The vulnerability has since been patched

Jan 25, 2017 11:23 GMT

AlphaBay, one of the largest Dark Web marketplaces, had one big security issue, allowing hackers to view private conversations.

One researcher disclosed the existence of this particular vulnerability after testing it and finding that he could steal over 200,000 private messages exchanged between users and sellers. AlphaBay patched the flaw, and the researcher was rewarded for choosing to disclose the problem.

Reddit user Cipher0007 warned AlphaBay admins about the flaw, but his tickets went ignored for a while. He then demonstrated his findings to the DarkNetMarkets moderators on Reddit, claiming that he had written a bot which helped him collect the messages mentioned above.

AlphaBay eventually took notice of the researcher, patched the vulnerability and paid Cipher0007, and then issued an explanation. According to the marketplace, the PMs that were obtained were no older than 30 days, since messages older than that are automatically purged. The attacker, they said, also obtained the list of user IDs and usernames, but nothing more: no passwords, BTC addresses or order information.

As if to contradict the AlphaBay admins, screenshots posted by Cipher0007 expose private messages containing sensitive information, including first and last names, nicknames, addresses, package tracking numbers and so on: everything that had not been protected with PGP encryption. That is a lot more than AlphaBay admitted to.

Marketplace to members: Encrypt your messages

AlphaBay's position is that nothing bad happened this time, because the person who found the vulnerability was a researcher, but that users should still remember to always encrypt their sensitive information, for obvious reasons. The marketplace claims to have done its best to make the website as safe as possible, but given its profile, it is bound to attract hackers and penetration testers.

The darknet marketplace has been around since 2014 and has since grown into one of the largest in the world. It allows users to buy and sell various types of items, mostly the kind you won't see on Amazon: stolen personal information, payment card data, and so on.

Law enforcement has been targeting AlphaBay customers for a long time; one vendor even ended up in jail for selling stolen information. This is not uncommon: law enforcement agencies around the world have been working to take down such marketplaces for many years, but catching sellers and buyers is a lot more difficult given the anonymity that comes with the dark web.

Information like that obtained by Cipher0007 would have been a goldmine for the police.