Bitcoin Forum

Other => Off-topic => Topic started by: Spekulatius on December 19, 2012, 03:56:41 AM



Title: Silk Road compromised?
Post by: Spekulatius on December 19, 2012, 03:56:41 AM
Looks like SR has been partially compromised by means of SQL injection. Damage limited so far, but who knows what's next!
http://www.reddit.com/r/SilkRoad/comments/151sok/sr_quick_buy_is_a_scam/

Thoughts, updates?


Title: Re: Silk Road compromised?
Post by: rat on December 19, 2012, 05:10:40 AM


the future of silk road

will soon possess

bigger problems than that.


Title: Re: Silk Road compromised?
Post by: adamstgBit on December 19, 2012, 05:14:48 AM
It's hard to believe SR did not protect its database from SQL injection...

my guess is some silly JavaScript or CSS trickery.

not a major problem... and not hard to solve.


Title: Re: Silk Road compromised?
Post by: MPOE-PR on December 19, 2012, 08:27:50 AM
Message from Dread Pirate Roberts (owner):

Quote
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey gang,

I'm aware of the image hack that has taken place and am working with my team to fix the issue.  Whoever was able to pull it off was is very skilled and clever.  Hopefully no one has fallen for it and sent money to any of these mystery addresses in the images.  So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.

I have switched the default view for all accounts to "incognito" so images won't show up.  Also, it is looking like we will most likely lose the defaced images, so those will need to be re-uploaded.

I'm terribly sorry for the trouble this is causing, and we will get it cleaned up asap.

- -DPR

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJQ0V3+AAoJEAIiQjtnt/ol61wIAJgLMU7G9afQIPcEP11QQUfu
nvYAnM+BGsh6U/I65r5p7WzoLlIWTl+1mRIg3YNXMT/6UTphOMFKOv6/XXJig5o/
edja/1+5UJhLeOpXNuDlJDrLJqFGqGKu/swIn0rT2AmmxrgBcXYX+QUnoEZ4lJct
qMcKVX/j6PnWoT62RfmS5cirvbR7R6DB/ahzaVlihjx+XYzw5PiSmPthivQlUiLB
9XWibiO73kxq2cw/+hVvnhHFKbME1Ima1Q/JVX0knY+oAXIW0jeTrg7irDlg7ObL
Xn/w8WJ4GQ+qUkKn/jaY8Im3sFWLXDzWgC+VAAhmatEn49eSraVFA7kVX91tF6Q=
=LZjl
-----END PGP SIGNATURE-----

It was SQL injection. The attacker was able to change product images, so he added a "Quick Buy" option onto the images which included a BTC address to pay on it. He also removed the shipping options so that it was impossible to place an order. It doesn't look like anybody fell for it & the hack didn't affect most of the product listings; they do, however, not have backups of the original images, so these will have to be re-uploaded by the vendors.

Does this mean they have/had no backups of the site? If I "very skillfully and cleverly" hack their db and overwrite balances instead of images will they say "also, it is looking like we will most likely lose the defaced balances, so those will need to be re-deposited."?


Title: Re: Silk Road compromised?
Post by: Blazr on December 19, 2012, 08:34:48 AM
Does this mean they have/had no backups of the site? If I "very skillfully and cleverly" hack their db and overwrite balances instead of images will they say "also, it is looking like we will most likely lose the defaced balances, so those will need to be re-deposited."?

No, of course they have backups of the site & the DB was never compromised.

SR uses a very neat way of displaying the product images on their site, so as to reduce the number of requests the browser has to send over TOR due to the high latency. I'm guessing this is the reason the hacker was able to deface the images & also the reason they didn't have any backups of them.

It sounds like the plan now is to crop out the QuickBuy from the images & use them, after they fix the vulnerability obviously. Should be OK for most of the images; sellers can always fix it anyway by re-uploading.

The whole thing has made users extremely paranoid, as a few SR moderators also haven't been heard from in a few weeks now & there is a rumour of a bust happening soon; a lot of sellers are packing up shop & leaving the site.


Title: Re: Silk Road compromised?
Post by: Spekulatius on December 19, 2012, 12:36:41 PM
I thought they were experiencing downtime lately due to more traffic than they can handle (too lazy to fetch the announcement right now).
It seems they are prospering nevertheless.


Title: Re: Silk Road compromised?
Post by: adamstgBit on December 19, 2012, 04:47:41 PM
Message from Dread Pirate Roberts (owner):

Quote
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey gang,

I'm aware of the image hack that has taken place and am working with my team to fix the issue.  Whoever was able to pull it off was is very skilled and clever.  Hopefully no one has fallen for it and sent money to any of these mystery addresses in the images.  So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.

I have switched the default view for all accounts to "incognito" so images won't show up.  Also, it is looking like we will most likely lose the defaced images, so those will need to be re-uploaded.

I'm terribly sorry for the trouble this is causing, and we will get it cleaned up asap.

- -DPR

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJQ0V3+AAoJEAIiQjtnt/ol61wIAJgLMU7G9afQIPcEP11QQUfu
nvYAnM+BGsh6U/I65r5p7WzoLlIWTl+1mRIg3YNXMT/6UTphOMFKOv6/XXJig5o/
edja/1+5UJhLeOpXNuDlJDrLJqFGqGKu/swIn0rT2AmmxrgBcXYX+QUnoEZ4lJct
qMcKVX/j6PnWoT62RfmS5cirvbR7R6DB/ahzaVlihjx+XYzw5PiSmPthivQlUiLB
9XWibiO73kxq2cw/+hVvnhHFKbME1Ima1Q/JVX0knY+oAXIW0jeTrg7irDlg7ObL
Xn/w8WJ4GQ+qUkKn/jaY8Im3sFWLXDzWgC+VAAhmatEn49eSraVFA7kVX91tF6Q=
=LZjl
-----END PGP SIGNATURE-----

It was SQL injection. The attacker was able to change product images, so he added a "Quick Buy" option onto the images which included a BTC address to pay on it. He also removed the shipping options so that it was impossible to place an order. It doesn't look like anybody fell for it & the hack didn't affect most of the product listings; they do, however, not have backups of the original images, so these will have to be re-uploaded by the vendors.

if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.


Title: Re: Silk Road compromised?
Post by: Raoul Duke on December 19, 2012, 05:24:42 PM
Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.


Title: Re: Silk Road compromised?
Post by: adamstgBit on December 19, 2012, 05:41:59 PM
Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.

well they use some trick to have the images not dwl from TOR, no?
the hacker took advantage of this system, maybe.

Quote
So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.

how can they say that if they suspect SQL injection?


Title: Re: Silk Road compromised?
Post by: Raoul Duke on December 19, 2012, 05:57:09 PM
Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.

well they use some trick to have the images not dwl from TOR, no?
the hacker took advantage of this system, maybe.

No, they do get downloaded, at least their base64 binary data does, but they get the whole page in only 1 request to the DB and it can be sent to the browser in 1 operation, which saves a lot of time.


Title: Re: Silk Road compromised?
Post by: MPOE-PR on December 19, 2012, 06:30:58 PM
Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.

Heh very weird, MPEx graphs are pushed the same way. I guess my original question stands.


Title: Re: Silk Road compromised?
Post by: DarkHyudrA on December 19, 2012, 07:00:40 PM
if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?


Title: Re: Silk Road compromised?
Post by: cedivad on December 19, 2012, 10:18:44 PM
if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?
Why not?
(Because innodb has per row access control?)


Title: Re: Silk Road compromised?
Post by: adamstgBit on December 20, 2012, 01:16:57 AM
if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?
as I understand it... if you find some user input that isn't SQL injection protected, you can perform any SQL query you want.


Title: Re: Silk Road compromised?
Post by: 01BTC10 on December 20, 2012, 01:53:23 AM
if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?
as I understand it... if you find some user input that isn't SQL injection protected, you can perform any SQL query you want.
Not all users should have admin privilege to the database.

http://msdn.microsoft.com/en-us/library/ms189121.aspx


Title: Re: Silk Road compromised?
Post by: yogi on December 20, 2012, 02:40:57 AM
I once thought about changing my middle name to '") DROP TABLE *'.


Title: Re: Silk Road compromised?
Post by: MPOE-PR on December 20, 2012, 09:33:17 AM
I once thought about changing my middle name to '") DROP TABLE *'.

XKCD did it.

So is the hacker offering the SilkRoad userdb on SilkRoad?


Title: Re: Silk Road compromised?
Post by: DarkHyudrA on December 20, 2012, 10:00:45 AM
if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?
as I understand it... if you find some user input that isn't SQL injection protected, you can perform any SQL query you want.
Not all users should have admin privilege to the database.

http://msdn.microsoft.com/en-us/library/ms189121.aspx

Exactly, and sometimes an SQL injection doesn't mean the whole database; sometimes it's just an IN instruction that was compromised (to me it's the most common case, even I use it on local software). I mean "SELECT * FROM TABLE WHERE HANDLE IN(" + TextCommaSeparated + ");".
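
The IN-list concatenation quoted just above, and the earlier point that the application's database account should not have admin rights, worked through in one added example (this is the editor's code, not Silk Road's and not anything posted in this thread). It assumes a made-up two-table schema (product and account), runs on an in-memory SQLite database, and uses SQLite's authorizer hook to stand in for the GRANTs a real server database would use, since SQLite has no user accounts of its own:

```python
import sqlite3

# Constructed sample schema (not Silk Road's): a product catalogue the web
# front end must read, and an account table it has no business reading.
SCHEMA = """
CREATE TABLE product (handle TEXT PRIMARY KEY, title TEXT, image_b64 TEXT);
CREATE TABLE account (username TEXT PRIMARY KEY, balance_btc REAL);
INSERT INTO product VALUES ('p1', 'Widget',    'iVBORw0KGgo=');
INSERT INTO product VALUES ('p2', 'Gadget',    'R0lGODlhAQAB');
INSERT INTO product VALUES ('p3', 'Doohickey', '/9j/4AAQSkZJ');
INSERT INTO account VALUES ('alice', 1.5);
INSERT INTO account VALUES ('bob',   0.25);
"""


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, text_comma_separated):
    """The pattern quoted in the thread: user text is pasted into IN (...).

    Whatever the caller supplies is compiled as SQL, so a value that closes
    the list and appends a condition changes what the query means.
    """
    sql = ("SELECT handle, title FROM product WHERE handle IN ("
           + text_comma_separated + ");")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, handles):
    """Hardened form: one '?' per handle, values bound, never concatenated.

    The placeholder count comes from len(handles), so the SQL text itself is
    fixed; each handle is compared as a plain string, quotes and '--' included.
    """
    if not handles:
        return []
    placeholders = ",".join("?" * len(handles))
    sql = f"SELECT handle, title FROM product WHERE handle IN ({placeholders});"
    return conn.execute(sql, list(handles)).fetchall()


def restrict_to_catalogue(conn):
    """Emulate a least-privilege database role with SQLite's authorizer hook.

    A server database would do this with GRANTs on a dedicated account for the
    web application; SQLite has no accounts, so the hook plays that part here.
    The connection may run SELECTs against the product table and is denied
    everything else, which is what "not all users should have admin privilege
    to the database" comes down to in practice.
    """
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "product":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def can_read_accounts(conn):
    """True if this connection is able to read balances at all."""
    try:
        conn.execute("SELECT username, balance_btc FROM account;").fetchall()
        return True
    except sqlite3.DatabaseError:   # SQLITE_AUTH surfaces as DatabaseError
        return False


if __name__ == "__main__":
    db = open_db()
    good = "'p1','p2'"
    bad = "'p1') OR 1=1 --"          # closes the list, appends a tautology
    print("vulnerable, normal input :", lookup_vulnerable(db, good))
    print("vulnerable, hostile input:", lookup_vulnerable(db, bad))       # every row
    print("parameterised, same text :", lookup_parameterised(db, [bad]))  # []
    print("app role reads accounts? :", can_read_accounts(db))            # True
    restrict_to_catalogue(db)
    print("after least privilege    :", can_read_accounts(db))            # False
    print("catalogue still works    :", lookup_parameterised(db, ["p1"]))
```

Run it directly to see the three behaviours side by side: the concatenated query returns every product once the input closes the IN list, the parameterised lookup treats the same text as a literal handle and matches nothing, and once the connection is confined to the product table the account balances are unreachable even though a query for them is still perfectly well formed. That last step is the difference between "the attacker can run queries" and "the attacker has the whole database", which is the point the thread is arguing about.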


Title: Re: Silk Road compromised?
Post by: Endgame on December 20, 2012, 10:32:40 AM
Wonder how much of a chilling effect this will have on silk road use? Even a minor database breach of a site like SR is concerning if you ask me.


Title: Re: Silk Road compromised?
Post by: stochastic on December 21, 2012, 08:07:40 PM
It is amazing that a discussion about the largest marketplace that only uses bitcoin as a medium of exchange is put in the Off-Topic forum.


Title: Re: Silk Road compromised?
Post by: Third Way on December 21, 2012, 08:25:00 PM
It is amazing that a discussion about the largest marketplace that only uses bitcoin as a medium of exchange is put in the Off-Topic forum.

I think it's about safely keeping distance.

So that the whole guilt through association doesn't befall the entire BTC community.

The S.R. is a black market after all. And the Mods/Admins/Owners wouldn't want to be associated to them.