Silk Road forums
Discussion => Silk Road discussion => Topic started by: truenull on August 16, 2012, 08:50 pm
-
There is currently an open vulnerability in Silk Road. I reported this to DPR three days ago, but have received no response. Thus, I am posting this notice here, in hopes that if the vulnerability is discovered before DPR deploys a fix the damage done will be mitigated.
I will not post details of this vulnerability; suffice to say that it would allow an attacker to hijack a Silk Road account and discover the account's PIN, thus allowing an attacker to take any Bitcoins in that account. The vulnerability would also allow an attacker to impersonate a Silk Road user, opening up all sorts of social engineering exploits.
It is difficult to fully protect yourself from this attack. However, some precautions may be helpful:
Whenever possible, stay logged out of your SR account.
Never browse these forums whilst logged in to SR. If you must click on a link to SR posted here, consider using an empty "tester account".
Avoid unexpected prompts from the Silk Road website asking for your PIN.
Use the NoScript plugin for Firefox, and properly configure it.
Keep only a minimal BTC balance in your Silk Road account.
While these precautions will not fully protect you, they will help reduce the damage if the vulnerability is discovered.
Thanks,
truenull
"I hacked the planet and all I got was this lousy T-shirt"
-
SR should disable javascript -- It's an XSS accident waiting to happen.
-
SR should disable javascript -- It's an XSS accident waiting to happen.
SR can't really "disable Javascript": it's a client-side thing. They don't use Javascript, but that doesn't help in the case of an XSS attack.
-
Thanks for the heads up. Sounds like it has something to do with sniffing cookies on Tor.
-
SR should disable javascript -- It's an XSS accident waiting to happen.
SR can't really "disable Javascript": it's a client-side thing. They don't use Javascript, but that doesn't help in the case of an XSS attack.
I meant the forum. Everything works fine here without local scripts.
-
SR should disable javascript -- It's an XSS accident waiting to happen.
SR can't really "disable Javascript": it's a client-side thing. They don't use Javascript, but that doesn't help in the case of an XSS attack.
I meant the forum. Everything works fine here without local scripts.
Ah, okay.
-
Seems I'm not the only one to find potential XSS vulnerabilities in SR. Try sending your concerns to indica|sativa as well. He is the admin who apparently deals with specific, day to day things like this.
This is exactly why I advised everyone to disable all scripting via NoScript, even if javascript is unlikely to be used to directly compromise your clearnet IP. Session stealing and other side channel attacks are common, and can be pulled off with relative ease compared to attacks against the tor network itself.
-
There is no Javascript on SR itself last time I checked, but there is on the forums. However, many of us have Javascript disabled, and there is no requirement at all for anybody to be using it in order to use the forum.
I think we would rest a little easier if there was a ban on scripts entirely, including on this forum. They serve no useful purpose for us and there is potential for various exploitations.
Nonetheless, I think the real danger is not XSS or other hacker tricks, but 'the human element'.
Privnote for example, the human element being laziness or simple ignorance at very best. Privnote is the essence of a side channel attack, where the security of SR and other services are not compromised directly, but by parasitical services that sidle up to SR users, hoping to gain their dependence before pulling the rug from beneath their feet. I have even heard of some vendors using it. Those vendors ought to be pilloried.
Perhaps I am some kind of PGP Puritan, but I would warn once, and then ban, anybody who continued to use such a service. If not that, then more awareness of the dangers of using such a service ought to be crystal clear to every member of the forum; there is no excuse for laxity. To that end I shall begin a witch hunt for its users, a name and shame campaign.
You cannot be kind to stupidity, it must be reviled. And ignorance, well there is a cure for that is there not.
I'm aware that vendors fear losing custom if they force every buyer to learn basic cryptography. However, there are also safer solutions than the use of 3rd party services; they are simply less commonly understood than the pernicious "Fuck yeah Privnote" grassroots campaign that has apparently been orchestrated in the last two or three months. It is also the case that SR's customers will only increase in volume over the course of the next year, so one must put a foot down at some point.
If you allow buyers to behave as if this is truly a normal website, then you are putting down the seeds for a campaign of "John Busting" among a swath of the more naive customers. The law in many countries, e.g. Australia, is barbaric, their enforcement officials barbarians and their civilians innocent of what the rules really say. So it seems to me we have a duty to help them help themselves. If they do not want it, then fine, but they should be well aware they are driving without a seat belt.
Of course such a side channel attack from Privnote and other 3rd party services will not affect experienced SRarians in the slightest, but it will cause reputation damage to SR and lower profits as a result.
Finally, more than a few people are beginning to imagine LEA as impotent, LE agents as mystical creatures in some faraway land. Out of sight, out of mind. I will continue posting extracts from DEA educational fodder they supply to their ground troops, in order to illustrate how they really conceive of you all. Because they think we are rats, and stupid ones at that. The enemy really exists, it is really out there, and it is malevolent. I say bulletproof SR's security, harden your personal security setups and prepare in every way you can with backups, alternative systems of communication, every available trick in the crypto-anarchic book, so that when we come under attack they shall find it like striking a hornets' nest. Futile, and painfully expensive.
-
all of us have javaq script disabled i would like to think!!!!!!!!!!!!!!!
i see i spelled it wrong but ima buzzed and taking a break from trimming so :P
ima not gonna change it
-
all of us have javaq script disabled i would like to think!!!!!!!!!!!!!!!
i see i spelled it wrong but ima buzzed and taking a break from trimming so :P
ima not gonna change it
She's a rebel y'all! :D
Quoted Forever for Posterity :)
-
Having received no response from DPR, I will fully and publicly disclose the vulnerability on the full-disclosure mailing list as well as these forums on Monday, August 20th, unless I receive a response before then.
-
Bump for public awareness
-
You forgot one more method to protect yourself: don't keep your money in SR. Transfer it in long enough to make a purchase.
Anyways, Tor is configured to use JS by default, so you can assume 99% of people on here are using it, and I am too, as disabling it would put me into a small, easily profiled pool.
-
You forgot one more method to protect yourself: don't keep your money in SR. Transfer it in long enough to make a purchase.
Agreed, and added to the OP.
Anyways, Tor is configured to use JS by default, so you can assume 99% of people on here are using it, and I am too, as disabling it would put me into a small, easily profiled pool.
Personally, I'd be much more worried about browser exploits and language analysis; JS is unnecessary and a massive attack surface.
However, disabling JS alone will not fully protect you from this vulnerability! Even if you have NoScript configured, you are still vulnerable (although with more effort required from an attacker).
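The point made here, and in the earlier reply that a site which serves no JavaScript of its own is still exposed to XSS, is that client-side NoScript is a mitigation, not the fix: the server has to escape what it renders and keep the session cookie out of reach of script. The following is an added example written for this thread, not code from Silk Road or its forum software; the function names, the post fields and the sample post body are all constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# "Before": a forum that never ships its own JavaScript can still run
# attacker-supplied script if user fields are pasted straight into HTML.
def render_post_unsafe(username: str, body: str) -> str:
    return f'<div class="post"><b>{username}</b><p>{body}</p></div>'

# "After": every untrusted field is HTML-escaped (including quotes, so
# attribute contexts are covered too) before it reaches the page.
def render_post(username: str, body: str) -> str:
    return (f'<div class="post"><b>{html.escape(username)}</b>'
            f'<p>{html.escape(body)}</p></div>')

# Session cookie that document.cookie cannot read: HttpOnly stops a
# stolen-cookie style session hijack even when an XSS does land.
# (No Secure flag here because a plain-HTTP .onion service would drop it;
# add it on any site served over HTTPS.)
def session_cookie(session_id: str) -> str:
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Strict"   # blocks the cookie on cross-site requests
    c["sid"]["path"] = "/"
    return c.output(header="").strip()

# Defence in depth: a CSP that forbids all script, inline or external,
# so escaped-but-missed output still cannot execute.
def security_headers() -> dict:
    return {
        "Content-Security-Policy":
            "default-src 'none'; style-src 'self'; img-src 'self'; "
            "form-action 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
    }

if __name__ == "__main__":
    # Constructed sample post body carrying a script tag.
    sample = "thanks for the heads up <script>document.title='x'</script>"
    print("unsafe :", render_post_unsafe("someuser", sample))
    print("escaped:", render_post("someuser", sample))
    print("cookie :", session_cookie("constructed-session-id"))
    print("headers:", security_headers())
```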
-
Having received no response from DPR, I will fully and publicly disclose the vulnerability on the full-disclosure mailing list as well as these forums on Monday, August 20th, unless I receive a response before then.
'scuse me sir, but if the vulnerability is so bad, could I perhaps trouble you to NOT publish it before contacting Indica|Sativa? It just seems like it might be in the best interest of all to not allow there to be much chance for it to get wildly exploited prior to being patched.
-
Having received no response from DPR, I will fully and publicly disclose the vulnerability on the full-disclosure mailing list as well as these forums on Monday, August 20th, unless I receive a response before then.
'scuse me sir, but if the vulnerability is so bad, could I perhaps trouble you to NOT publish it before contacting Indica|Sativa? It just seems like it might be in the best interest of all to not allow there to be much chance for it to get wildly exploited prior to being patched.
I've contacted Indica|Sativa via forum PM, and contacted DPR via SR PM and forum PM.
The full disclosure will only happen if I receive no response of any kind.
-
Having received no response from DPR, I will fully and publicly disclose the vulnerability on the full-disclosure mailing list as well as these forums on Monday, August 20th, unless I receive a response before then.
'scuse me sir, but if the vulnerability is so bad, could I perhaps trouble you to NOT publish it before contacting Indica|Sativa? It just seems like it might be in the best interest of all to not allow there to be much chance for it to get wildly exploited prior to being patched.
I've contacted Indica|Sativa via forum PM, and contacted DPR via SR PM and forum PM.
The full disclosure will only happen if I receive no response of any kind.
Well, I contacted I|S to point him at this thread as well, so hopefully he pokes his head in.
-
...
You are talking about XSS, right? No direct vulnerability on SR like an SQL/whatever injection?!
Not totally clear to me from your first posts.
thx
edit: 3 more days, nice. Could you disclose it anyway, if/once it gets fixed? I am no expert, just curious what creative people can come up with here :)
-
I will not publicly disclose details of the vulnerability.
...
You are talking about XSS, right? No direct vulnerability on SR like an SQL/whatever injection?!
Not totally clear to me from your first posts.
thx
edit: 3 more days, nice. Could you disclose it anyway, if/once it gets fixed? I am no expert, just curious what creative people can come up with here :)
-
NoScript is a lifesaver both on the clearnet and on Tor.
-
For some reason my browser was allowing scripts for this forum, though they're blocked on any other website. You may want to check yours isn't the same, as I do not remember changing the settings.
-
I have received a response from Indica|Sativa; I will thus not be publicly disclosing this vulnerability.
-
I have received a response from Indica|Sativa; I will thus not be publicly disclosing this vulnerability.
Hooray!
-
Would someone be kind enough to tell me how one can see if JavaScript is enabled or not?
Also, what would be the proper way to configure it?
-
If it's only our PIN that's exposed and not the password, then why not require both the PIN and password when placing orders or transferring money? Seems like a simple enough fix.
-
If it's only our PIN that's exposed and not the password, then why not require both the PIN and password when placing orders or transferring money? Seems like a simple enough fix.
Pretty sure the vulnerability works in such a way that requiring that would then expose the password as well.
-
If it's only our PIN that's exposed and not the password, then why not require both the PIN and password when placing orders or transferring money? Seems like a simple enough fix.
Pretty sure the vulnerability works in such a way that requiring that would then expose the password as well.
Yep, it can be used to expose both PIN and password.
-
Do you suppose the vulnerability is being dealt with as I got this on my last login attempt:
The Silk Road is down for maintenance. We will get the site back up asap. Thank you for your patience.
Can anyone point me to a VERY easy explanation of how to use GPG?
I have the keychain thingy and the openPGP so when I have a block of text that I encrypt, do I choose the receiver's email in the keychain thingy to "encrypt" it just for them? I'm all fucking confused.
And do I also send my public key inside or outside of the encrypted block?
-
Do you suppose you shouldn't post the same fucking thing twice in a row?
-
Pine, if you were a woman you would remind me of Jane Austen. That is all.
-
Thanks for letting me know about my little booboo. You're sweet. And such a nice demeanor. You remind me of my grandchildren...
-
How come there hasn't been a bunch of posts saying "My account has been stolen" is what I am wondering.
-
Can anyone point me to a VERY easy explanation of how to use GPG?
I have the keychain thingy and the openPGP so when I have a block of text that I encrypt, do I choose the receiver's email in the keychain thingy to "encrypt" it just for them? I'm all fucking confused.
And do I also send my public key inside or outside of the encrypted block?
Here's a decent tutorial for Windows GPG: http://dkn255hz262ypmii.onion/index.php?topic=131.0
Sounds like you've got it down pretty well though. Write your message, encrypt with receiver's public key from your keychain, paste encrypted message.
Don't send your public key directly to the recipient. Instead, post it in the forum thread below, and then just give recipients the URL to the post with your key:
http://dkn255hz262ypmii.onion/index.php?topic=174.0
It's not terribly important if the URL is inside or outside the encrypted message. My suggestion: put it inside for extra security, but put it outside if you're sending your address to a seller through SR, so that your address is the only thing they see when they decrypt the message, and copy and paste your address onto your package.
-
Thanks Poor Richard, I will try again.
Wizdom