Reddit user /u/t0mcheck publicly disclosed “crippling” vulnerabilities in two darknet markets: DHL and Sourcery Market. As usual, the posts triggered heated exchanges between users and moderators. Eventually the discussion centered on DHL. According to a DHL representative, the vulnerability was not new to marketplace staff; they had known about it for two years. Now both marketplaces, DHL and Sourcery Market, have vanished.
Either may come back, but Reddit users called it an exit scam. “Yeah, I don’t think we’ll see them around anymore,” one user wrote.
As of August 5, the two stickied posts in that subreddit are market warnings. One post is the vulnerability disclosure of both marketplaces. The second, though, is a post titled “DHL Market – Current problems – Consider avoiding right now.” The vulnerabilities were serious enough to warrant the removal of the formerly stickied post about a significant number of Dream vendor accounts that the Dutch National Police controlled.
The Reddit user behind the disclosures claimed the DHL vulnerabilities took only 60 minutes to find. In the Gist, he published three major issues.
- Vulnerability 1: Reflected XSS in Main Search
  - “XSS in main search field. Does not filter any characters”
- Vulnerability 2: Persistent XSS in PGP Key Upload
- Vulnerability 3: Persistent XSS in Support Forum
  - “While reporting the last two bugs to support I noticed that pasting in the vulnerable code triggered an XSS in the support forum.”
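All three issues share one root cause: user-supplied text is written into HTML without output encoding, once from the search query (reflected) and twice from stored fields (persistent). The following is an added illustration written for this article, not code from the Gist or from DHL; it uses a constructed probe string and an in-memory profile store, and shows a vulnerable renderer next to its encoded counterpart for both the reflected and the stored case.

```python
import html

# Constructed sample input (not from the disclosure): a harmless probe of the
# kind a tester submits to see whether a page echoes markup back unencoded.
PROBE = '<script>alert("xss")</script>'


def render_search_vulnerable(query: str) -> str:
    """Reflects the query straight into the page. This is the defect the
    disclosure describes for the main search field ("does not filter any
    characters"): whatever the user typed becomes part of the HTML."""
    return f"<h2>Results for: {query}</h2>"


def render_search_safe(query: str) -> str:
    """Same page, with the query HTML-encoded at the point of output.
    quote=True also encodes quotes, so the value is safe inside attributes."""
    return f"<h2>Results for: {html.escape(query, quote=True)}</h2>"


# In-memory stand-in for the market's profile table (assumption: the real
# site stores the uploaded key and re-renders it on the profile page).
PROFILES: dict[str, str] = {}


def save_pgp_key(user: str, key: str) -> None:
    PROFILES[user] = key


def render_profile_vulnerable(user: str) -> str:
    """Persistent variant: the stored key is rendered unencoded, so a
    malicious upload fires for every visitor of the profile page."""
    return f"<pre>{PROFILES[user]}</pre>"


def render_profile_safe(user: str) -> str:
    """Encoding on output neutralises whatever was stored."""
    return f"<pre>{html.escape(PROFILES[user], quote=True)}</pre>"


def looks_like_pgp_block(key: str) -> bool:
    """Defence in depth for the upload form: only accept ASCII-armored public
    key blocks. Validation narrows what gets stored; output encoding is still
    what actually prevents the persistent XSS."""
    body = key.strip()
    return (body.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----")
            and body.endswith("-----END PGP PUBLIC KEY BLOCK-----"))


def reflects_markup(rendered: str, probe: str) -> bool:
    """Simple check a tester or a regression test can run: does the probe
    survive verbatim in the rendered page?"""
    return probe in rendered


if __name__ == "__main__":
    save_pgp_key("alice", PROBE)
    for name, page in [("search (vulnerable)", render_search_vulnerable(PROBE)),
                       ("search (safe)", render_search_safe(PROBE)),
                       ("profile (vulnerable)", render_profile_vulnerable("alice")),
                       ("profile (safe)", render_profile_safe("alice"))]:
        print(f"{name:22s} reflects markup: {reflects_markup(page, PROBE)}")
```

The `reflects_markup` check is the same test the Reddit poster effectively ran by hand; wiring it into a test suite for every field that ends up in a page is how a site catches the third case above (the support forum) before a user does.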
The cross-site scripting in the main search drew attention, especially from the DHL “hidden moderator” account. The mod, under the handle “DHL-3,” pointed out that an entity had already created a forum post regarding the XSS vulnerability. The Reddit users exchanged words, another penetration tester verified the XSS vulnerabilities, and then t0mcheck dropped another surprise on the subreddit.
In “DHL Market Security Part 2,” t0mcheck expressed a new level of discontent with DHL admins and the subreddit moderators. “[We] are now disclosing that the market contains a very simple bug that allows anybody to read any message on the site. [Gist link…],” the user wrote.
“The administrators of DHL have not replied to any of our previous reports nor messages and it has been over 48 hours,” the entity wrote. “One more note – we are not going to put up with shit from admins, paid spokespeople or shill moderators any longer.”
In the Gist, the “watchful community member” outlined the process required to read any message on the site. At roughly the same time, a clearnet I.P. address hosting DHL surfaced. Connecting to the site through that I.P. address allowed users to log into DHL. Oddly, some users could change their passwords on the DHL forums via the official hidden service and then still use their old passwords to log into the marketplace via the clearnet server.
In the recent past, a hacker known as “Cipher0007” demolished Sanctuary Market, shutting it down prior to a true launch. The market was beyond repair, the hacker explained. A moderator of the darknetmarkets subreddit banned an account claiming to be Cipher0007 for posting “fake” I.P. addresses.
A post later appeared on the DHL forums that confirmed the I.P. leak as legitimate. The announcement reported “good” news: that DHL admins were about to launch a new version of the marketplace. The I.P. address was a test server for DHL admins, SeriousSam wrote in the forum post.
The announcement is as follows:
“A few more hours and we [will] have an answer to everything in its entirety. But we also have very good news. We are deploying the new market where everything is fixed earlier than we wanted, e.g. not feature complete. But what can we do 😦 The IP leak is true. That was one of our test servers. But we killed everything already and besides some fresh loaded but now worthless virtual credit cards nothing is left 😦 Apparently we had a traitor in our midst. The person doing various tests for us after each new version. Looks like he sold this info to the highest bidder. But encryption worked. Manual and automatic. Our system does not allow for any code changes inside read-only containers besides a signed push from our servers.
But yeah, we fucked up here. Gotta admit that for sure. But we’ll make very good on this within 24 hours, I hope.
EDIT: Support will fix issues soon again. And we are waiting for a fresh btchost to complete syncing before we process payments again. But that should be only max 10-12 hours. Usually we have emergency machines around but we decided to burn everything for the redeployment.” – SeriousSam