One of the largest Dark Web markets, AlphaBay, has been outlined with a huge security problem which allows hackers to access private messages. The issue is due to a vulnerability disclosed by Reddit user Cipher0007 who is most likely a security researcher.
He tested out the flaw and found out that he could easily harvest more than 200,000 private messages. The messages are private conversations held between users and sellers. Fortunately, AlphaBay responded on time and patched the vulnerability. The researcher was also rewarded.
Interestingly, when Ciper00007 first contacted AlphaBay to let them know about his findings, they ignored him. That is why he went on to demonstrate what he knew to DarkNetMarkets mods on Reddit. He claimed that he had created a bot to automate the collection of messages.
AlphaBay later explained that the messages were not older than 30 days. Messages older than 30 days are automatically deleted. They also confirmed that the researcher was able to obtain a list of user IDs and usernames. No passwords or Bitcoin addresses were compromised.
Cipher0007 however posted screenshots that expose private messages containing lots of sensitive user details, like:
- First and last names;
- Package tracking numbers, etc.
All that information wasn’t protected by PGP keys, as explained by Softpedia. AlphaBay reminds users that it’s very important to encrypt their sensitive details. They also claim they have done everything possible to improve the website. Nonetheless, considering the character of market place, it’s very likely hackers will continue to target it. Next time it may not be a researcher or a morally sound person but a black hat hacker.