|
rat
|
|
December 19, 2012, 05:10:40 AM |
|
The future of Silk Road will soon possess bigger problems than that.
|
|
|
|
adamstgBit
Legendary
Offline
Activity: 1904
Merit: 1037
Trusted Bitcoiner
|
|
December 19, 2012, 05:14:48 AM |
|
It's hard to believe SR did not protect its database from SQL injection...
My guess is some silly JavaScript or CSS trickery.
Not a major problem... and not hard to solve.
|
|
|
|
MPOE-PR
|
|
December 19, 2012, 08:27:50 AM |
|
Message from Dread Pirate Roberts (owner):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey gang,
I'm aware of the image hack that has taken place and am working with my team to fix the issue. Whoever was able to pull it off is very skilled and clever. Hopefully no one has fallen for it and sent money to any of these mystery addresses in the images. So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.
I have switched the default view for all accounts to "incognito" so images won't show up. Also, it is looking like we will most likely lose the defaced images, so those will need to be re-uploaded.
I'm terribly sorry for the trouble this is causing, and we will get it cleaned up asap.
- -DPR
It was SQL injection. The attacker was able to change product images, so he added a "Quick Buy" option onto the images which included a BTC address to pay to. He also removed the shipping options so that it was impossible to place an order. It doesn't look like anybody fell for it, and the hack didn't affect most of the product listings; they however do not have backups of the original images, so these will have to be re-uploaded by the vendors.

Does this mean they have/had no backups of the site? If I "very skillfully and cleverly" hack their db and overwrite balances instead of images, will they say "also, it is looking like we will most likely lose the defaced balances, so those will need to be re-deposited."?
|
|
|
|
Blazr
|
|
December 19, 2012, 08:34:48 AM Last edit: December 19, 2012, 08:45:59 AM by Blazr |
|
Does this mean they have/had no backups of the site? If I "very skillfully and cleverly" hack their db and overwrite balances instead of images will they say "also, it is looking like we will most likely lose the defaced balances, so those will need to be re-deposited."?
No, of course they have backups of the site, and the DB was never compromised. SR uses a very neat way of displaying the product images on their site, so as to reduce the number of requests the browser has to send over Tor due to the high latency. I'm guessing this is the reason the hacker was able to deface the images, and also the reason they didn't have any backups of them. It sounds like the plan now is to crop out the QuickBuy from the images and use them, after they fix the vulnerability obviously. Should be OK for most of the images; sellers can always fix it anyway by re-uploading. The whole thing has made users extremely paranoid, as a few SR moderators also haven't been heard from in a few weeks now and there is a rumour of a bust happening soon; a lot of sellers are packing up shop and leaving the site.
|
|
|
|
Spekulatius (OP)
Legendary
Offline
Activity: 1022
Merit: 1000
|
|
December 19, 2012, 12:36:41 PM |
|
I thought they were experiencing downtime lately due to more traffic than they can handle (too lazy to fetch the announcement right now). It seems they are prospering nevertheless.
|
|
|
|
adamstgBit
Legendary
Offline
Activity: 1904
Merit: 1037
Trusted Bitcoiner
|
|
December 19, 2012, 04:47:41 PM Last edit: December 19, 2012, 05:08:32 PM by adamstgBit |
|
Message from Dread Pirate Roberts (owner):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey gang,
I'm aware of the image hack that has taken place and am working with my team to fix the issue. Whoever was able to pull it off is very skilled and clever. Hopefully no one has fallen for it and sent money to any of these mystery addresses in the images. So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.
I have switched the default view for all accounts to "incognito" so images won't show up. Also, it is looking like we will most likely lose the defaced images, so those will need to be re-uploaded.
I'm terribly sorry for the trouble this is causing, and we will get it cleaned up asap.
- -DPR
It was SQL injection. The attacker was able to change product images, so he added a "Quick Buy" option onto the images which included a BTC address to pay to. He also removed the shipping options so that it was impossible to place an order. It doesn't look like anybody fell for it, and the hack didn't affect most of the product listings; they however do not have backups of the original images, so these will have to be re-uploaded by the vendors.

If it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the DB... (protecting against SQL injection is not hard)
but some JS or CSS "injection" could have done the same thing...
and SR uses some weird way of displaying images so that you don't download them through Tor (would be too slow); sounds like the hacker found a way to hack that "img system" and change the images.
|
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
December 19, 2012, 05:24:42 PM |
|
Their "weird" image system is to store images as base64 encoded strings in the database, which isn't weird at all.
|
|
|
|
adamstgBit
Legendary
Offline
Activity: 1904
Merit: 1037
Trusted Bitcoiner
|
|
December 19, 2012, 05:41:59 PM Last edit: December 19, 2012, 05:53:13 PM by adamstgBit |
|
Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.
Well, they use some trick to have the images not downloaded from Tor, no? The hacker took advantage of this system, maybe.

So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.

How can they say that if they suspect SQL injection?
|
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
December 19, 2012, 05:57:09 PM |
|
Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.
Well, they use some trick to have the images not downloaded from Tor, no? The hacker took advantage of this system, maybe.

No, they do get downloaded, at least their base64 binary data does, but they get the whole page in only 1 request to the DB and it can be sent to the browser in 1 operation, which saves a lot of time.
|
|
|
|
MPOE-PR
|
|
December 19, 2012, 06:30:58 PM |
|
Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.
Heh, very weird; MPEx graphs are pushed the same way. I guess my original question stands.
|
|
|
|
DarkHyudrA
Legendary
Offline
Activity: 1386
Merit: 1000
English <-> Portuguese translations
|
|
December 19, 2012, 07:00:40 PM |
|
If it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the DB... (protecting against SQL injection is not hard)
but some JS or CSS "injection" could have done the same thing...
and SR uses some weird way of displaying images so that you don't download them through Tor (would be too slow); sounds like the hacker found a way to hack that "img system" and change the images.
Where did you read that a SQL Injection can permit access to the whole DB?
|
English <-> Brazilian Portuguese translations
|
|
|
cedivad
Legendary
Offline
Activity: 1176
Merit: 1001
|
|
December 19, 2012, 10:18:44 PM |
|
If it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the DB... (protecting against SQL injection is not hard)
but some JS or CSS "injection" could have done the same thing...
and SR uses some weird way of displaying images so that you don't download them through Tor (would be too slow); sounds like the hacker found a way to hack that "img system" and change the images.

Where did you read that a SQL Injection can permit access to the whole DB?

Why not? (Because InnoDB has per-row access control?)
|
|
|
|
adamstgBit
Legendary
Offline
Activity: 1904
Merit: 1037
Trusted Bitcoiner
|
|
December 20, 2012, 01:16:57 AM |
|
If it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the DB... (protecting against SQL injection is not hard)
but some JS or CSS "injection" could have done the same thing...
and SR uses some weird way of displaying images so that you don't download them through Tor (would be too slow); sounds like the hacker found a way to hack that "img system" and change the images.

Where did you read that a SQL Injection can permit access to the whole DB?

As I understand it... if you find some user input that isn't SQL injection protected, you can perform any SQL query you want.
|
|
|
|
01BTC10
VIP
Hero Member
Offline
Activity: 756
Merit: 503
|
|
December 20, 2012, 01:53:23 AM |
|
If it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the DB... (protecting against SQL injection is not hard)
but some JS or CSS "injection" could have done the same thing...
and SR uses some weird way of displaying images so that you don't download them through Tor (would be too slow); sounds like the hacker found a way to hack that "img system" and change the images.

Where did you read that a SQL Injection can permit access to the whole DB?

As I understand it... if you find some user input that isn't SQL injection protected, you can perform any SQL query you want.

Not all users should have admin privilege to the database. http://msdn.microsoft.com/en-us/library/ms189121.aspx
|
|
|
|
yogi
Legendary
Offline
Activity: 947
Merit: 1042
Hamster ate my bitcoin
|
|
December 20, 2012, 02:40:57 AM |
|
I once thought about changing my middle name to '") DROP TABLE *'.
|
|
|
|
MPOE-PR
|
|
December 20, 2012, 09:33:17 AM |
|
I once thought about changing my middle name to '") DROP TABLE *'.
XKCD did it. So is the hacker offering the SilkRoad userdb on SilkRoad?
|
|
|
|
DarkHyudrA
Legendary
Offline
Activity: 1386
Merit: 1000
English <-> Portuguese translations
|
|
December 20, 2012, 10:00:45 AM |
|
If it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the DB... (protecting against SQL injection is not hard)
but some JS or CSS "injection" could have done the same thing...
and SR uses some weird way of displaying images so that you don't download them through Tor (would be too slow); sounds like the hacker found a way to hack that "img system" and change the images.

Where did you read that a SQL Injection can permit access to the whole DB?

As I understand it... if you find some user input that isn't SQL injection protected, you can perform any SQL query you want.

Not all users should have admin privilege to the database. http://msdn.microsoft.com/en-us/library/ms189121.aspx

Exactly, and sometimes an SQL injection doesn't mean the whole database; sometimes it's just an IN instruction that was compromised (to me it's the most common case, even I use it on local software). I mean "SELECT * FROM TABLE WHERE HANDLE IN(" + TextCommaSeparated + ");".
|
English <-> Brazilian Portuguese translations
|
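The IN-clause pattern DarkHyudrA quotes above, written out as an added example (not code from this thread or from any site it discusses): the string-concatenated query beside a parameterized one, run against a constructed SQLite table whose image column holds base64 text, as Raoul Duke describes. Table name, columns and sample rows are all assumptions made up for the demo.

```python
import sqlite3

# Constructed sample data (not any real site's schema): product handle, name,
# and the product image stored as a base64 string in the database.
ROWS = [
    (1, "widget", "aGVsbG8="),
    (2, "gadget", "d29ybGQ="),
    (3, "hidden", "c2VjcmV0"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (handle INTEGER, name TEXT, image_b64 TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, text_comma_separated):
    """The pattern from the thread: the caller's comma-separated list is glued
    straight into IN(...), so the database parses it as SQL rather than data."""
    sql = "SELECT name FROM products WHERE handle IN(" + text_comma_separated + ")"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, text_comma_separated):
    """Hardened form: split the list, require every item to be an integer, and
    bind each value through its own placeholder. Anything that is not a number
    raises ValueError before it can reach the SQL parser."""
    handles = [int(h.strip()) for h in text_comma_separated.split(",") if h.strip()]
    if not handles:
        return []
    placeholders = ",".join("?" * len(handles))  # e.g. "?,?" for two handles
    sql = "SELECT name FROM products WHERE handle IN(" + placeholders + ")"
    return [row[0] for row in conn.execute(sql, handles)]


if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal input:", lookup_vulnerable(db, "1,2"))
    print("parameterized, normal input:", lookup_parameterized(db, "1, 2"))
    # A tautology in the list makes the concatenated query return every row;
    # the parameterized version refuses the same string outright.
    print("concatenated, crafted input:", lookup_vulnerable(db, "1) OR 1=1 --"))
    try:
        lookup_parameterized(db, "1) OR 1=1 --")
    except ValueError as exc:
        print("parameterized, crafted input rejected:", exc)
```

The rejection in the hardened version happens in application code, before the driver is involved; limiting what the application's database account may do (as 01BTC10 notes) is the separate, second layer.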
|
|
Endgame
|
|
December 20, 2012, 10:32:40 AM |
|
Wonder how much of a chilling effect this will have on silk road use? Even a minor database breach of a site like SR is concerning if you ask me.
|
|
|
|
stochastic
|
|
December 21, 2012, 08:07:40 PM |
|
It is amazing that a discussion about the largest marketplace that only uses bitcoin as a medium of exchange is put in the Off-Topic forum.
|
Introducing constraints to the economy only serves to limit what can be economical.
|
|
|
|