down (hidden service is unavailable (try again later).). When it first went offline, I was getting an error from tor about the server fingerprint or key being different than expected. Either the server was moved or somehow refreshed, or I dunno....
****EDIT: SR just came back as of Thursday 19th of July 2012 04:51:02 AM UTC****
Yep. I'll give it an hour, see if it stays up.
SR need to announce scheduled maintenance (if this was scheduled maintenance), otherwise threads like these happen.
-
didn't get a message from you truenull, just stumbled on this thread. All of the phenomena you have mentioned in this thread actually makes some sense with some back-end configuration changes that have been made in the past couple of months. You know I value your input, so if you have anything you didn't put here, please contact me on the main site.
-
I contacted you on truenull's behalf DPR.
:)
nomad
-
While writing my script today, I also discovered that the captchas are not unique to each session. I can use the same captcha for around 5 minutes to log in and out. This make it easy to initiate brute force attacks.
-
Fuck. Please don't let this be happening now. The fact that no admins are chiming in is not a good sign. Admins please let us know what is going on if and when you can.
-
I consider myself technical, but no where near as technical as a lot of people here. So I have a question for people better than myself. If LE did somehow take control of SR, how much risk would there actually be for those of us who are taking the precautions we should all be taking anyway? Not saying it has or hasn't happened here, but hypothetically speaking.
As buyers, as long as we're using PGP when placing orders, and obviously keeping any of our personal information on a need to know basis, what could LE actually do? Same with sellers, as long as they take the normal precautions could LE actually do much to catch them? If I'm missing something obvious please let me know, unless it's potentially sensitive in some way (no need to give LE ideas they haven't thought of already...)
I'm not trying to stop people worrying (paranoia keeps me safe) but I like to be realistic about threats.
-
Fuck. Please don't let this be happening now. The fact that no admins are chiming in is not a good sign. Admins please let us know what is going on if and when you can.
Look up 3 posts from yours, posted 3 hours prior.
DPR is THE admin of all admin's...
-
SR is a site like any other, with the same uptime + security issues but the stakes are a lot higher.
I suspect LE is only one of DPR's concerns. There's a lot of bitcoin here waiting to be stolen if someone technical and without scruples does so. Watch the BTC drop out if / when that happens.
Good luck guys. In the meantime, I hope you are all using PGP for your comms! If the DB is compromised, that's exactly why you'd want to be encrypted.
-
Fuck. Please don't let this be happening now. The fact that no admins are chiming in is not a good sign. Admins please let us know what is going on if and when you can.
easy there creamsicle. DPR and nomad both chimed in. the site is back up. relax. it was just changes DPR and co were making. take your tin foil hats off now! its time to buy some drugs again! : )
-
Settle down, DPR was just applying a Windows Update. :) But seriously, can I recommend Xanax?
-
Bumpity bump: it's happening again.
(Also, I PM'd DPR on the forums with a link to the SR PM I sent- it probably fell into the database bitbucket or something.)
-
Fuck me, just went out to get some blocks of paper and a McDonalds, come back and THERE'S PANIC ON THE STREETS OF LONDON! Lol.
-
SHIT IS GOING DOWN, DESTROY YOUR HARD DRIVES AND SEND ME ALL YOUR DRUGS A.S.A.P
-
SHIT IS GOING DOWN, DESTROY YOUR HARD DRIVES AND SEND ME ALL YOUR DRUGS A.S.A.P
Haven't got a big enough box to ship you mine at the moment mate. ;)
-
SHIT IS GOING DOWN, DESTROY YOUR HARD DRIVES AND SEND ME ALL YOUR DRUGS A.S.A.P
Haven't got a big enough box to ship you mine at the moment mate. ;)
There's a use for your armoured car... :-)
Guru
See! I knew it was a good idea to advertise it on here.....
-
U will have to take ur used socks and shorts out of it first Lim ... :P
rofl
-
U will have to take ur used socks and shorts out of it first Lim ... :P
rofl
Pass me my gun and the Smirnoff Christie.....could be an interesting night.....
-
Probably gonna be a new gawker article tomorrow talking about the database has been compromised because of this thread.
-
Probably gonna be a new gawker article tomorrow talking about the database has been compromised because of this thread.
If they did that I may have to email them a picture of my erect cock (META data scrubbed of course) just to see if they did an article on that.
"Mods penis....is this the key to SR?" no Gawker....it's just the key to a vagina.....
-
Probably gonna be a new gawker article tomorrow talking about the database has been compromised because of this thread.
If they did that I may have to email them a picture of my erect cock (META data scrubbed of course) just to see if they did an article on that.
"Mods penis....is this the key to SR?" no Gawker....it's just the key to a vagina.....
HAHAHA fucking priceless ;D
-
U will have to take ur used socks and shorts out of it first Lim ... :P
rofl
Pass me my gun and the Smirnoff Christie.....could be an interesting night.....
yea that one is getting a little old but i just tried some new hash i made x.x
i'll come up with something better...:P
Edit: When ima rested lol
-
Forgive me if this is a noob question, but are there any plans for all SR members in place if (HYPOTHETICALLY) anything important is seized or compromised, for us to follow, besides preventive maintenance (PGP, etc)? or is preventive maintenance enough?
-
U will have to take ur used socks and shorts out of it first Lim ... :P
rofl
Pass me my gun and the Smirnoff Christie.....could be an interesting night.....
yea that one is getting a little old but i just tried some new hash i made x.x
i'll come up with something better...:P
Edit: When ima rested lol
Yeah true-say, new material is needed.