One of the most popular black marketplaces, the AlphaBay, is affected by a serious flaw that could expose the private messages of its users. One year ago the operators behind the black market launched a fully automatic credit card shop and enforced two-factor authentication for all its sellers.
Last week, AlphaBay launched an API that allows its users to pull details from their accounts without logging. Unfortunately, the mechanism was affected by a serious issue that allowed an attacker to obtain the private messages of any user.
The access to private messages could reveal sensitive information sales and negotiations conducted by users, in some cases might provide details for their identification.
The alarm was triggered by a user on Reddit that reported the dangerous bug, he also published several messages sent by AlphaBay users.
The new API feature allows to fully control their messages, check their balance, withdraw funds, and check their orders and sales.
The user also claimed to have had access to the physical address of same users from the messages because they hadn’t encrypted the messages.
“So I enabled the API and turns out when I query my messages I get someone else’s in return, mixed with my own messages,” stated the user.
“congrats for finding the messages bug. you can view messages of any user by just changing the message id. if they don’t fix this quick enough i could just scrape every PM” was the reply of another Reddit user.
“Only the minority of messages are encrypted with PGP. This is the reason you ALWAYS encrypt all comms with a vendor, because of stuff like this,” aboutthednm wrote, adding that he had also seen moderator communications.
In order to access the messages the attacker has to enable API on his account, use the API to retrieve the PrivateMessaage and simply change the message id, as reported below:
Fetch conversations, or other profile info, for example pic.twitter.com/SDNKsTWZX5
— Joseph Cox (@josephfcox) 26 aprile 2016
The Reddit user alphabaysupport confirmed the existence of the security issue and user that has discovered the bug will be awarded for its discovery.
“Sorry to break the party, the vulnerability has been patched. Only conversations from 1 to 13,500 (out of 1,067,682) were read, which is around 1.5%, and were all over a year old,” the account wrote. “This was indeed a serious problem, but got caught on time.” (Some message IDs in the screenshots posted by aboutthednm go far beyond that number, such as 77,232, and the user said that message ID 1,067,440 was the latest that they got to download.)”
Joseph Cox from MotherBoard obtained further information from an AlphaBay manager on encrypted chat. The manager of the black market confirmed that a single API key was used to scrape the data. Likely only 1 or 2 people have accessed the data.
The manager explained that only old messages were accessed by the people. Others are concerned that law enforcement may have quickly exploited the vulnerability to access a wealth of messages.
What about the law enforcement has exploited the bug?
(Security Affairs – AlphaBay, Dark Web)