Silk Road forums

Discussion => Silk Road discussion => Topic started by: Yama Dass on December 18, 2012, 08:40 am

Title: What is this SR Quick Buy?
Post by: Yama Dass on December 18, 2012, 08:40 am
I'm noticing that the top items in each category have a modified image for SR Quick Buy superimposed on top of their original image. The image also contains an incomplete wallet address. Has the SR image server been breached? What else do they have access to? Can anyone confirm they are seeing this also?

For now I think I will be emptying out my wallet till I know what is going on.
Title: Re: What is this SR Quick Buy?
Post by: Yama Dass on December 18, 2012, 08:52 am
Yeah, they are changing the images on the top selling items for each category. It looks like the image server is the only thing they have access to.
Title: Re: What is this SR Quick Buy?
Post by: astor on December 18, 2012, 08:56 am
Just came to the forum because I noticed this.

Instructing to deposit directly to a nonexistent bitcoin address, in other words right into a black hole. Shit is seriously fucked up.
Title: Re: What is this SR Quick Buy?
Post by: astor on December 18, 2012, 09:01 am
hmmm, it's possible that they are holding the private keys to these addresses but they haven't been announced to the network yet.
Title: Re: What is this SR Quick Buy?
Post by: Yama Dass on December 18, 2012, 09:03 am
I found one on the block chain; it's on Powerade's listing:

http://silkroadvb5piz3r.onion/silkroad/item/d41d321237

1152MB9F7gM8DgrSo9QJ4cHNYy4dTiM8zq
Title: Re: What is this SR Quick Buy?
Post by: astor on December 18, 2012, 09:18 am
Ok so they are real, but some haven't been announced yet. This ain't LE, but some kind of hackers.
Title: Re: What is this SR Quick Buy?
Post by: utf-8 on December 18, 2012, 09:21 am
A lot of the images also have the addresses cut off/incomplete.
It is possible that some of these addresses are private or on another block chain.
I do find it interesting that they all link to different addresses though.

Examples of incomplete or cut off addresses can be seen in the links below:
1) http://silkroadvb5piz3r.onion/silkroad/item/ea8eb1546a
2) http://silkroadvb5piz3r.onion/silkroad/item/633e4081b2
3) http://silkroadvb5piz3r.onion/silkroad/item/ecc06f42f3
Title: Re: What is this SR Quick Buy?
Post by: gazwel on December 18, 2012, 09:23 am
Just seen this and came to check the forum, even if the vendor is trusted no way would I be "quick buying" anyway.
Title: Re: What is this SR Quick Buy?
Post by: astor on December 18, 2012, 09:25 am
The cut off is probably a mistake of whatever mechanism they are using to insert the overlay. In other words, they're not very good at what they are doing. :)
Title: Re: What is this SR Quick Buy?
Post by: Yama Dass on December 18, 2012, 09:26 am
Someone in chat mentioned that it could be an SQL injection hack rather than complete access to the image servers. It makes sense given the speed they are changing the images.
Title: Re: What is this SR Quick Buy?
Post by: snickerlover6969 on December 18, 2012, 09:30 am
Very strange, I don't think anybody on here is stupid enough to make that mistake..
Title: Re: What is this SR Quick Buy?
Post by: astor on December 18, 2012, 09:36 am
Apparently this happened last night too, at about the same time, when the forum and most likely the main site have the fewest users (and no admins around), but last night almost nobody noticed. Maybe it was a quick test run.

I think they are generating the bitcoin addresses on the fly and inserting them into the images so fast that they aren't even announced to the network and searchable on the block chain when you first see the images. Perhaps if we keep checking, more of them will show up. Announcing the addresses isn't critical. As long as you have the private key, you can claim the coins at a later date. It's just conventional to announce even unused addresses because people want to check and see that an address exists before they send coins to it.
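Before anyone treats one of these overlay strings as a real destination, the cheapest triage is to check whether it is even a well-formed address: right decoded length (a cut-off string fails here), valid Base58Check checksum, and a version byte that says which network it belongs to, which covers both the "cut off/incomplete" addresses utf-8 mentioned and the "is it really a bitcoin address" question above. This is an added example written for this thread, not code from the forum or from the site; it assumes only the standard Bitcoin Base58Check address format, and the 20-byte payload used in the demo is constructed.

```python
import hashlib

# Bitcoin's Base58 alphabet (0, O, I and l are deliberately absent).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Version bytes we recognise (assumption: only the classic P2PKH/P2SH types).
VERSION_NAMES = {
    0x00: "bitcoin mainnet P2PKH",
    0x05: "bitcoin mainnet P2SH",
    0x6F: "bitcoin testnet P2PKH",
    0xC4: "bitcoin testnet P2SH",
}


def _double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + out


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def encode_address(version: int, payload: bytes) -> str:
    """Build a Base58Check address: version || payload || first 4 bytes of dSHA256."""
    data = bytes([version]) + payload
    return b58encode(data + _double_sha256(data)[:4])


def check_address(text: str) -> dict:
    """Triage an address string: is it complete, does the checksum hold, which network?"""
    result = {"ok": False, "reason": "", "version": None, "payload": None}
    try:
        raw = b58decode(text.strip())
    except ValueError as exc:
        result["reason"] = str(exc)
        return result
    # A P2PKH/P2SH address always decodes to exactly 25 bytes; a cut-off string will not.
    if len(raw) != 25:
        result["reason"] = f"decoded to {len(raw)} bytes, expected 25 (truncated or corrupted?)"
        return result
    data, checksum = raw[:21], raw[21:]
    if _double_sha256(data)[:4] != checksum:
        result["reason"] = "checksum mismatch (typo, corruption or not a Base58Check address)"
        return result
    version = data[0]
    result.update(ok=True, reason="valid Base58Check",
                  version=VERSION_NAMES.get(version, f"unknown version byte 0x{version:02x}"),
                  payload=data[1:].hex())
    return result


if __name__ == "__main__":
    # Constructed demo payload (not a real key hash): build an address, then damage it.
    demo = encode_address(0x00, bytes(range(20)))
    for candidate in (demo, demo[:-1], "1152MB9F7gM8DgrSo9QJ4cHNYy4dTiM8zq"):
        print(candidate, "->", check_address(candidate))
```

The third demo input is the address quoted from Powerade's listing earlier in the thread; the decoder tells you only whether it is structurally valid, not whether anyone controls it or has announced it.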
Title: Re: What is this SR Quick Buy?
Post by: Dicko456 on December 18, 2012, 09:36 am
So for us non-IT types, if the photos have been breached is it safe to order?

Thanks,
Dicko
Title: Re: What is this SR Quick Buy?
Post by: gazwel on December 18, 2012, 09:39 am
I was wanting to order but not even going to risk it right now, have sent my vendor a PM so I will see what he says.
Title: Re: What is this SR Quick Buy?
Post by: Fat_Speedy_Guy on December 18, 2012, 09:39 am
Can't see the shipping options for any vendor, would seem the fact you can't order via the normal route due to that, and being in unison with the 'Quick Buy', am I wrong, or would make sense. Anyone seeing shipping options for any vendor?
Title: Re: What is this SR Quick Buy?
Post by: BruceCampbell on December 18, 2012, 09:45 am
My shipping options were fucked up two days ago, just blanked. Now what the fuck is this?
Title: Re: What is this SR Quick Buy?
Post by: gazwel on December 18, 2012, 09:47 am
Right at Xmas as well when we all need to get our last orders in!

I hope whoever did this gets AIDS in the asshole. Bad AIDS.
Title: Re: What is this SR Quick Buy?
Post by: gazwel on December 18, 2012, 09:49 am
Anyone else noticed pics changing back to the original then back to the quick buy one again? Or is it just my eyes?
Title: Re: What is this SR Quick Buy?
Post by: astor on December 18, 2012, 09:49 am
My thoughts exactly, CaptainMal, and reports of this shit were coming up 2 days ago. It's been planned for a while.
Title: Re: What is this SR Quick Buy?
Post by: Meatgrinder on December 18, 2012, 09:51 am
Can't see the shipping options for any vendor, would seem the fact you can't order via the normal route due to that, and being in unison with the 'Quick Buy', am I wrong, or would make sense. Anyone seeing shipping options for any vendor?

I can still see shipping options for Fireworks (What I mainly order off the site) no issues.

Only seems to be drugs affected?
Title: Re: What is this SR Quick Buy?
Post by: Fat_Speedy_Guy on December 18, 2012, 09:55 am
God you'd hope to think not many would fall for it? Bound to be some.

Nothing quick about typing out a Bitcoin address copied off an image, manually, vs simply sending it to the vendors account name via SR. Surely SR should just be put offline, if is possible, if in this state?
Title: Re: What is this SR Quick Buy?
Post by: c3ri110 on December 18, 2012, 10:02 am
Most of the people, just for being here, are "IT educated" enough that we will never send money to those addresses unless an official announcement is made. It could be an attack, small but an attack, since just the top products on the listings are being affected and it's using social engineering in order to confuse users into sending money to these addresses.  Let's wait for an official announcement, but it does not look like a big deal from an IT point of view.
Title: Re: What is this SR Quick Buy?
Post by: Fat_Speedy_Guy on December 18, 2012, 10:04 am
Can't see the shipping options for any vendor, would seem the fact you can't order via the normal route due to that, and being in unison with the 'Quick Buy', am I wrong, or would make sense. Anyone seeing shipping options for any vendor?

I can still see shipping options for Fireworks (What I mainly order off the site) no issues.

Only seems to be drugs affected?

Powerade shipping options now being displayed also, was manually re-added though as indicated on his profile. Perhaps every vendor will be required to manually re-add? Sad times.
Title: Re: What is this SR Quick Buy?
Post by: astor on December 18, 2012, 10:10 am
Surely SR should just be put offline, if is possible, if in this state?

Anybody got DPR's pager number? :)
Title: Re: What is this SR Quick Buy?
Post by: gazwel on December 18, 2012, 11:42 am
This is a nightmare :( Just want to make my last order before xmas
Title: Re: What is this SR Quick Buy?
Post by: Powerade1 on December 18, 2012, 11:43 am
Can't see the shipping options for any vendor, would seem the fact you can't order via the normal route due to that, and being in unison with the 'Quick Buy', am I wrong, or would make sense. Anyone seeing shipping options for any vendor?

I can still see shipping options for Fireworks (What I mainly order off the site) no issues.

Only seems to be drugs affected?

Powerade shipping options now being displayed also, was manually re-added though as indicated on his profile. Perhaps every vendor will be required to manually re-add? Gonna treat myself to a little of Franks #4 then this comes along shits on the parade. Sad times.


Yeah I did change them manually... my shipping options were deleted a few days ago except for the 1g amphetamine listing... thought it was just some kind of bug but now with the new pictures it seems more like SR got hacked. I also changed the pictures manually again but it seems that someone has access to all the listings and can edit them... scary thought but at least no BTC got withdrawn, at least as of now.

Already contacted vendor support , we'll see what they have to say about it..

Greetings
Title: Re: What is this SR Quick Buy?
Post by: AUSexpress on December 18, 2012, 12:00 pm
My top 2 products keep changing. I first noticed that the postage option disappeared 2 days ago and found it odd..

Now I have re-uploaded my product image and added the postage option back in twice and it keeps changing back.

Hope this gets resolved soon.

AUSexpress
Title: Re: What is this SR Quick Buy?
Post by: PlutoPete on December 18, 2012, 12:02 pm
Most of my listings seem ok for now, looks like they're hitting the most popular first, I've added a bit to my profile page warning clients.
Title: Re: What is this SR Quick Buy?
Post by: le_blua on December 18, 2012, 12:09 pm
Looks like a hacked graphic library, something like the watermark on pictures in the e-shops you use; they are generated automatically by the gd library in some script (it explains why it comes back even when the vendor re-uploads the picture: some part of the code generating this was put there)... it does not mean SR was hacked overall, probably just some door issue into this graphic script, but still.
Hope some official announcement from the admins will follow soon.
Title: Re: What is this SR Quick Buy?
Post by: dingowombat on December 18, 2012, 12:13 pm
Yeah, they are working from the top down. Eg look at the ecstasy listings: http://silkroadvb5piz3r.onion/silkroad/category/6

All the thumbnails show the overlay. So it's a massive coordinated attack being rolled out now.

Whoever is behind this: fuck you you fuckin fucks.

Merry Xmas to all the noobs losing their coins, and Merry Xmas to all the vendors losing a full day or two worth of xmas orders, and Merry Xmas to all the clients who can't get their holiday orders in on time.

Cunts.
Title: Re: What is this SR Quick Buy?
Post by: sourman on December 18, 2012, 12:15 pm
Someone in chat mentioned that it could be an SQL injection hack rather than complete access to the image servers. It makes sense given the speed they are changing the images.

^^This.

SR displays images by encoding them directly into the HTML code generated by the server. Some lame ass skiddies must have found a way to inject the same "SR quick buy" generator code into every bestseller image regardless of size or any other constraints.

I have a feeling that this may be LE trying to do their best to disrupt the market. The Australian feds admit to these kinds of operations, so just imagine what their counterparts in the US and UK are trying. Of course there's an equal chance of it being some l33t an0n h4x0r script kiddie. Any knowledgeable hacker would have rooted this server ages ago without tipping anyone off. SR would just wake up one day to find all the btc gone. Trust me, there have been plenty of opportunities in the past. Looks like most knowledgeable hackers respect this place for now, although that doesn't explain the lack of attention from the "cybercrime ecosystem". Either they make too much money running scams or selling drugs on SR, or they figured hacking it in pieces would be more profitable (and practical) than pwning the whole market at once.
Title: Re: What is this SR Quick Buy?
Post by: northsouth on December 18, 2012, 12:18 pm
What worries me the most is how they are able to delete or somehow 'bug-up' the posting options. One could fear that they've found SQL-injection, but seeing as they've had to pull this silly 'alter pictures, remove shipping options'-stunt (which honestly can't be very effective), they probably have very limited access.
If they could steal our bitcoins, they would have done it already.
Title: Re: What is this SR Quick Buy?
Post by: lefthandspinner on December 18, 2012, 12:29 pm
Thought someone was fucking about when I'm looking at a hash guy's 100g and the pic is supertrips' mdma pic.
Title: Re: What is this SR Quick Buy?
Post by: goldnvirgina on December 18, 2012, 12:53 pm
^ This. It seems to be the postage options get removed then the pic changes to quickbuy or a completely unrelated product.

No idea what's going on, hopefully just a glitch.
Title: Re: What is this SR Quick Buy?
Post by: Thizzed410 on December 18, 2012, 01:01 pm
This shit is annoying as fuck. I've been patiently waiting as my main vendor took his listings down for a couple of days to ship current orders.  I set my alarm early this morning because I know he is going to put listings back up and he has very limited stock.  Now I can't place an order.  FUCK!  I want to punch glass right now!
Title: Re: What is this SR Quick Buy?
Post by: nexuslupus on December 18, 2012, 02:25 pm
Well fuck me sideways  :( I was already worried that I would not be able to get my product before x-mas and now this! Spending x-mas alone without family and my kids was already a bummer and now it looks like I will be doing it sober too. Whoever is behind this, if I commit suicide this x-mas it is your fault. I sincerely hope that my orphaned kids devote their lives to avenging my death by making your life a living hell for the next 20 years before they let you die, but only after you have begged them for death, and perhaps then they will let you bleed out from the countless wounds you by then will have from the endless torture.
Title: Re: What is this SR Quick Buy?
Post by: QS on December 18, 2012, 02:39 pm
Well fuck me sideways  :( I was already worried that I would not be able to get my product before x-mas and now this! Spending x-mas alone without family and my kids was already a bummer and now it looks like I will be doing it sober too. Whoever is behind this, if I commit suicide this x-mas it is your fault. I sincerely hope that my orphaned kids devote their lives to avenging my death by making your life a living hell for the next 20 years before they let you die, but only after you have begged them for death, and perhaps then they will let you bleed out from the countless wounds you by then will have from the endless torture.

You want your kids to avenge your suicide against an anonymous hacker who messed up your stream of drugs into your body.  I think your kids are just going to blame you.  You're a dipshit for even thinking about putting your kids through that crap.  I hope you're trolling.
Title: Re: What is this SR Quick Buy?
Post by: gtgeorgz on December 18, 2012, 02:40 pm
Yeah, da fuck is this. Just dropping in to keep subbed.. interesting indeed.
Title: Re: What is this SR Quick Buy?
Post by: nexuslupus on December 18, 2012, 03:05 pm
Ehrrm sry for this OT post....


......Removed text.....  whoever is behind this, if I commit suicide this x-mas it is your fault. I sincerely hope that my orphaned kids devote their lives to avenging my death by making your life a living hell for the next 20 years ...removed text...
.... removed text.....  I hope you're trolling.

 :) no need to be upset my friend.... 

I was not trolling... me, I thought that my post was so over the top that anyone would get it was a joke. I am without my family this holiday so I want a bag of green to keep the blues away. But I will NOT kill myself. ffs, if I get that depressed I can go to a friend's house. But I still want ma weed and this is the only place I can/want to buy it from.

But you are right, I should have added a  ;) to my first post to make sure everyone understood it was a joke.
Title: Re: What is this SR Quick Buy?
Post by: USAShroomzz on December 18, 2012, 03:20 pm
I can't even add a postage option to my bulk listing because it tells me the characters are inappropriate.  The hackers really fucked things up this time.  SR better turn up their game.
Title: Re: What is this SR Quick Buy?
Post by: Thizzed410 on December 18, 2012, 03:22 pm
I can't even add a postage option to my bulk listing because it tells me the characters are inappropriate.  The hackers really fucked things up this time.  SR better turn up their game.

Wow, that's fucked up.
Title: Re: What is this SR Quick Buy?
Post by: northsouth on December 18, 2012, 03:51 pm
I can't even add a postage option to my bulk listing because it tells me the characters are inappropriate.  The hackers really fucked things up this time.  SR better turn up their game.
^
The 'inappropriate characters' filtering script, that resides somewhere inside SR's code, is there to protect against things like SQL-injection. My theory is that the hacker is someone with access to a vendor account, and that the SQL-injection 'hole' resides in a user-input only accessible to vendors (like the user-input necessary when you create a new listing - the postage option input perhaps?). This would explain why nobody has found it until now.

SR staff needs to fix the issue ASAP. If it is SQL-injection, it could be much more extensive than what we're seeing just now. If I was DPR, I would give out a BTC reward for finding holes in SR's security-systems and reporting them.
Title: Re: What is this SR Quick Buy?
Post by: farmer1 on December 18, 2012, 04:10 pm
If I was DPR, I would give out a BTC reward for finding holes in SR's security-systems and reporting them.

Excellent idea.
Title: Re: What is this SR Quick Buy?
Post by: astor on December 18, 2012, 04:51 pm
I take it there's no evidence yet that they've changed the text of people's profiles? I'd be worried that they start changing vendors' PGP keys.

Also, has anyone found an address that has been sent BTC? 
Title: Re: What is this SR Quick Buy?
Post by: thelorax on December 18, 2012, 04:54 pm
Yeah, my favorite vendor just stated that this is a scam and someone hacked SR. He's top 1% and says DO NOT send to said address...

FUCKING HAXORZ
Title: Re: What is this SR Quick Buy?
Post by: EnterTheMatrix on December 18, 2012, 05:13 pm
Yeah, they are working from the top down. Eg look at the ecstasy listings: http://silkroadvb5piz3r.onion/silkroad/category/6

All the thumbnails show the overlay. So it's a massive coordinated attack being rolled out now.

Whoever is behind this: fuck you you fuckin fucks.

Merry Xmas to all the noobs losing their coins, and Merry Xmas to all the vendors losing a full day or two worth of xmas orders, and Merry Xmas to all the clients who can't get their holiday orders in on time.

Cunts.

Fuckers have targeted our top selling products and disabled all shipping options. We change the image back manually and then the watermark still remains. SR needs to get onto this immediately.

Matrix  8)
Title: Re: What is this SR Quick Buy?
Post by: HOUSE on December 18, 2012, 05:14 pm
What the fuck is this here, amateur hour? With all the money this site makes every day, how is it in a position to be hacked so often and so easily? And why has the issue not yet been resolved?
Title: Re: What is this SR Quick Buy?
Post by: Funbagz on December 18, 2012, 05:16 pm
Wow, I was on SR till after 2AM my time and I didn't see anything strange. This is some shit! I expect we will actually see a post from DPR very soon. I don't feel like many people would have actually fallen for this scam for the simple fact that there is no option to copy and paste that bitcoin address. It would cause too much thought to actually type that address manually.
Title: Re: What is this SR Quick Buy?
Post by: Funbagz on December 18, 2012, 05:22 pm
Wow, I was on SR till after 2AM my time and I didn't see anything strange. This is some shit! I expect we will actually see a post from DPR very soon. I don't feel like many people would have actually fallen for this scam for the simple fact that there is no option to copy and paste that bitcoin address. It would cause too much thought to actually type that address manually.

Unfortunately, it's highly likely that if someone were really desperate to purchase a product and couldn't due to the missing shipping options, they would probably type in the address manually.  Only if they didn't know better, and only if they were really, really desperate for the product.

so true.
However anybody willing to do that is desperate to lose money also.

This really sucks folks but remain calm. Nobody seems to be posting about lost BTC or finalizations screwed up or lost escrow.

I just hope DPR has noticed.
Title: Re: What is this SR Quick Buy?
Post by: TopNotch on December 18, 2012, 05:25 pm
this is some fucked up shit.. dam hackers..

I'm on vacation till it's all sorted, don't make any orders (they're all down anyway) and no one is surely stupid enough to fall for this bs.. if they have sent coins to any overlay from my images it's their own fault unfortunately.. it clearly states in the buyer's guide not to send coins to any direct btc address and to always use the proper procedure.. order, wait till it arrives, finalize.. simples..

Hope SR fix it soon, as I can't put listings up even if I wanted to as I can't enter any postage information..
Title: Re: What is this SR Quick Buy?
Post by: TopNotch on December 18, 2012, 05:48 pm
I doubt it's coincidence the postage fucking up as well, the hackers probably did this to make people think it's a new thing.. and like said before, the very desperate who is somewhat new or knows no better.. preying on the dumb is never lucrative tho.. fucking idiots..
Title: Re: What is this SR Quick Buy?
Post by: Limetless on December 18, 2012, 06:06 pm
So yeah....this is all very disconcerting isn't it.
Title: Re: What is this SR Quick Buy?
Post by: muckefuck on December 18, 2012, 06:06 pm
If I was DPR, I would give out a BTC reward for finding holes in SR's security-systems and reporting them.

If I was DPR I wouldn't build a site like that on a dipshit framework like Codeigniter. PHP just sucks so much by any means...
But that is, however, just my 50 cents and there is no offence intended, just talking from experience.
Title: Re: What is this SR Quick Buy?
Post by: Fat_Speedy_Guy on December 18, 2012, 06:42 pm
Seems for marketplace, even a black market place, of this size the level of profit, there's been remarkably little feedback from DPR (or anyone else who is in contact with him), regarding what's gone on, etc, or defense, I know they can't have a team of computer hackers non-stop guarding SR, but a one man army doesn't seem to cut it. Getting harassed by a bunch of script kiddies. It's the lack of information that concerns me most, though.

This is a lot worse than when the site goes laggy or down for a few days; genuine infiltration and partial overtaking of the entire system is really fucked up. If I were a vendor unloading serious weight I'd be sweating my ass off.
Title: Re: What is this SR Quick Buy?
Post by: 7472831 on December 18, 2012, 06:50 pm
It's the lack of information that concerns me most, though.

I agree.

It's been about 10 hours now since I first noticed this and no word at all from DPR or any SR mods.

Very strange.
Title: Re: What is this SR Quick Buy?
Post by: Duckman on December 18, 2012, 06:51 pm
I can't even log into SR.

Title: Re: What is this SR Quick Buy?
Post by: DivineMomentsofTruth on December 18, 2012, 07:02 pm
I'm logged in but I notice it's showing up on more images now, although when I put things in my cart shipping options are actually showing up... that wasn't the case a few hours ago.

Hmm.... come on admins, get to the bottom of this.
Title: Re: What is this SR Quick Buy?
Post by: 420MEDS on December 18, 2012, 07:08 pm
Not wanting to add to the paranoia but uhm... isn't the URL usually http://silkroadvb5piz3r.onion/silkroad/home rather than just http://silkroadvb5piz3r.onion/silkroad?
Title: Re: What is this SR Quick Buy?
Post by: 420SLINGER on December 18, 2012, 07:10 pm
Most of the people, just for being here, are "IT educated" enough that we will never send money to those addresses unless an official announcement is made. It could be an attack, small but an attack, since just the top products on the listings are being affected and it's using social engineering in order to confuse users into sending money to these addresses.  Let's wait for an official announcement, but it does not look like a big deal from an IT point of view.

WOW not a big deal really

SO IF SOMEONE HACKS INTO YOUR BANK ACCOUNT AT YOUR LOCAL BANK AND JUST CHANGES AROUND A FEW ICONS THIS WOULD NOT bother you? This would drive me up the wall. I would take my money out of that bank 5 seconds after I heard that my banking account was hacked. I don't give a fuck if they only hacked it to change the middle letter of my name; the fact that they hacked any portion of my banking account is unacceptable in any measure.  Therefore having Silk Road hacked in any fashion is unacceptable. This is not fake virtual money in my account, it is actual real money that I earned. The security at Silk Road has gone downhill fast over the past six months, and the pending reports from wiki saying that LE is going to be doing a massive attack on Silk Road towards the end of this year and the beginning of next year make me think that Silk Road's days are numbered.

Better find your dealer on here that will deal with you off of SR. SR might have six months of life left in her before she's done.
Title: Re: What is this SR Quick Buy?
Post by: SelfSovereignty on December 18, 2012, 07:12 pm
So yeah....this is all very disconcerting isn't it.

Extremely.  Frankly what worries me more is that people will overreact and vendors won't be around.  If there were a better attack, they would have used it.  This really is... kind of pathetic.  Don't get me wrong, it's more than I could have pulled off, but it's a pretty pathetic attack all the same.

I rather like how popular Silk Road has gotten.  Granted, it makes it more of a target, but you can get virtually anything you want and the whole free market thing is driving the quality up and the prices down.  I think that's pretty damn cool... though it occurs to me that I've never gotten anything except stimulants... Well, the option is nice and all  ::)


Not wanting to add to the paranoia but uhm... isn't the URL usually http://silkroadvb5piz3r.onion/silkroad/home rather than just http://silkroadvb5piz3r.onion/silkroad?


... um... maybe I spoke too soon?  Yes.  You're right.  wtf?
Title: Re: What is this SR Quick Buy?
Post by: HOUSE on December 18, 2012, 07:14 pm
I know they can't have a team of computer hackers non-stop guarding SR

Why not? Maybe not guarding non-stop, but shouldn't there be at least two people in different timezones who can be called upon when the need arises? Shouldn't there be someone who's paid to find flaws in the system, and then fix those flaws?

As I said above - it looks like amateur hour sometimes. I'm telling you, if SR isn't going to be run with all the seriousness it deserves, it's going to blow up in our faces soon.
Title: Re: What is this SR Quick Buy?
Post by: Moldybread on December 18, 2012, 07:18 pm
fucking thing sucks.
Title: Re: What is this SR Quick Buy?
Post by: SelfSovereignty on December 18, 2012, 07:22 pm
I know they can't have a team of computer hackers non-stop guarding SR

Why not? Maybe not guarding non-stop, but shouldn't there be at least two people in different timezones who can be called upon when the need arises? Shouldn't there be someone who's paid to find flaws in the system, and then fix those flaws?

As I said above - it looks like amateur hour sometimes. I'm telling you, if SR isn't going to be run with all the seriousness it deserves, it's going to blow up in our faces soon.

Let's not forget that people have undoubtedly been trying to hack the site for over a year now, and this is the first time it's really been accomplished in any way at all.  That's really not so bad.  I'm not saying it's completely excusable, but c'mon.  It's not nearly as bad as it could be.
Title: Re: What is this SR Quick Buy?
Post by: GetYourFix on December 18, 2012, 07:24 pm
So yeah....this is all very disconcerting isn't it.

Extremely.  Frankly what worries me more is that people will overreact and vendors won't be around.  If there were a better attack, they would have used it.  This really is... kind of pathetic.  Don't get me wrong, it's more than I could have pulled off, but it's a pretty pathetic attack all the same.

I rather like how popular Silk Road has gotten.  Granted, it makes it more of a target, but you can get virtually anything you want and the whole free market thing is driving the quality up and the prices down.  I think that's pretty damn cool... though it occurs to me that I've never gotten anything except stimulants... Well, the option is nice and all  ::)


Not wanting to add to the paranoia but uhm... isn't the URL usually http://silkroadvb5piz3r.onion/silkroad/home rather than just http://silkroadvb5piz3r.onion/silkroad?


... um... maybe I spoke too soon?  Yes.  You're right.  wtf?

Ever since the marketplace came back from the LOONNNGGG downtime a bit back, that's the address I've seen (the second one listed). It's only been recently that I've noticed the first one start to show up at the login page every now and then.
Title: Re: What is this SR Quick Buy?
Post by: HOUSE on December 18, 2012, 07:26 pm
Let's not forget that people have undoubtedly been trying to hack the site for over a year now, and this is the first time it's really been accomplished in any way at all.  That's really not so bad.  I'm not saying it's completely excusable, but c'mon.  It's not nearly as bad as it could be.

I don't know... I don't usually read the forums a lot, so I really don't know what happened in the past. But people make it sound like it has happened before.

If this is really the first time, then yeah, maybe it's not as bad as I'm thinking it is in my head. Still not excusable though (v. the really great analogy of a bank site above).
Title: Re: What is this SR Quick Buy?
Post by: SelfSovereignty on December 18, 2012, 07:28 pm
So yeah....this is all very disconcerting isn't it.

Extremely.  Frankly what worries me more is that people will overreact and vendors won't be around.  If there were a better attack, they would have used it.  This really is... kind of pathetic.  Don't get me wrong, it's more than I could have pulled off, but it's a pretty pathetic attack all the same.

I rather like how popular Silk Road has gotten.  Granted, it makes it more of a target, but you can get virtually anything you want and the whole free market thing is driving the quality up and the prices down.  I think that's pretty damn cool... though it occurs to me that I've never gotten anything except stimulants... Well, the option is nice and all  ::)


Not wanting to add to the paranoia but uhm... isn't the URL usually http://silkroadvb5piz3r.onion/silkroad/home rather than just http://silkroadvb5piz3r.onion/silkroad?


... um... maybe I spoke too soon?  Yes.  You're right.  wtf?

Ever since the marketplace came back from the LOONNNGGG downtime a bit back, that's the address I've seen (the second one listed). It's only been recently that I've noticed the first one start to show up at the login page every now and then.

I'm quite sure it used to be "http://silkroadvb5piz3r.onion/index.php/silkroad/<whatever>".  Then it changed after the downtime and lost the index.php.  But it still had "/silkroad" usually; depends on what page you were on.

Edit: I was looking at a page without the "silkroad"... nevermind, it looks the same to me.
Title: Re: What is this SR Quick Buy?
Post by: 420SLINGER on December 18, 2012, 07:33 pm
I know they can't have a team of computer hackers non-stop guarding SR

Why not? Maybe not guarding non-stop, but shouldn't there be at least two people in different timezones who can be called upon when the need arises? Shouldn't there be someone who's paid to find flaws in the system, and then fix those flaws?

As I said above - it looks like amateur hour sometimes. I'm telling you, if SR isn't going to be run with all the seriousness it deserves, it's going to blow up in our faces soon.

Silk Road security sucks you got one guy running a website with over 50,000 members this is stupid and he's managing our money do you people not see this this one guy is managing this whole thing our money and our identity "my pgp addresses" and security.
this site is being manned by one person. Stupid stupid stupid.

I mean come on the owner of this site has to be making hundreds of thousands a year at least and this is how he repays us for making him fucking rich no security no IT team nothing just him fuck this I'm going with that guy that's been advertising on here 100% security and no arrests receiving policy. no BTC no wondering if you're secure or not much safer and a much more reliable vendor I bought three things from them have not had a single problem.

I cannot say that about Silk Road from day one of being a member there's always a problem always package shows up 15 days after I ordered it sitting in escrow for fucking ever.
Title: Re: What is this SR Quick Buy?
Post by: LainOfTheWired1984 on December 18, 2012, 07:37 pm
Just to be sure though. Withdrawing and depositing into the SR account still works, right? They only forced the images and postal options to change but the framework still works as normal?

Is this right?
Title: Re: What is this SR Quick Buy?
Post by: 420SLINGER on December 18, 2012, 07:40 pm
I know they can't have a team of computer hackers non-stop guarding SR

Why not? Maybe not guarding non-stop, but shouldn't there be at least two people in different timezones who can be called upon when the need arises? Shouldn't there be someone who's paid to find flaws in the system, and then fix those flaws?

As I said above - it looks like amateur hour sometimes. I'm telling you, if SR isn't going to be run with all the seriousness it deserves, it's going to blow up in our faces soon.



Let's not forget that people have undoubtedly been trying to hack the site for over a year now, and this is the first time it's really been accomplished in any way at all.  That's really not so bad.  I'm not saying it's completely excusable, but c'mon.  It's not nearly as bad as it could be.

wow you are a really stupid stupid person do you mean to tell me that if your bank does have a little hiccup with somebody hacking it that you leave your money in that bank you're a fucking moron.
Title: Re: What is this SR Quick Buy?
Post by: muckefuck on December 18, 2012, 07:46 pm
Just to be sure though. Withdrawing and depositing into the SR account still works, right? They only forced the images and postal options to change but the framework still works as normal?

Is this right?

At least this is how it looks like for now. From what has been posted in the forums over the last few days I wouldn't expect much more to come.
However, someone has done his homework pretty well and I wouldn't underestimate his skills, so we may stay curious what comes next. But as the people that we are, doing illegal stuff, we aren't likely to be shocked by whatever happens, ain't we? ;)

Regards
Title: Re: What is this SR Quick Buy?
Post by: Theophilus on December 18, 2012, 07:48 pm

Silk Road security sucks you got one guy running a website with over 50,000 members this is stupid and he's managing our money do you people not see this this one guy is managing this whole thing our money and our identity "my pgp addresses" and security.
this site is being manned by one person. Stupid stupid stupid.

I mean come on the owner of this site has to be making hundreds of thousands a year at least and this is how he repays us for making him fucking rich no security no IT team nothing just him fuck this I'm going with that guy that's been advertising on here 100% security and no arrests receiving policy. no BTC no wondering if you're secure or not much safer and a much more reliable vendor I bought three things from them have not had a single problem.

I cannot say that about Silk Road from day one of being a member there's always a problem always package shows up 15 days after I ordered it sitting in escrow for fucking ever.

I'm pretty sure an operation the size of Silk Road has never been seen on the darknet before.

Running and scaling the infrastructure required for this utopia you and I enjoy is uncharted territory, even for DPR.

If this were a clearnet operation, no problem - you'd be outsourcing the shit to Amazon.

I doubt there's anyone approaching DPR with a legitimate cloud server solution for the darknet.

This is a pretty fucking minor glitch in the scheme of things.
Title: Re: What is this SR Quick Buy?
Post by: Wadozo on December 18, 2012, 07:49 pm
I know they can't have a team of computer hackers non-stop guarding SR

Why not? Maybe not guarding non-stop, but shouldn't there be at least two people in different timezones who can be called upon when the need arises? Shouldn't there be someone who's paid to find flaws in the system, and then fix those flaws?

As I said above - it looks like amateur hour sometimes. I'm telling you, if SR isn't going to be run with all the seriousness it deserves, it's going to blow up in our faces soon.

SR is not something where DPR can just hire some IT Security Specialists out of the paper to keep tabs on the site 24/7. No one but DPR actually knows anything about how the site is run, which is how it should be. It's an anonymous market place on the hidden web selling a lot of illegal products. DPR obviously has very limited options on how the site is run. Let's give him/her a chance to make a statement and then go from there. DPR came through some difficult times recently so let's give him/her a go to rectify this problem and have a little patience.
Title: Re: What is this SR Quick Buy?
Post by: nucka on December 18, 2012, 07:57 pm
stop worrying about the url. you can access the site with either. has nothing to do with the injection attack. 

since it seems people don't really have an idea how this works, i will explain. since there is obviously a security hole and an exploit is being used to inject code into the SQL server, the hackers can continue to inject bits of code into the server that will change small things on the server or add up to a much larger attack.  people keep saying that they only got access to the imageserver... that's not true.  they gained access to the main server.  that is how they removed the shipping option.  with enough time, they could completely rewrite the database to reroute your BTC to wherever they want and make it TRANSPARENT to you.  you should remove all your btc immediately until this issue is resolved.  once a security hole is identified, it can be used to mount a much larger attack/hack/spoof, there is literally a plethora of things they could do.

as of now, the main site is INSECURE and i would recommend everyone to stay away for now until the issue is resolved. 

as far as you know, the hackers could have found an exploit in your TOR browser, implemented an image (or something else) in sr that can lead to your OS becoming compromised/hacked/infected.

FAIR WARNING...
Title: Re: What is this SR Quick Buy?
Post by: Wadozo on December 18, 2012, 08:01 pm
I know they can't have a team of computer hackers non-stop guarding SR

Why not? Maybe not guarding non-stop, but shouldn't there be at least two people in different timezones who can be called upon when the need arises? Shouldn't there be someone who's paid to find flaws in the system, and then fix those flaws?

As I said above - it looks like amateur hour sometimes. I'm telling you, if SR isn't going to be run with all the seriousness it deserves, it's going to blow up in our faces soon.



Let's not forget that people have undoubtedly been trying to hack the site for over a year now, and this is the first time it's really been accomplished in any way at all.  That's really not so bad.  I'm not saying it's completely excusable, but c'mon.  It's not nearly as bad as it could be.

wow you are a really stupid stupid person do you mean to tell me that if your bank does have a little hiccup with somebody hacking it that you leave your money in that bank you're a fucking moron.

Mate, you're the stupid one!!  ??? Stop spreading your innuendos and baseless speculation and get a grip. You wouldn't have a clue on how anything here operates, none of us do. Show a little patience, stop whinging about everything and give DPR a chance to sort it out. What DPR makes on SR and how many members there are is frankly none of your business, or anyone's for that matter, other than DPR's.
Title: Re: What is this SR Quick Buy?
Post by: SelfSovereignty on December 18, 2012, 08:02 pm
stop worrying about the url. you can access the site with either. has nothing to do with the injection attack. 

since it seems people don't really have an idea how this works, i will explain. since there is obviously a security hole and an exploit is being used to inject code into the SQL server, the hackers can continue to inject bits of code into the server that will change small things on the server or add up to a much larger attack.  people keep saying that they only got access to the imageserver... that's not true.  they gained access to the main server.  that is how they removed the shipping option.  with enough time, they could completely rewrite the database to reroute your BTC to wherever they want and make it TRANSPARENT to you.  you should remove all your btc immediately until this issue is resolved.  once a security hole is identified, it can be used to mount a much larger attack/hack/spoof, there is literally a plethora of things they could do.

as of now, the main site is INSECURE and i would recommend everyone to stay away for now until the issue is resolved. 

as far as you know, the hackers could have found an exploit in your TOR browser, implemented an image (or something else) in sr that can lead to your OS becoming compromised/hacked/infected.

FAIR WARNING...

This is a joke... right?  I mean you don't really expect us all to believe that if what you're claiming is possible, they would have tipped their hand with this pathetic attempt to scam a few bitcoins out of people... do you?
Title: Re: What is this SR Quick Buy?
Post by: nucka on December 18, 2012, 08:04 pm
that's exactly what i'm saying. i'm an it professional.  i know what i'm talking about.  it takes awhile to completely compromise a SQL server.  they probably can only inject small bits of code at a time.  that's why you saw the images changing over time.  it takes time to mount a comprehensive attack via SQL injection.

just be safe man.  not trying to scare anyone.
Title: Re: What is this SR Quick Buy?
Post by: SelfSovereignty on December 18, 2012, 08:05 pm
Just to be sure though. Withdrawing and depositing into the SR account still works, right? They only forced the images and postal options to change but the framework still works as normal?

Is this right?

Just had an issue withdrawing all my coins, kept saying insufficient funds when I tried to withdraw everything but leaving a small amount of bitcoin seemed to allow me to get the rest out, had me worried for a few mins as it seemed the withdraw option wasn't working.

Not leaving anything in my SR account with this shit going on.

This is to be expected.  Bitcoins are divisible to like, 8 decimal places.  The site rounds when it displays your total -- you really were trying to withdraw more funds than you had :)
Title: Re: What is this SR Quick Buy?
Post by: SelfSovereignty on December 18, 2012, 08:09 pm
that's exactly what i'm saying. i'm an it professional.  i know what i'm talking about.  it takes awhile to completely compromise a SQL server.  they probably can only inject small bits of code at a time.  that's why you saw the images changing over time.  it takes time to mount a comprehensive attack via SQL injection.

just be safe man.  not trying to scare anyone.

Well, what you said sounded awfully alarmist.  And I'm sorry, but I don't agree with your assessment.  You're welcome to your opinion, but that's just not how computers work.  If it was going to take time, there's a reason it would take time.  Computers don't sit there going "oh look, it's 1 o'clock, let's have tea!"  What are you saying, the CPU can't crunch the numbers fast enough, yet it has time to waste with this pathetic image altering?  I don't see how that's possible.
Title: Re: What is this SR Quick Buy?
Post by: USAShroomzz on December 18, 2012, 08:11 pm
Something interesting, I was able to add the postage option again as long as the name is "name".  Looks like the hackers forgot that lol.
Title: Re: What is this SR Quick Buy?
Post by: samesamebutdifferent on December 18, 2012, 08:13 pm
Just to be sure though. Withdrawing and depositing into the SR account still works, right? They only forced the images and postal options to change but the framework still works as normal?

Is this right?

Just had an issue withdrawing all my coins, kept saying insufficient funds when I tried to withdraw everything but leaving a small amount of bitcoin seemed to allow me to get the rest out, had me worried for a few mins as it seemed the withdraw option wasn't working.

Not leaving anything in my SR account with this shit going on.

This is to be expected.  Bitcoins are divisible to like, 8 decimal places.  The site rounds when it displays your total -- you really were trying to withdraw more funds than you had :)

Ahh cool thanks for clarifying, I will delete my previous post before someone latches onto another reason to panic  ;)
Title: Re: What is this SR Quick Buy?
Post by: nucka on December 18, 2012, 08:17 pm
Actually, when it comes to SQL and INJECTION attacks (not how fast your CPU can run! LOL) usually an attack will only allow SOME code to be injected.  There is not just an open hole that they can do what they want with.  The perpetual hole is absolutely possible, but like i said, it takes time to inject ALL your code that is associated with your hack, have it assemble within the DB, and carry out the attack.  it takes time.  i'm sure that they are continuously working on it as we speak.

have fun!
Title: Re: What is this SR Quick Buy?
Post by: astor on December 18, 2012, 08:22 pm
I love everything that DPR has done for the community, but I don't think he will be the man leading this revolution in the long term. We need a distributed market place software, open source and developed publicly (perhaps on Github, or a hidden service git repository), where anyone can review the code. With enough eyes, all security vulnerabilities are shallow, but SR is developed in secret by maybe 3-5 people. There's no way to know for sure that it is secure, until something like this happens, and then you know for sure that it isn't.
Title: Re: What is this SR Quick Buy?
Post by: SelfSovereignty on December 18, 2012, 08:23 pm
Actually, when it comes to SQL and INJECTION attacks (not how fast your CPU can run! LOL) usually an attack will only allow SOME code to be injected.  There is not just an open hole that they can do what they want with.  The perpetual hole is absolutely possible, but like i said, it takes time to inject ALL your code that is associated with your hack, have it assemble within the DB, and carry out the attack.  it takes time.  i'm sure that they are continuously working on it as we speak.

have fun!

1. Okay, it takes time.  So explain why?
2. Okay, so this image alteration isn't them being fucking retarded and tipping their hand (i.e. warning people there's a vulnerability before they can fully use it).  Explain how?

You've done neither.  I'm sorry, but I must conclude you don't have any clue what you're talking about.  Thank you for trying to help with things you don't know though -- it was a nice sentiment :)
Title: Re: What is this SR Quick Buy?
Post by: nucka on December 18, 2012, 08:29 pm
You obviously don't know what you're talking about.  I won't lament over that though as there are much more important things to discuss.   To answer your question, in the SQL database environment, there are LIMITATIONS on sizes of things.  So, case in point, it seems that they initially gained access to change images.  I'm POSITIVE there is an image size limit.  There is one glaring example of limitation.  On other systems of the SQL environment, the data size can be greatly reduced (images can be large).  So they find a hole, exploit it (send their bits of code via the exploit to save to the server), they design the code so that when all of the code is received by the server, it will automatically assemble into a complete "program" (hack) and carry out whatever it wants.  Usually the first thing to go for is to design your hack so that you gain admin rights over the server.  once you have admin rights you then have that perpetual hole i mentioned where you can literally go for the gusto and hack the shit out of said site (IE TAKE YOUR BTC).

again, not being alarmist, just trying to shed some light on how a sql injection attack works. 

one  more thing, please just do some reading on google of what sql injections are before coming off like a jerk.

thanks.

have fun!
Title: Re: What is this SR Quick Buy?
Post by: Spunkaroo on December 18, 2012, 08:31 pm
I have nothing useful to add, just marking this thread so I can back to it easily as it's become the de facto official thread about this issue as far as I can see.
Title: Re: What is this SR Quick Buy?
Post by: ADAM on December 18, 2012, 08:37 pm
The gist of this is that all users with a substantial amount of money in their SR account should withdraw it into their personal wallet(s). Hopefully DPR or an admin will come forward soon and address this. At least put a huge warning on the main page to avoid sending bitcoins to these addresses. However, who knows how deep the hackers have gotten (keeping the site mostly unchanged to keep up the ruse). Until this all gets fixed I will probably buy my holiday goodies thru tormail. I feel bad for the noobs that fell for this
Title: Re: What is this SR Quick Buy?
Post by: SelfSovereignty on December 18, 2012, 08:38 pm
You obviously don't know what you're talking about.  I won't lament over that though as there are much more important things to discuss.   To answer your question, in the SQL database environment, there are LIMITATIONS on sizes of things.  So, case in point, it seems that they initially gained access to change images.  I'm POSITIVE there is an image size limit.  There is one glaring example of limitation.  On other systems of the SQL environment, the data size can be greatly reduced (images can be large).  So they find a hole, exploit it (send their bits of code via the exploit to save to the server), they design the code so that when all of the code is received by the server, it will automatically assemble into a complete "program" (hack) and carry out whatever it wants.  Usually the first thing to go for is to design your hack so that you gain admin rights over the server.  once you have admin rights you then have that perpetual hole i mentioned where you can literally go for the gusto and hack the shit out of said site (IE TAKE YOUR BTC).

again, not being alarmist, just trying to shed some light on how a sql injection attack works. 

one  more thing, please just do some reading on google of what sql injections are before coming off like a jerk.

thanks.

have fun!

I pride myself on always being open to being wrong.  I care about truth more than I care about being right.  If you're right, I want to know it.  But what I'm saying is this: you are not telling me WHAT THE LIMITING FACTOR IS.  Why can they not just do this all at once?  Prepare the code beforehand, launch the attack, and have it done within minutes?  THAT is my question that you're not addressing, and I'm trying to point out to anyone who doesn't see it that AS STATED, even if you're right (which I don't believe you are), your argument doesn't make sense.

Either they're fucking retarded to tip their hand this way, or what you're saying is wrong.  I just don't know how else to put this: what's stopping them from doing it ALL AT ONCE?  The CPU can't process it fast enough?  The database doesn't allow more than one change every minute?  I mean there MUST be a reason, and you're not giving it.
Title: Re: What is this SR Quick Buy?
Post by: muckefuck on December 18, 2012, 08:40 pm
[...]
again, not being alarmist, just trying to shed some light on how a sql injection attack works. 
[...]

If you want to teach someone on how something _works_ it would be a good idea to start a fresh thread in a dedicated forum. I think this is just the wrong place.

And I absolutely disagree with every statement you made. Please, get some _real_ education and come back afterwards.

[...]
one  more thing, please just do some reading on google of what sql injections are before coming off like a jerk.
[...]

You better follow your own advice but I'd say don't use google but visit a class on IT-security.
Title: Re: What is this SR Quick Buy?
Post by: peaceloveharmony on December 18, 2012, 08:40 pm
Just to be sure though. Withdrawing and depositing into the SR account still works, right? They only forced the images and postal options to change but the framework still works as normal?

Is this right?

Just had an issue withdrawing all my coins, kept saying insufficient funds when I tried to withdraw everything but leaving a small amount of bitcoin seemed to allow me to get the rest out, had me worried for a few mins as it seemed the withdraw option wasn't working.

Not leaving anything in my SR account with this shit going on.

Did the BTCs reach your wallet?
I also tried to withdraw my BTCs and it worked on SR but the transaction was never transmitted to the bitcoin network, only the balance in my SR account was removed, but the BTCs didn't reach my address (there is even no unconfirmed transaction). This was ~2h ago :(
Title: Re: What is this SR Quick Buy?
Post by: lifeis420 on December 18, 2012, 08:44 pm
This does not look good at all and I would advise everyone to put their orders on hold until this is resolved.
If someone has compromised the Image servers/is able to push SQL code through then security could be in real danger. If this is the case then they will be able to do more than just manipulate the images.
At least withdrawals are still working  :)
Title: Re: What is this SR Quick Buy?
Post by: Mescaline on December 18, 2012, 08:44 pm
Hmmm guys...

I withdrew my money to my client wallet and once my blockchain got caught up I didn't have my money.

I checked to see where it went on blockchain.info, and it got split into its integer value and remainder, both sent to different addresses. I'm not sure if that's some SR method of bitcoin tumbling and it will get here in a few minutes (it's already been 20 minutes now) or if my bitcoins just got sent to someone else's addresses.

From my knowledge of SQL injections, it's certainly possible for them to modify a withdraw query string to set the recipient address to a malicious one, but I want to know if anyone else is having this problem or if I shouldn't be worried about this.
Title: Re: What is this SR Quick Buy?
Post by: nucka on December 18, 2012, 08:45 pm
the "quickness" of carrying out the hack depends upon what they exploited. ie cache tables, blocks, images, whatever.... each "system" has different data size limitations... think of it like a cardboard box.  once the box is full, you can't put anything else in it.  so you have to empty the box, and refill it.  then after you do that however many times it takes, then you have to have all that dumped stuff assemble, then execute.  i guess it's a slightly difficult concept to understand unless you are a techie.  trust me.  it takes time to mount a complete attack via just sql injection.  the thing that is scariest is that they could have already locked out admin PRIOR to changing all the images and could be furiously writing code to further exploit the site (ie a completely compromised server)  who says that admin still has access?  why are they not saying anything right now?  because they may be shitting bricks right now and not know what to do except take the site down...

the pissing part is that most likely the hackers simply identified a security hole because admin didn't keep apache/solr/whatever properly updated.

that's what happened to sony.  just didn't install a server update.  that's all it takes.
Title: Re: What is this SR Quick Buy?
Post by: nucka on December 18, 2012, 08:47 pm
[...]
again, not being alarmist, just trying to shed some light on how a sql injection attack works. 
[...]

If you want to teach someone on how something _works_ it would be a good idea to start a fresh thread in a dedicated forum. I think this is just the wrong place.

And I absolutely disagree with every statement you made. Please, get some _real_ education and come back afterwards.

[...]
one  more thing, please just do some reading on google of what sql injections are before coming off like a jerk.
[...]

You better follow your own advice but I'd say don't use google but visit a class on IT-security.

OKIE DOKIE! I love how you explained to everyone here how it works.  idiot. keep trollin...
Title: Re: What is this SR Quick Buy?
Post by: barmanon on December 18, 2012, 08:49 pm
Just posting here to confirm that I was able to withdraw bitcoins to personal wallet until things are resolved.  Whoever posted above about the insufficient funds msg -- you can withdraw 15.07432 bitcoins, but can't really get the exact amount you have in SR because they round the number to the nearest .01 in $$.  I had something like 20.07 BTC, and just withdrew 20.065 and it worked fine.

I'd also echo the sentiments re: timing -- how horrible right when everyone is putting in their orders to arrive before the weekend...

I have some faith that things will be restored in due time... hopefully sooner than later.
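The "insufficient funds" confusion explained a few posts up (the page rounds the displayed balance, so withdrawing the shown figure can exceed the real one) and the 20.07 / 20.065 BTC figures in the post above both come down to the same arithmetic. As an added example, not code from the thread or from Silk Road, here is that arithmetic done the way a wallet back end should do it: the authoritative balance lives as integer satoshis, only the display is rounded, and every withdrawal is checked against the exact value. The two-decimal display and the sample balance are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# One satoshi. All balances below are kept as integer satoshis so that
# arithmetic is exact: no floats, and no rounding of the authoritative value.
SATOSHI = Decimal("0.00000001")

# Number of decimal places the account page is assumed to show. The thread
# reports balances being rounded for display; two places is an assumption.
DISPLAY_PLACES = 2


def to_satoshi(btc: str) -> int:
    """Parse a BTC amount string exactly and return it as integer satoshis."""
    return int((Decimal(btc) / SATOSHI).to_integral_value())


def exact_balance(sat: int) -> str:
    """Full-precision balance as a BTC string with all 8 decimal places."""
    return str((Decimal(sat) * SATOSHI).quantize(SATOSHI))


def display_balance(sat: int, places: int = DISPLAY_PLACES) -> str:
    """Balance as the account page would show it, rounded half-up to `places`.

    This is what the user sees, and it can be *larger* than the real balance
    (20.06984321 shows as 20.07), which is the whole source of the confusion
    in the thread: the page never lets you withdraw the rounded-up figure.
    """
    step = Decimal(1).scaleb(-places)  # Decimal("0.01") for two places
    shown = (Decimal(sat) * SATOSHI).quantize(step, rounding=ROUND_HALF_UP)
    return str(shown)


def can_withdraw(balance_sat: int, request_btc: str) -> bool:
    """True if the requested amount is positive and within the exact balance."""
    return 0 < to_satoshi(request_btc) <= balance_sat


def withdraw(balance_sat: int, request_btc: str) -> int:
    """Debit `request_btc` from the exact balance; raise if insufficient.

    The check is against the satoshi balance, never the displayed string,
    so a request equal to the rounded-up display is correctly refused.
    """
    req = to_satoshi(request_btc)
    if req <= 0:
        raise ValueError("withdrawal amount must be positive")
    if req > balance_sat:
        raise ValueError(
            f"insufficient funds: balance {exact_balance(balance_sat)} BTC, "
            f"requested {request_btc} BTC"
        )
    return balance_sat - req


if __name__ == "__main__":
    # Constructed sample balance, chosen to sit just under the 20.07 BTC
    # figure quoted in the thread.
    balance = to_satoshi("20.06984321")
    print("shown on the page:", display_balance(balance))          # 20.07
    print("actual balance   :", exact_balance(balance))            # 20.06984321
    print("withdraw 20.07   :", can_withdraw(balance, "20.07"))    # False
    print("withdraw 20.065  :", can_withdraw(balance, "20.065"))   # True
    print("left afterwards  :", exact_balance(withdraw(balance, "20.065")))
```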
Title: Re: What is this SR Quick Buy?
Post by: peaceloveharmony on December 18, 2012, 08:50 pm
Just to be sure though. Withdrawing and depositing into the SR account still works, right? They only forced the images and postal options to change but the framework still works as normal?

Is this right?

Just had an issue withdrawing all my coins, kept saying insufficient funds when I tried to withdraw everything but leaving a small amount of bitcoin seemed to allow me to get the rest out, had me worried for a few mins as it seemed the withdraw option wasn't working.

Not leaving anything in my SR account with this shit going on.

Did the BTCs reach your wallet?
I also tried to withdraw my BTCs and it worked on SR but the transaction was never transmitted to the bitcoin network, only the balance in my SR account was removed, but the BTCs didn't reach my address (there is even no unconfirmed transaction). This was ~2h ago :(

OK false alarm, i got my BTCs :) There was an error in my blockchain checking script...
Title: Re: What is this SR Quick Buy?
Post by: SelfSovereignty on December 18, 2012, 08:51 pm
the "quickness" of carrying out the hack depends upon what they exploited. ie cache tables, blocks, images, whatever.... each "system" has different data size limitations... think of it like a cardboard box.  once the box is full, you can't put anything else in it.  so you have to empty the box, and refill it.  then after you do that however many times it takes, then you have to have all that dumped stuff assemble, then execute.  i guess it's a slightly difficult concept to understand unless you are a techie.  trust me.  it takes time to mount a complete attack via just sql injection.  the thing that is scariest is that they could have already locked out admin PRIOR to changing all the images and could be furiously writing code to further exploit the site (ie a completely compromised server)  who says that admin still has access?  why are they not saying anything right now?  because they may be shitting bricks right now and not know what to do except take the site down...

the pissing part is that most likely the hackers simply identified a security hole because admin didn't keep apache/solr/whatever properly updated.

that's what happened to sony.  just didn't install a server update.  that's all it takes.

I know for a fact that they apply security updates.  How?  I have eyes and poke around at things.  Just take my word for it.  Also, I applaud your tone, sir, it's very neutral now.  That said... you still haven't told me what the box represents.  Why can't they fill up a dozen at once?
Title: Re: What is this SR Quick Buy?
Post by: nucka on December 18, 2012, 08:56 pm
ok,  last post on this as i have to get to the doctor and pharmacy (haha), but they can't fill numerous "boxes" all at once because an injection would be targeting ONE "box".  So they exploit the shit out of what they have exploited.  ie, if you only have ONE cache table that is exploitable, you can't fill it simultaneously  30 times. you have to fill, save (empty the box), fill, save, fill, save, fill, save, ASSEMBLE, EXECUTE.

have fun!
Title: Re: What is this SR Quick Buy?
Post by: muckefuck on December 18, 2012, 08:58 pm
OKIE DOKIE! I love how you explained to everyone here how it works.  idiot. keep trollin...

Just because you created the illusion to anyone that you explained something doesn't mean you explained anything at all.

Most of the people here aren't tech aware so you may tell what you want and hope that a few of them believe you. I disagree with you and by just insulting people most of your post's readers will just not believe you.
Title: Re: What is this SR Quick Buy?
Post by: astor on December 18, 2012, 08:58 pm
I'm copying as many vendor keys as I can in case something happens to the site, so they can authenticate themselves in other places. Will dump what I have in a while.
Title: Re: What is this SR Quick Buy?
Post by: SelfSovereignty on December 18, 2012, 09:02 pm
ok,  last post on this as i have to get to the doctor and pharmacy (haha), but they can't fill numerous "boxes" all at once because an injection would be targeting ONE "box".  So they exploit the shit out of what they have exploited.  ie, if you only have ONE cache table that is exploitable, you can't fill it simultaneously  30 times. you have to fill, save (empty the box), fill, save, fill, save, fill, save, ASSEMBLE, EXECUTE.

have fun!

... I'm ashamed that my patience outlasted your misguided knowledge.  You obviously do something related to computers, yes.  But write exploits, uncover them, or actually understand how a computer executes code... you do not sir.  Enjoy your pharmacy drugs, and please stop scaring the Hell out of people who don't know any better.
Title: Re: What is this SR Quick Buy?
Post by: northsouth on December 18, 2012, 09:07 pm
that's exactly what i'm saying. i'm an it professional.  i know what i'm talking about.

If that is the case, I wouldn't hire you. The stuff you're saying simply isn't correct. Just because you can manipulate data in the database, doesn't mean you can execute any code at all.
But answer me this: If they were able to deploy a full-scale server take-over through SQL-injection (which is rarely possible), why the FUCK would they try to scam people with images? Stop trying to spread fear and panic, you little forum terrorist.
Title: Re: What is this SR Quick Buy?
Post by: Revolutionista on December 18, 2012, 09:09 pm
Maybe I'm living in la-la land, but can't we all chip in a few BTC as protection money to some next-level group of super hackers? I mean, surely Anonymous could do with some pot or some BTC to screw with?
Title: Re: What is this SR Quick Buy?
Post by: Wadozo on December 18, 2012, 09:13 pm
OK, last post on this as I have to get to the doctor and pharmacy (haha), but they can't fill numerous "boxes" all at once because an injection would be targeting ONE "box". So they exploit the shit out of what they have exploited. I.e., if you only have ONE cache table that is exploitable, you can't fill it simultaneously 30 times. You have to fill, save (empty the box), fill, save, fill, save, fill, save, ASSEMBLE, EXECUTE.

have fun!

... I'm ashamed that my patience outlasted your misguided knowledge.  You obviously do something related to computers, yes.  But write exploits, uncover them, or actually understand how a computer executes code... you do not sir.  Enjoy your pharmacy drugs, and please stop scaring the Hell out of people who don't know any better.

Don't be ashamed SS, patience is a quality seldom found these days, a most admirable trait in my eyes. As you said, let's all show some patience until DPR makes an official statement and stop speculating on what's happened. Once an official statement is made, then we can post on the facts if one so desires.  :)
Title: Re: What is this SR Quick Buy?
Post by: Harmful Hits on December 18, 2012, 09:14 pm
I have full confidence that DPR will take care of this quick buy bullshit ASAP. SR is my favorite website and DPR is kick ass!

Thanks DPR!
Title: Re: What is this SR Quick Buy?
Post by: 420MEDS on December 18, 2012, 09:16 pm
Maybe I'm living in la-la land, but can't we all chip in a few BTC as protection money to some next-level group of super hackers? I mean, surely Anonymous could do with some pot or some BTC to screw with?

We ARE already paying for protection of our clients and ourselves. It's called commission. Regarding the amount of cash the people behind SR make one should be able to expect an active team of administrators who are on top of things when they happen.
Title: Re: What is this SR Quick Buy?
Post by: muckefuck on December 18, 2012, 09:26 pm
We ARE already paying for protection of our clients and ourselves. It's called commission. Regarding the amount of cash the people behind SR make one should be able to expect an active team of administrators who are on top of things when they happen.

Don't you think that if there was a serious security hole, SR would still be online?

There is a minor flaw which affects some vendors but not all. No BTC traffic is in danger nor are accounts at all. Just think about it as a few glitches inside the system and everything will be alright.

In a few hours everything will be as usual. Silent, discreet, hidden. Be happy.
Title: Re: What is this SR Quick Buy?
Post by: goldnvirgina on December 18, 2012, 09:27 pm
Has anyone managed to deposit coins into SR today?

Also had trouble getting to the login page a few times; tried it a minute later and I didn't even need to log in, went straight to the home page, which is a bit concerning.
Title: Re: What is this SR Quick Buy?
Post by: Fat_Speedy_Guy on December 18, 2012, 09:30 pm
I know they can't have a team of computer hackers non-stop guarding SR

Why not? Maybe not guarding non-stop, but shouldn't there be at least two people in different timezones who can be called upon when the need arises? Shouldn't there be someone who's paid to find flaws in the system, and then fix those flaws?

As I said above - it looks like amateur hour sometimes. I'm telling you, if SR isn't going to be run with all the seriousness it deserves, it's going to blow up in our faces soon.

Cryptography and the vulnerabilities of the dark web are much less likely to be an issue in regards to Silk Road staying around than simple human ratting / incompetence. Obviously a team of top hackers working under you would help in regards to these situations, but then they'd be liabilities at the same time, purely due to the position of trust. But there still needs to be a balance IMO; today is/was an example of how, at their current level or amount of manpower, they aren't capable of defending the website adequately enough. Tricky balance though.

Dealers lost out, SR lost out, and addicts didn't get their fix.
Title: Re: What is this SR Quick Buy?
Post by: THUMBSuP. on December 18, 2012, 09:32 pm
does the "withdraw bitcoins" option send them to an offsite address?



thanks.

/thumbs
Title: Re: What is this SR Quick Buy?
Post by: Thizzed410 on December 18, 2012, 09:33 pm
Has anyone managed to deposit coins into SR today?

Also had trouble getting to the login page a few times; tried it a minute later and I didn't even need to log in, went straight to the home page, which is a bit concerning.


I was able to make a deposit earlier today.  It took a little over an hour when usually it takes 45 mins and under.
Title: Re: What is this SR Quick Buy?
Post by: PrincessHIGH on December 18, 2012, 09:34 pm
I'm surprised that SilkRoad hasn't taken the site offline to fix the issue. I appreciate it's almost Christmas and it's a very profitable time of year, but the site is clearly compromised. I know it's been said before, nobody can process an order in the legit way because the postage options have been taken down, so what's the point of keeping the site up if you can't place an order? Unless there's any way vendors can upload new pictures overwriting the hackers' watermarks and re-add the postage options? Over the past few hours I can see it's getting worse. Fingers crossed the SilkRoad team resolves this quickly, this is madness :o
Title: Re: What is this SR Quick Buy?
Post by: blueveil on December 18, 2012, 09:37 pm
Don your tin foil, boys! DPR will make this right. I gave my customers the OPTION to buy on BMR until this is addressed so that they can rest easy, but at the same time I am not worried enough to pull out my coins in a mass hysteria. Plus, if my buyers would simply PGP, this would be a moot issue. Too bad around 80 percent of my orders are cleartext. /facepalm
Title: Re: What is this SR Quick Buy?
Post by: goldnvirgina on December 18, 2012, 09:42 pm
Has anyone managed to deposit coins into SR today?

Also had trouble getting to the login page a few times; tried it a minute later and I didn't even need to log in, went straight to the home page, which is a bit concerning.


I was able to make a deposit earlier today.  It took a little over an hour when usually it takes 45 mins and under.

Thanks for that.

Not needing to log in has happened twice now. Going to avoid the site for a few days to be on the safe side, could be a completely innocent reason for it but better safe than sorry.
Title: Re: What is this SR Quick Buy?
Post by: miraex on December 18, 2012, 09:45 pm
I just wanted to say that throughout this whole situation I was able to order from a top 5% dealer with a listing that was under attack... everything so far has seemed to flow smoothly so I will keep you all posted on the final result!
Title: Re: What is this SR Quick Buy?
Post by: BarryBarron on December 18, 2012, 09:46 pm
does the "withdraw bitcoins" option send them to an offsite address?



thanks.

/thumbs

Just posting here to confirm that I was able to withdraw bitcoins to my personal wallet until things are resolved.  Whoever posted above about the insufficient funds msg -- you can withdraw 15.07432 bitcoins, but can't really get the exact amount you have in SR because they round the number to the nearest .01 in $$.  I had something like 20.07 BTC, and just withdrew 20.065 and it worked fine.

I'd also echo the sentiments re: timing -- how horrible right when everyone is putting in their orders to arrive before the weekend...

I have some faith that things will be restored in due time... hopefully sooner than later.

I think that's the only confirmed withdrawal.

I'm surprised that SilkRoad hasn't taken the site offline to fix the issue. I appreciate it's almost Christmas and it's a very profitable time of year, but the site is clearly compromised. I know it's been said before, nobody can process an order in the legit way because the postage options have been taken down, so what's the point of keeping the site up if you can't place an order? Unless there's any way vendors can upload new pictures overwriting the hackers' watermarks and re-add the postage options? Over the past few hours I can see it's getting worse. Fingers crossed the SilkRoad team resolves this quickly, this is madness :o

Wondering that myself  :-\

Title: Re: What is this SR Quick Buy?
Post by: Magic Moments on December 18, 2012, 09:52 pm
I know it's been said before, nobody can process an order in the legit way because the postage options have been taken down, what's the point of keeping the site up if you can't place an order?

We believe that some people have not been hit by the hack, scam, attack. We actually just received our first paid order, so some people have access and can still place orders.
Title: Re: What is this SR Quick Buy?
Post by: kst1791 on December 18, 2012, 10:03 pm
for what it's worth i can still see normal postage options for certain listings (which i won't name in an admittedly uneducated attempt to not draw attention to those listings).

:)
Title: Re: What is this SR Quick Buy?
Post by: danconia on December 18, 2012, 10:22 pm
We believe that some people have not been hit by the hack, scam, attack. We actually just received our first paid order, so some people have access and can still place orders.

+1, I was about to process an order earlier this morning because the vendor's postage options looked like they were working fine.  Ultimately I decided to just wait until this all passes because I'm in no hurry (I even sent my BTC to an off-site wallet for the time being).
Title: Re: What is this SR Quick Buy?
Post by: wokwokwok on December 18, 2012, 10:23 pm
Hello,

Just posting here to confirm that I was able to withdraw bitcoins to my personal wallet until things are resolved.  Whoever posted above about the insufficient funds msg -- you can withdraw 15.07432 bitcoins, but can't really get the exact amount you have in SR because they round the number to the nearest .01 in $$.  I had something like 20.07 BTC, and just withdrew 20.065 and it worked fine.

I'd also echo the sentiments re: timing -- how horrible right when everyone is putting in their orders to arrive before the weekend...

I have some faith that things will be restored in due time... hopefully sooner than later.

I think that's the only confirmed withdrawal.

I can also confirm a successful withdrawal, but it took very long, like 1 hour, and has 1 confirmation now.
Title: Re: What is this SR Quick Buy?
Post by: darthvaderstar on December 18, 2012, 10:48 pm
First of all, whoever believes this quickbuy deserves to get scammed. It looks like it has been made in Paint, for crying out loud. If they aren't smart enough to realize it's a scam then they shouldn't even be using the website. Also, thank Jesus for encryption; I feel bad for those fuckers who don't encrypt their address.

SR needs to shut down temporarily; I can log in but it takes 15 minutes to load a full page.
Title: Re: What is this SR Quick Buy?
Post by: PrincessHIGH on December 18, 2012, 11:04 pm
We believe that some people have not been hit by the hack, scam, attack. We actually just received our first paid order, so some people have access and can still place orders.
I found out on Shroomeister's thread http://dkn255hz262ypmii.onion/index.php?topic=94392.0 that uploading new photos won't make a difference as the hackers will overwrite them. Seems like most of the major vendors are being attacked whilst the lesser-known/newer vendors are clear for now. I still don't get the point of having SilkRoad online when it's in such a shambolic state; if they took the site down a few days ago due to an influx of newbies, certainly this is a good enough reason to do the same? It's making me feel very uneasy, I'm keeping off the marketplace until normal service has resumed.
Title: Re: What is this SR Quick Buy?
Post by: Errl_Kushman on December 18, 2012, 11:15 pm
...I wish Pine were here to offer his opinion.
Title: Re: What is this SR Quick Buy?
Post by: 420SLINGER on December 18, 2012, 11:25 pm
First of all, whoever believes this quickbuy deserves to get scammed. It looks like it has been made in Paint, for crying out loud. If they aren't smart enough to realize it's a scam then they shouldn't even be using the website. Also, thank Jesus for encryption; I feel bad for those fuckers who don't encrypt their address.

SR needs to shut down temporarily; I can log in but it takes 15 minutes to load a full page.

I really cannot believe so many people think that just because you send your address in PGP format you are protected. You feel sorry for the people who don't use encryption? I feel sorry for you that you actually think a PGP-encrypted message being sent to a vendor protects you. How do you know the vendor is who he says he is and not LE?

Did you think that the authorities don't know what PGP key encryption is? Then you are just talking out your ass.

If the authorities bust the vendor, the first thing they're going to do is make him give up the PGP key, and at that point you're fucked.

This has happened before on Silk Road and it will happen again.

If you are looking for a more secure way to buy marijuana, and marijuana only, as this is the only connection I know of from this website who used to be a vendor here, the closest store, because of the lack of security with Silk Road,

PM ME
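Two things raised in this thread, astor's plan of saving vendor keys so vendors can authenticate themselves elsewhere, and the "how do you know the vendor is who he says he is" question directly above, come down to the same mechanism: a message proves its origin only if it is signed with a private key whose public half you pinned earlier, whereas anyone holding your public key can encrypt to you. The example below is added here and is my own code, not from the thread, the forum or the site. It uses toy textbook RSA with small fixed Mersenne primes (stand-ins for real OpenPGP keys, never for real use; `Keypair`, `sign`, `verify`, `encrypt_to`, the `IMPOSTOR` key and the sample request text are all assumptions) so that it runs on the Python standard library alone.

```python
import hashlib
from collections import namedtuple

Pub = namedtuple("Pub", "n e")
Keypair = namedtuple("Keypair", "pub d")

E = 65537


def keypair(p, q):
    """Textbook RSA from two fixed primes: no padding, toy sizes, illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return Keypair(Pub(n, E), pow(E, -1, phi))


# Fixed Mersenne primes (2^k - 1 for these k is prime) so the example is deterministic
# and needs no key generation. Real keys are far larger; these factor instantly.
M = {k: (1 << k) - 1 for k in (19, 31, 61, 89, 107, 127)}
BUYER = keypair(M[127], M[89])
VENDOR = keypair(M[107], M[61])
IMPOSTOR = keypair(M[31], M[19])   # has everyone's public keys, nobody's private key


def _digest(msg, n):
    """SHA-256 of the message reduced into the modulus (toy: no real hash padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(kp, msg):
    """Only the holder of the private exponent d can produce this value."""
    return pow(_digest(msg, kp.pub.n), kp.d, kp.pub.n)


def verify(pub, msg, sig):
    """Anyone with the pinned public key can check a signature against the message."""
    return pow(sig, pub.e, pub.n) == _digest(msg, pub.n)


def encrypt_to(pub, msg):
    """Anyone holding the recipient's public key can encrypt to them."""
    m = int.from_bytes(msg, "big")
    if m >= pub.n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, pub.e, pub.n)


def decrypt(kp, ct):
    """Recipient's private key recovers the message (assumes no leading zero bytes)."""
    m = pow(ct, kp.d, kp.pub.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def scenario():
    """Returns (impostor_can_encrypt, impostor_sig_verifies, vendor_sig_verifies)."""
    request = b"Please finalize early"      # constructed sample message
    # The impostor encrypts the request to the buyer; it decrypts fine, so
    # "it arrived encrypted" says nothing about who sent it.
    impostor_can_encrypt = decrypt(BUYER, encrypt_to(BUYER.pub, request)) == request
    # Only a signature that checks out against the vendor key saved earlier
    # ties the request to the vendor.
    impostor_sig = sign(IMPOSTOR, request)
    vendor_sig = sign(VENDOR, request)
    return (impostor_can_encrypt,
            verify(VENDOR.pub, request, impostor_sig),
            verify(VENDOR.pub, request, vendor_sig))


if __name__ == "__main__":
    print(scenario())   # (True, False, True)
```

The practical rule this encodes: keep a copy of each vendor's public key (or its fingerprint) taken before any incident, and treat an unsigned request, however it was delivered, as carrying no evidence of who wrote it.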
Title: Re: What is this SR Quick Buy?
Post by: Funbagz on December 18, 2012, 11:28 pm
nobody fell for it.... go check the blockchain of that address
there have been 0 transactions

<clearnet>http://blockchain.info/address/1X7ePX18AaiGVce7vc35JbK5XSx2XyWGQ</clearnet>
Title: Re: What is this SR Quick Buy?
Post by: miraex on December 18, 2012, 11:31 pm
right right... <sarcasm>
Title: Re: What is this SR Quick Buy?
Post by: h1n1z2 on December 18, 2012, 11:34 pm
First of all, whoever believes this quickbuy deserves to get scammed. It looks like it has been made in Paint, for crying out loud. If they aren't smart enough to realize it's a scam then they shouldn't even be using the website. Also, thank Jesus for encryption; I feel bad for those fuckers who don't encrypt their address.

SR needs to shut down temporarily; I can log in but it takes 15 minutes to load a full page.

I really cannot believe so many people think that just because you send your address in PGP format you are protected. You feel sorry for the people who don't use encryption? I feel sorry for you that you actually think a PGP-encrypted message being sent to a vendor protects you. How do you know the vendor is who he says he is and not LE?

Did you think that the authorities don't know what PGP key encryption is? Then you are just talking out your ass.

If the authorities bust the vendor, the first thing they're going to do is make him give up the PGP key, and at that point you're fucked.

This has happened before on Silk Road and it will happen again.

If you are looking for a more secure way to buy marijuana, and marijuana only, as this is the only connection I know of from this website who used to be a vendor here, the closest store, because of the lack of security with Silk Road,

PM ME

Will you ever fuck off with this shit? No one here is going to RING YOU on your burner, stop jamming up the threads
Title: Re: What is this SR Quick Buy?
Post by: ThePsych on December 18, 2012, 11:35 pm
There is a different address on each listing so the blockchain information shows nothing about the overall scam.
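Since people in the thread are pasting addresses from the images into blockchain.info one at a time, here is an added example (my own code, not the site's or the forum's) that checks an address offline first. A Bitcoin P2PKH address is Base58Check: one version byte, a 20-byte hash and a 4-byte double-SHA-256 checksum, so an address that was cut off or mis-copied from an image fails the length or checksum test before anyone looks it up. The address from Funbagz's post is used as sample input, with a copy missing its last character standing in for a cut-off one; the check says only whether the string is well-formed, nothing about who controls it or whether it has received coins.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s):
    """Base58 string -> bytes, keeping leading '1's as leading zero bytes."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base58 character %r" % ch)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw):
    """bytes -> Base58 string, keeping leading zero bytes as leading '1's."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def checksum(payload):
    """First four bytes of double SHA-256, as Base58Check uses."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_address(hash160, version=0x00):
    """Build a P2PKH address from a 20-byte hash (version 0x00 = mainnet)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def validate_address(addr):
    """Return (ok, reason). Catches typos, truncation and wrong length; not ownership."""
    try:
        raw = b58decode(addr)
    except ValueError as e:
        return False, str(e)
    if len(raw) != 25:
        return False, "decoded length %d, expected 25 (truncated or padded?)" % len(raw)
    payload, check = raw[:21], raw[21:]
    if checksum(payload) != check:
        return False, "checksum mismatch"
    return True, "version 0x%02x" % payload[0]


if __name__ == "__main__":
    # Address pasted in the thread, then the same string with the last character
    # dropped, standing in for an address cut off at the edge of an image.
    for a in ["1X7ePX18AaiGVce7vc35JbK5XSx2XyWGQ",
              "1X7ePX18AaiGVce7vc35JbK5XSx2XyWG"]:
        print(a, validate_address(a))
```

A truncated address usually decodes to the wrong length; when it happens to decode to 25 bytes, the checksum catches it with all but a one-in-2^32 chance. Note the alphabet deliberately omits 0, O, I and l, so an address read from a low-quality image containing one of those characters is rejected outright.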
Title: Re: What is this SR Quick Buy?
Post by: barmanon on December 18, 2012, 11:41 pm
Has anyone managed to deposit coins into SR today?

Also had trouble getting to the login page a few times; tried it a minute later and I didn't even need to log in, went straight to the home page, which is a bit concerning.
I've added and withdrawn funds today, and at least one was after this whole mess.  Seems consistent with others saying that accounts aren't in jeopardy, but until I can actually place an order, I moved them off the site and back into the wallet until further notice... worth the .01 in transfer fees for the peace of mind.
Title: Re: What is this SR Quick Buy?
Post by: chase0884 on December 18, 2012, 11:49 pm
I was able to deposit funds without any issue. I didn't know there was anything going on until after I got my BTC and started looking at what I wanted to order. Messaged a vendor asking what the Quick Buy deal was all about until I noticed it all over and found info here.

So no, it doesn't appear they have access to accounts. If they did, our money would be gone; they wouldn't be hoping people would randomly send to these addresses in the pictures. I'm sure some have, but hopefully they didn't make much off it.

Still bothered there has been no word from anyone of some power about this. I think it's because DPR is compromising someone's mother's vaginas as per another thread lol.
Title: Re: What is this SR Quick Buy?
Post by: thelorax on December 18, 2012, 11:55 pm
First of all, whoever believes this quickbuy deserves to get scammed. It looks like it has been made in Paint, for crying out loud. If they aren't smart enough to realize it's a scam then they shouldn't even be using the website. Also, thank Jesus for encryption; I feel bad for those fuckers who don't encrypt their address.

SR needs to shut down temporarily; I can log in but it takes 15 minutes to load a full page.

I really cannot believe so many people think that just because you send your address in PGP format you are protected. You feel sorry for the people who don't use encryption? I feel sorry for you that you actually think a PGP-encrypted message being sent to a vendor protects you. How do you know the vendor is who he says he is and not LE?

Did you think that the authorities don't know what PGP key encryption is? Then you are just talking out your ass.

If the authorities bust the vendor, the first thing they're going to do is make him give up the PGP key, and at that point you're fucked.

This has happened before on Silk Road and it will happen again.

If you are looking for a more secure way to buy marijuana, and marijuana only, as this is the only connection I know of from this website who used to be a vendor here, the closest store, because of the lack of security with Silk Road,

PM ME

Yeah, you're a jackass, dude. Fuck off the forums, you're annoying, you ain't shit, you think you know everything...

There is a risk with vendors not deleting their shit, but whatever, I'm taking that.
I only fuck with big-time vendors and I'm sure they don't have the computer where the drugs are.

And if they get busted, WTF makes you think they are gonna come after EVERY SINGLE BUYER? Are you retarded?

THEY ARE LOOKING FOR THE VENDOR. THEY BUST BUYERS TO GET TO VENDORS. YOU'RE A FOOL.

Sure they would look at it, but once the vendor is gone they have enough on their hands. Fuck off, loser.
Title: Re: What is this SR Quick Buy?
Post by: samesamebutdifferent on December 18, 2012, 11:57 pm
First of all, whoever believes this quickbuy deserves to get scammed. It looks like it has been made in Paint, for crying out loud. If they aren't smart enough to realize it's a scam then they shouldn't even be using the website. Also, thank Jesus for encryption; I feel bad for those fuckers who don't encrypt their address.

SR needs to shut down temporarily; I can log in but it takes 15 minutes to load a full page.

I really cannot believe so many people think that just because you send your address in PGP format you are protected. You feel sorry for the people who don't use encryption? I feel sorry for you that you actually think a PGP-encrypted message being sent to a vendor protects you. How do you know the vendor is who he says he is and not LE?

Did you think that the authorities don't know what PGP key encryption is? Then you are just talking out your ass.

If the authorities bust the vendor, the first thing they're going to do is make him give up the PGP key, and at that point you're fucked.

This has happened before on Silk Road and it will happen again.

If you are looking for a more secure way to buy marijuana, and marijuana only, as this is the only connection I know of from this website who used to be a vendor here, the closest store, because of the lack of security with Silk Road,

PM ME

Will you ever fuck off with this shit? No one here is going to RING YOU on your burner, stop jamming up the threads

If there is one plus side to these episodes it's the influx of 'experts' with their never ending diatribe of factual bullshit. Last time SR went we had mtljohn hogging the airwaves along with many other tin foil clad fucktards creating thread after thread re their assessment of things, I have to say it makes not being able to buy drugs online slightly more bearable but only for a day or two then it gets quite tiresome.

@420SLINGER you go son! keep up the predictions  8)

*please note hint of sarcasm*
Title: Re: What is this SR Quick Buy?
Post by: Tyl3rdurden on December 19, 2012, 12:21 am
I very much doubt LE committed what appears to be a minor security breach. I personally would rather some script kiddie fucked around with some pictures and the holes get fixed than the DEA exploiting them in other ways. This site is a new thing and, as somebody pointed out elsewhere, you can't just put out an ad for coders etc... I for one expect these issues, it's part and parcel of this game, but what we do NEED is updates. Updates reassure people that somebody is actually bothering to take care of things. We do not receive enough of these and this is a real issue atm, as an update takes a few minutes of somebody's time.
Title: Re: What is this SR Quick Buy?
Post by: Funbagz on December 19, 2012, 12:33 am
First of all, whoever believes this quickbuy deserves to get scammed. It looks like it has been made in Paint, for crying out loud. If they aren't smart enough to realize it's a scam then they shouldn't even be using the website. Also, thank Jesus for encryption; I feel bad for those fuckers who don't encrypt their address.

SR needs to shut down temporarily; I can log in but it takes 15 minutes to load a full page.

I really cannot believe so many people think that just because you send your address in PGP format you are protected. You feel sorry for the people who don't use encryption? I feel sorry for you that you actually think a PGP-encrypted message being sent to a vendor protects you. How do you know the vendor is who he says he is and not LE?

Did you think that the authorities don't know what PGP key encryption is? Then you are just talking out your ass.

If the authorities bust the vendor, the first thing they're going to do is make him give up the PGP key, and at that point you're fucked.

This has happened before on Silk Road and it will happen again.

If you are looking for a more secure way to buy marijuana, and marijuana only, as this is the only connection I know of from this website who used to be a vendor here, the closest store, because of the lack of security with Silk Road,

PM ME

Yeah, you're a jackass, dude. Fuck off the forums, you're annoying, you ain't shit, you think you know everything...

There is a risk with vendors not deleting their shit, but whatever, I'm taking that.
I only fuck with big-time vendors and I'm sure they don't have the computer where the drugs are.

And if they get busted, WTF makes you think they are gonna come after EVERY SINGLE BUYER? Are you retarded?

THEY ARE LOOKING FOR THE VENDOR. THEY BUST BUYERS TO GET TO VENDORS. YOU'RE A FOOL.

Sure they would look at it, but once the vendor is gone they have enough on their hands. Fuck off, loser.

You're right that they're not gonna track down every single buyer, but as we've already seen, any type of SR bust is publicized to the full extent.
They will be wanting to use scare tactics to discourage buyers.
Title: Re: What is this SR Quick Buy?
Post by: muckefuck on December 19, 2012, 12:40 am
I very much doubt LE committed what appears to be a minor security breach. I personally would rather some script kiddie fucked around with some pictures and the holes get fixed than the DEA exploiting them in other ways. This site is a new thing and, as somebody pointed out elsewhere, you can't just put out an ad for coders etc... I for one expect these issues, it's part and parcel of this game, but what we do NEED is updates. Updates reassure people that somebody is actually bothering to take care of things. We do not receive enough of these and this is a real issue atm, as an update takes a few minutes of somebody's time.

+1, uncommented
Title: Re: What is this SR Quick Buy?
Post by: danconia on December 19, 2012, 12:58 am
Well it doesn't seem like anyone's money has gone missing and some vendors' listings are working.  I am going to move back my BTC in the morning and put in an order in the morning if the shit hasn't hit the fan by the time I wake up.
Title: Re: What is this SR Quick Buy?
Post by: farmer1 on December 19, 2012, 01:55 am
I contacted vendor support about this 10 hours ago and 8 hours ago I received the response:
"we are looking into it.

~SR Support"

Very surprised to not have heard from any admins about this, or a warning on the SR itself. I took all my listings down 10 hours ago.
Title: Re: What is this SR Quick Buy?
Post by: PrincessHIGH on December 19, 2012, 02:18 am
Very surprised to not have heard from any admins about this, or a warning on the SR itself. I took all my listings down 10 hours ago.
Inigo has made a stickied thread 'DO NOT SEND COINS TO "SR QUICK BUY" ADDRESS' http://dkn255hz262ypmii.onion/index.php?topic=94412.0
Title: Re: What is this SR Quick Buy?
Post by: purest on December 19, 2012, 02:26 am
To our customers:

We were affected by this. It was a hack, as you realize if you're reading this. We have deleted the images, re-posting our clean versions. The hackers do not seem to have access to anything but the image files, and changes have been made, it appears, to allow shipping updates, which we've also fixed.

Please contact SR Support with any questions/concerns. We are unaware of anyone who fell for this, but if you did, there's nothing we can really do to help, unfortunately. Hope nobody got got!

Best,
Purest
Title: Re: What is this SR Quick Buy?
Post by: CalifornicationBuds on December 19, 2012, 02:40 am
My listings have been affected by this. I can confirm what was reported earlier; the altered images will return and shipping options will be deleted, even if the listings are manually fixed. I have been able to withdraw coins from the site still and I would ask that anyone who has an outstanding order with me, to finalize early. All placed orders have been sent and will be arriving within 2 days, but I would feel a little better not having money in escrow. It does take about 20-30 minutes for the listings to be corrupted and the site appears to be working normally, otherwise. If anyone is comfortable ordering, I will try to keep my listings clean, with shipping options. I will ask that you finalize early, but I will be able to get orders out before Thursday so they'll arrive by Saturday.

Lastly, I have total faith in the Dread Pirate Roberts and so should you. I could write several paragraphs on why that is, but will save you all the time. This is certainly disconcerting and a large nuisance, as well, but it could be far worse and I'm confident that DPR will come through.
Title: Re: What is this SR Quick Buy?
Post by: astor on December 19, 2012, 02:50 am
CalifornicationBuds, what if you post a listing with no image? Will the shipping options get changed?

Also, despite your unwavering faith in DPR's ability to fix this, I find it mildly disturbing that they've known about it apparently for at least 12 hours and haven't been able to remove the malicious code.
Title: Re: What is this SR Quick Buy?
Post by: CalifornicationBuds on December 19, 2012, 02:54 am
"CalifornicationBuds, what if you post a listing with no image? Will the shipping options get changed?"

That is a fine question. The image and shipping have actually not been changed since I last fixed them, which was about 25 minutes ago. I am going to leave them for now, in hopes that they remain as they should, but if it happens again, I will post a listing with no image and report back. I have a feeling the same thing would happen, or at the very least the shipping would still be deleted.
Title: Re: What is this SR Quick Buy?
Post by: astor on December 19, 2012, 02:56 am
Thanks, please update in this thread if you end up doing that.
Title: Re: What is this SR Quick Buy?
Post by: CalifornicationBuds on December 19, 2012, 02:57 am
"CalifornicationBuds, what if you post a listing with no image? Will the shipping options get changed?"

That is a fine question. The image and shipping have actually not been changed since I last fixed them, which was about 25 minutes ago. I am going to leave them for now, in hopes that they remain as they should, but if it happens again, I will post a listing with no image and report back. I have a feeling the same thing would happen, or at the very least the shipping would still be deleted.

Well, there it goes, not 3 minutes after I posted that. I will create a test listing now and report back with any useful info.
Title: Re: What is this SR Quick Buy?
Post by: pPharm on December 19, 2012, 03:13 am
Even if it's a listing w/no picture they can change it. I had a listing w/o one so they put up an image of some molecule with the quickbuy attached.
Title: Re: What is this SR Quick Buy?
Post by: astor on December 19, 2012, 03:20 am
Ain't that a bitch. :(
Title: Re: What is this SR Quick Buy?
Post by: redalloverthelandguyhere on December 19, 2012, 03:32 am
Fuck me - got a call out - bribed with a cash incentive and a day off on pay, so I'm in work of all places and with a tech guru who also partakes in the delights of SR. He basically hoovered up some yayo I got off here, swore it was the best since business in Mexico! He will share his with me - just offered, but I don't do coke in work. He does, and has, so it's a bit of a party here!

Anyway, to this hack.

I'm a learner, know a few codes and understand how these sql injection attacks work on a basic level.

We have decided that this was on the cards. SR, no matter how good it is, faces some VERY clever hackers and it's all over the world now! The Russians used to take Windows apart whilst we simply just used it. They looked under the engine, as did China. We even have kids who can, by means of downloading a few kits, get up to chaos!

But this is not kids. Nor is it LEA but it could be security services, having a work out or using that old excuse 'related to terror funding'. I would imagine any of the main nations have people who could get into SR because whilst SR might be built and maintained by a team of maybe half a dozen, the states have thousands of programmers and dozens of almost genius level coders.

My guess is that this is just a gang of hackers who have several operations on the go always, and SR has been studied for weaknesses and even simulated so the hackers can get in, grab the coin, and move out before the site had to be closed for maintenance.

Russians, Israelis, Europeans, Americans, anyone can be a suspect. They know they are hitting a site which cannot ask the police to help and therefore its not even high risk! In fact, every hacker who buys drugs off here will have studied the code. We studied it, not to hack, just to see how safe things were. So far, given its status, SR support staff have been brilliant.

I knew we would see some people lose coin this Christmas, mainly with the usual vendor seeing too much money given to him/her by strangers! Christmas last rush buys!

I am afraid some people will have gone for this easy buy option, sadly, SR can do nothing there. We all know that buying here is a risk anyhow. But, if the hack does develop into milking the actual funds here, and not just using the bait of no postage option and a 'Quick Buy' offer, then moving funds out is a good idea!

I have advised people I know to not move out and am messaging a few less than tech savvy buddies to watch out for this quick buy!

I know people who would certainly assume the quick buy is a legit SR function. Anyone new here will not know about how to order. The hack might be just to milk a few hundred/thousand out of new buyers here or old ones desperate to grab that last minute present for someone!!!

I had a vendor message me and ask for me to FE. I NEVER FE, but given the situation, I decided I will FE if the vendor sends an encrypted message. The message to pay may be the next stage in the hack - so if the vendor sends me an encrypted request, I know it's not the hackers! They may be good but no way can they grab the private key needed to create a message from specific vendors.

Just in case the message is a hack, here is what it says........

_____________start of message____________________

"dear customer.

due to the current problems with sr, I have to ask for FE.
You can be sure, your order arrives safely. It is already packed and was already on the way to the postbox.
But. there was a hack to sr which is not so big, but still, its a hack. you can read more: (http://dkn255hz262ypmii.onion/index.php?topic=94315)

Dont worry, your order is already processed, as I said. But I do worry about the payment which is held in escrow on sr. I don't want it to rest for days on sr now. please understand. I have many orders and that is much money.
So, I can only send your shipping, when you finalize early and I get my bitcoin "
___________________ End of message_______________________________________

Now, what strikes me as strange is the fact I ordered last night (Tuesday) and the message says my order is already packed and on the way to the postbox. Then it says "I can only send your shipping when you finalize early and I get my coin"

Does not make sense, unless my order is wrapped, addressed, (and it's tracked also, can you do that at night in Germany?) So - if I don't pay, then what? It's not posted? Wrapping taken off?

I want an encrypted message before I release funds. Maybe releasing funds is how the hack also works.

The vendor is atlas2012, fair trade hash. May be genuine, a message written in haste, and under the circumstances, I need a heart to heart with the tech guru who ordered way back for Christmas. Other people I know order now for Christmas! What is it with English people and the last minute buying of the Christmas and New Year stash? lol.

Anyhow, lets hope the SR team get on top of this. Sorry if I seem blase about this but I really hope the customers here are not seeing funds stolen.

Also, it would be foolish to order something right now as giving out your addy, during any hack, is unwise.

Good luck everyone, and looks like the SR tech team gonna earn their coin getting this one sorted out!

May be nothing, but would I leave thousands of dollars in a compromised site? No.

So, should I finalize? And if something is on the way to the post box, and someone is asking to pay before it's posted, is this actually showing a lack of social graces? Not sure right now - I'm not a vendor but I guess many might ask for finalize right now as if funds in escrow can be grabbed, that would see a LOT of coin go and a lot of people pissed off for Christmas!

I know a vendor here but he/she will be asleep. Not sure how they will deal with this.

On a bright note I'm on double time and got a bonus in my work but we sorted the problem in a few mins and are now talking about 'the SR hack' and have emailed a few people we know are naive enough to release funds to this 'quick buy'. We found some coffee and are currently smoking some hash. Still dark outside but we can see the distant glow of a major city.

Good luck all.

Hope my order gets through, I always have a fine selection of hash at Christmas, usually go to Holland and stuff an ounce, of bits and pieces of top hash and use stealth methods to bring it across the border.

Down my underpants.

 ;D

We only get fined if caught.

But now, we post and never lost anything also.

Going to Holland soon anyway, love the Grey Area unless they've gone commercial. Go to mostly Dutch and a few Moroccan cafes off the beaten track. All owned by someone called Mohammed! At least it's easy to remember the names of the cafe or shishka bars and cafes.

Hope nobody gets hit too hard.

In some ways, I admire the skills, but stealing off people, it's actually wrong and those trying to separate our coin from us all are not very nice people.

Will be on this first thing in the morning, we are calling it a day now but book in to 6.30am. Back up at 10am! Ah well, fuck it, this weekend I got some mdma and lsd. Cannot wait! Hope all is well with SR by tomorrow.

Red.
Title: Re: What is this SR Quick Buy?
Post by: CalifornicationBuds on December 19, 2012, 03:33 am
Private Listings seem to be unaffected by the hack and the site is working properly, other than the shipping and images. I still will ask for early finalization, just to be safe, but if you look at my vendor page, you'll feel very secure in doing that. As soon as the order is finalized, you can know that it will go out as soon as possible. Right now, as a test, I'll be offering 1/8 and 1/4 oz listings.

1/8
http://silkroadvb5piz3r.onion/silkroad/item/9ce7beec54

1/4
http://silkroadvb5piz3r.onion/silkroad/item/3a3068e01b

Lastly, I encourage people to stop freaking out. DPR is the man.
Title: Re: What is this SR Quick Buy?
Post by: atlas2012 on December 19, 2012, 03:48 am
_____________start of message____________________

"dear customer.

due to the current problems with sr, I have to ask for FE.
You can be sure, your order arrives safely. It is already packed and was already on the way to the postbox.
But. there was a hack to sr which is not so big, but still, its a hack. you can read more: (http://dkn255hz262ypmii.onion/index.php?topic=94315)

Dont worry, your order is already processed, as I said. But I do worry about the payment which is held in escrow on sr. I don't want it to rest for days on sr now. please understand. I have many orders and that is much money.
So, I can only send your shipping, when you finalize early and I get my bitcoin "
___________________ End of message_______________________________________



this is atlas2012,

I wrote this message to my clients who ordered today.
Your shipping was already processed, and in my to-go-bag. Then I discovered the hack and decided not to send all orders without fe.
And yes, it's already wrapped. and if no fe, I would have to unwrap it...

I have so many coins in escrow, that I cannot risk any more.
If sr gets hacked completely, all my winnings would be lost, and my serious work here would be for nothing.

please understand my point. for you as customer, its only about one order.
we as vendors have many many orders in escrow and are much more concerned about the safety-status of sr than you can possibly imagine.

but I am sorry for irritating you with that message.

check out my reviews and forum. I will not rip anyone. not my style.
peace and love to the sr stuff,
may the force be with you.
Title: Re: What is this SR Quick Buy?
Post by: Krazys on December 19, 2012, 03:57 am
Very strange, I don't think anybody on here is stupid enough to make that mistake..
Dear sir, never underestimate the power of stoopid!
Title: Re: What is this SR Quick Buy?
Post by: Wadozo on December 19, 2012, 04:03 am
_____________start of message____________________

"dear customer.

due to the current problems with sr, I have to ask for FE.
You can be sure, your order arrives safely. It is already packed and was already on the way to the postbox.
But. there was a hack to sr which is not so big, but still, its a hack. you can read more: (http://dkn255hz262ypmii.onion/index.php?topic=94315)

Dont worry, your order is already processed, as I said. But I do worry about the payment which is held in escrow on sr. I don't want it to rest for days on sr now. please understand. I have many orders and that is much money.
So, I can only send your shipping, when you finalize early and I get my bitcoin "
___________________ End of message_______________________________________



this is atlas2012,

I wrote this message to my clients who ordered today.
Your shipping was already processed, and in my to-go-bag. Then I discovered the hack and decided not to send all orders without fe.
And yes, it's already wrapped. and if no fe, I would have to unwrap it...

I have so many coins in escrow, that I cannot risk any more.
If sr gets hacked completely, all my winnings would be lost, and my serious work here would be for nothing.

please understand my point. for you as customer, its only about one order.
we as vendors have many many orders in escrow and are much more concerned about the safety-status of sr than you can possibly imagine.

but I am sorry for irritating you with that message.

check out my reviews and forum. I will not rip anyone. not my style.
peace and love to the sr stuff,
may the force be with you.

Why not just move your coins to a wallet on your P.C.? I would never leave my coins sitting in my SR wallet, in case anything ever happens. I only transfer coins to my SR wallet when making a purchase.
Title: Re: What is this SR Quick Buy?
Post by: atlas2012 on December 19, 2012, 04:09 am
Why not just move your coins to a wallet on your P.C.? I would never leave my coins sitting in my SR wallet, in case anything ever happens. I only transfer coins to my SR wallet when making a purchase.

I am talking about the coins which are in escrow until the customer "finalises" his order.
these coins cannot be transferred to another wallet (until finalise).
Title: Re: What is this SR Quick Buy?
Post by: Wadozo on December 19, 2012, 04:17 am
Why not just move your coins to a wallet on your P.C.? I would never leave my coins sitting in my SR wallet, in case anything ever happens. I only transfer coins to my SR wallet when making a purchase.

I am talking about the coins which are in escrow until the customer "finalises" his order.
these coins cannot be transferred to another wallet (until finalise).

Ooops!!  Sorry about that.  :)
Title: Re: What is this SR Quick Buy?
Post by: GlassHouse on December 19, 2012, 04:35 am
We have had two pictures compromised and had to re-add shipping options three times now.  Other than wait and see, any other suggestions on how to avoid this issue?
Title: Re: What is this SR Quick Buy?
Post by: bigpapa24 on December 19, 2012, 04:41 am
Does this quick-buy have any effect on the security of my order? I was just about to place an order, does anyone know if it's safe?
Title: Re: What is this SR Quick Buy?
Post by: CalifornicationBuds on December 19, 2012, 04:42 am
We have had two pictures compromised and had to re-add shipping options three times now.  Other than wait and see, any other suggestions on how to avoid this issue?

I can confirm that private listings do not work. The only other way that I can see would be to send the coins directly, via user name or btc address and send the address as a message. At this point, btc address would be much safer. This is against site rules and would normally get you banned, but I doubt that DPR would ban anyone who did that during this time. Obviously, it's also risky for buyers, but that risk would be up to them.
Title: Re: What is this SR Quick Buy?
Post by: MaebyFunke on December 19, 2012, 04:43 am
I just wanted to say that I deposited money into SR today and it took 1.5 hours to get from instawallet to SR (which is the usual amount it takes for me to get a deposit on SR), so no worries there. I just placed an order and had no problems. I wouldn't panic and start cancelling orders and withdrawing all your BTC just yet. Everything seems fine. The vendor I just bought from had their most popular listings compromised by the hackers watermark (and the shipping options disappeared), but either they or the SR admins fixed something, because the shipping options reappeared and the watermark disappeared and I was able to order like normal.
Title: Re: What is this SR Quick Buy?
Post by: Fuck DPR on December 19, 2012, 04:43 am
Does this quick-buy have any effect on the security of my order? I was just about to place an order, does anyone know if it's safe?

haha let us know how it goes!
Title: Re: What is this SR Quick Buy?
Post by: NorthWestDirect on December 19, 2012, 04:48 am
Just noticed this on a few of our listings, reloading images, and updating postage options.

We will see how long it stays. This pisses me off, some peoples kids....

Cheers,

NWD
Title: Re: What is this SR Quick Buy?
Post by: MaebyFunke on December 19, 2012, 04:49 am
Does this quick-buy have any effect on the security of my order? I was just about to place an order, does anyone know if it's safe?

haha let us know how it goes!

I have a theory that "Fuck DPR" is some fat 16 year old kid who tried to order off of SR but his mom opened his mail and grounded him. He got angry at the vendor for not giving him a refund afterwards, and now spends his days on the computer in the basement, hating on SR and eating Doritos.
Title: Re: What is this SR Quick Buy?
Post by: GlassHouse on December 19, 2012, 05:09 am
We went ahead and added additional listings without pictures - maybe that will work until the problem is resolved completely.  We have been able to get orders, but keep having to add the postage options back on.  If any of our clients are concerned that their order may not have been received, PM us and we will let you know. 
Title: Re: What is this SR Quick Buy?
Post by: rtshredder on December 19, 2012, 05:33 am
This sounds like a mass assignment attack, rather than SQL injection, IMO. The attacker could simply have an item of their own with zero postage options, then change the victim's item's foreign key to point to his own postage options, all by simply changing the POST params.
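The pattern rtshredder describes, as an added illustration that is not code from this thread and has nothing to do with Silk Road's actual code base: a listing-update handler that copies every submitted field onto the row (mass assignment, including the postage foreign key and without an ownership check) next to a hardened version that allowlists the editable fields and only accepts a postage set owned by the vendor making the request. The item names, vendor names and the in-memory "database" are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Item:
    id: str
    owner: str
    title: str
    image: str
    postage_set_id: str  # foreign key to a PostageSet row


@dataclass
class PostageSet:
    id: str
    owner: str
    options: list


def sample_db():
    """Constructed sample rows: vendor_a's listing has two postage options,
    vendor_b's own postage set is empty (the 'zero postage options' item)."""
    return {
        "items": {
            "victim-item": Item("victim-item", "vendor_a", "Widget", "widget.jpg", "ps-a"),
            "bait-item": Item("bait-item", "vendor_b", "Bait", "bait.jpg", "ps-b"),
        },
        "postage_sets": {
            "ps-a": PostageSet("ps-a", "vendor_a", ["Express", "Standard"]),
            "ps-b": PostageSet("ps-b", "vendor_b", []),
        },
    }


def update_item_vulnerable(db, actor, item_id, params):
    """Mass assignment: every POST parameter that matches a column is written
    to the row. Neither the caller's ownership of the item nor the ownership
    of the referenced postage set is checked, so a foreign key can be pointed
    at another vendor's (empty) postage set."""
    item = db["items"][item_id]
    for key, value in params.items():
        if hasattr(item, key):
            setattr(item, key, value)
    return item


class Rejected(Exception):
    """Raised when a request is refused; the message is what you would log."""


EDITABLE = {"title", "image"}  # columns a vendor may set directly


def update_item_hardened(db, actor, item_id, params):
    """Allowlist the writable columns, require the caller to own the item, and
    resolve the postage foreign key only to a set the same vendor owns."""
    item = db["items"][item_id]
    if item.owner != actor:
        raise Rejected("caller does not own this item")
    unexpected = set(params) - EDITABLE - {"postage_set_id"}
    if unexpected:
        raise Rejected(f"unexpected fields in request: {sorted(unexpected)}")
    if "postage_set_id" in params:
        ps = db["postage_sets"].get(params["postage_set_id"])
        if ps is None or ps.owner != actor:
            raise Rejected("postage set does not belong to this vendor")
        item.postage_set_id = ps.id
    for key in EDITABLE & set(params):
        setattr(item, key, params[key])
    return item


def options_for(db, item_id):
    """The postage options a buyer would see on the listing page."""
    item = db["items"][item_id]
    return db["postage_sets"][item.postage_set_id].options


if __name__ == "__main__":
    tampered = {"image": "quickbuy.jpg", "postage_set_id": "ps-b"}
    db = sample_db()
    update_item_vulnerable(db, "vendor_b", "victim-item", tampered)
    print("vulnerable handler, options now:", options_for(db, "victim-item"))
    db = sample_db()
    try:
        update_item_hardened(db, "vendor_b", "victim-item", tampered)
    except Rejected as why:
        print("hardened handler refused:", why)
    print("hardened handler, options still:", options_for(db, "victim-item"))
```

The two checks are independent: the ownership test on the item stops a stranger editing the listing at all, and the ownership test on the referenced postage set stops the item's own vendor (or anyone who obtains their session) from being tricked into linking a foreign row. Logging the `Rejected` reasons is also the natural place to spot a run of requests carrying columns the form never sends.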
Title: Re: What is this SR Quick Buy?
Post by: NorthWestDirect on December 19, 2012, 06:52 am
DPR just chimed in with a thread: http://dkn255hz262ypmii.onion/index.php?topic=94596.msg669418#new

NWD