Topic: Silk Road compromised? (Read 3110 times)

full member
Activity: 238
Merit: 100
December 21, 2012, 03:25:00 PM
#21
It is amazing that a discussion about the largest marketplace that only uses bitcoin as a medium of exchange is put in the Off-Topic forum.

I think it's about safely keeping distance.

So that the whole guilt-through-association thing doesn't befall the entire BTC community.

The S.R. is a black market after all, and the Mods/Admins/Owners wouldn't want to be associated with them.
hero member
Activity: 532
Merit: 500
December 21, 2012, 03:07:40 PM
#20
It is amazing that a discussion about the largest marketplace that only uses bitcoin as a medium of exchange is put in the Off-Topic forum.
sr. member
Activity: 412
Merit: 250
December 20, 2012, 05:32:40 AM
#19
Wonder how much of a chilling effect this will have on silk road use? Even a minor database breach of a site like SR is concerning if you ask me.
legendary
Activity: 1386
Merit: 1000
English <-> Portuguese translations
December 20, 2012, 05:00:45 AM
#18
if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't download them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?
as I understand it... if you find some user input that isn't SQL Injection protected, you can perform any SQL query you want.
Not all users should have admin privilege to the database.

http://msdn.microsoft.com/en-us/library/ms189121.aspx

Exactly, and sometimes an SQL Injection doesn't mean the whole database; sometimes it's just an IN instruction that was compromised (to me it's the most common case; even I use it in local software). I mean "SELECT * FROM TABLE WHERE HANDLE IN(" + TextCommaSeparated + ");".
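The IN(...) pattern quoted above is worth seeing end to end, because it shows why "only an IN clause was compromised" still hands over other tables. The following is an added example, not code from this thread or from Silk Road; the sqlite3 schema, table and column names (listings, users, handle, image_b64) and the attacker string are all constructed for illustration. It runs the concatenated query from the post against an in-memory database, then the same input against a version that validates the handles and binds them as parameters.

```python
import sqlite3

# Constructed sample schema (illustrative names only): the table the lookup is
# meant to read, and a second table the attacker is actually after.
SCHEMA = """
CREATE TABLE listings (handle INTEGER PRIMARY KEY, title TEXT, image_b64 TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO listings VALUES (1, 'Widget', 'iVBORw0KGgo=');
INSERT INTO listings VALUES (2, 'Gadget', 'R0lGODlh');
INSERT INTO users VALUES (1, 'alice', '$2b$12$hash_a');
INSERT INTO users VALUES (2, 'bob',   '$2b$12$hash_b');
"""


def fresh_db():
    """Return an in-memory SQLite database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, text_comma_separated):
    """The pattern from the post: the user-supplied comma list is pasted into IN (...).

    Anything after the closing parenthesis is parsed as SQL, so the caller can
    close the list early and append its own SELECT.
    """
    sql = ("SELECT title, image_b64 FROM listings WHERE handle IN ("
           + text_comma_separated + ");")
    return conn.execute(sql).fetchall()


def parse_handles(text_comma_separated):
    """Validate the input shape first: a handle is an integer, nothing else."""
    handles = []
    for part in text_comma_separated.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError("handle is not an integer: %r" % part)
        handles.append(int(part))
    return handles


def lookup_safe(conn, text_comma_separated):
    """Same lookup with one bound parameter per handle.

    The values travel as parameters, never as SQL text, so the IN list cannot be
    closed early and the query shape is fixed by the code, not by the input.
    """
    handles = parse_handles(text_comma_separated)
    if not handles:
        return []
    placeholders = ",".join("?" * len(handles))
    sql = "SELECT title, image_b64 FROM listings WHERE handle IN (%s);" % placeholders
    return conn.execute(sql, handles).fetchall()


# Constructed attacker input: closes the IN list, UNIONs in a different table,
# and comments out the trailing ");" that the application appends.
PAYLOAD = "0) UNION SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    conn = fresh_db()
    # The vulnerable lookup returns rows from the users table, not from listings.
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD))
    try:
        lookup_safe(conn, PAYLOAD)
    except ValueError as err:
        print("safe lookup rejected input:", err)
    print("safe lookup, legitimate input:", lookup_safe(conn, "1, 2"))
```

Two points the run makes concrete: a UNION through an IN clause reads whatever tables the application's database account can read, which is exactly why the account's privileges (the msdn link above) decide how much "just an IN instruction" is worth to the attacker; and the fix is the query shape being fixed in code with bound parameters, not escaping the commas.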
hero member
Activity: 756
Merit: 522
December 20, 2012, 04:33:17 AM
#17
I once thought about changing my middle name to '") DROP TABLE *'.

XKCD did it.

So is the hacker offering the SilkRoad userdb on SilkRoad?
legendary
Activity: 947
Merit: 1042
Hamster ate my bitcoin
December 19, 2012, 09:40:57 PM
#16
I once thought about changing my middle name to '") DROP TABLE *'.
vip
Activity: 756
Merit: 503
December 19, 2012, 08:53:23 PM
#15
if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't download them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?
as I understand it... if you find some user input that isn't SQL Injection protected, you can perform any SQL query you want.
Not all users should have admin privilege to the database.

http://msdn.microsoft.com/en-us/library/ms189121.aspx
legendary
Activity: 1904
Merit: 1037
Trusted Bitcoiner
December 19, 2012, 08:16:57 PM
#14
if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't download them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?
as I understand it... if you find some user input that isn't SQL Injection protected, you can perform any SQL query you want.
legendary
Activity: 1176
Merit: 1001
December 19, 2012, 05:18:44 PM
#13
if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't download them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?
Why not?
(Because innodb has per row access control?)
legendary
Activity: 1386
Merit: 1000
English <-> Portuguese translations
December 19, 2012, 02:00:40 PM
#12
if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't download them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?
hero member
Activity: 756
Merit: 522
December 19, 2012, 01:30:58 PM
#11
Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.

Heh very weird, MPEx graphs are pushed the same way. I guess my original question stands.
legendary
Activity: 1358
Merit: 1002
December 19, 2012, 12:57:09 PM
#10
Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.

well they use some trick to have the images not downloaded from TOR, no?
the hacker took advantage of this system, maybe.

No, they do get downloaded, at least their base64 binary data does, but they get the whole page in only 1 request to the DB and it can be sent to the browser in 1 operation, which saves a lot of time.
legendary
Activity: 1904
Merit: 1037
Trusted Bitcoiner
December 19, 2012, 12:41:59 PM
#9
Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.

well they use some trick to have the images not downloaded from TOR, no?
the hacker took advantage of this system, maybe.

Quote
So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.

how can they say that if they suspect SQL injection?
legendary
Activity: 1358
Merit: 1002
December 19, 2012, 12:24:42 PM
#8
Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.
legendary
Activity: 1904
Merit: 1037
Trusted Bitcoiner
December 19, 2012, 11:47:41 AM
#7
Message from Dread Pirate Roberts (owner):

Quote
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey gang,

I'm aware of the image hack that has taken place and am working with my team to fix the issue.  Whoever was able to pull it off was is very skilled and clever.  Hopefully no one has fallen for it and sent money to any of these mystery addresses in the images.  So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.

I have switched the default view for all accounts to "incognito" so images won't show up.  Also, it is looking like we will most likely lose the defaced images, so those will need to be re-uploaded.

I'm terribly sorry for the trouble this is causing, and we will get it cleaned up asap.

- -DPR

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJQ0V3+AAoJEAIiQjtnt/ol61wIAJgLMU7G9afQIPcEP11QQUfu
nvYAnM+BGsh6U/I65r5p7WzoLlIWTl+1mRIg3YNXMT/6UTphOMFKOv6/XXJig5o/
edja/1+5UJhLeOpXNuDlJDrLJqFGqGKu/swIn0rT2AmmxrgBcXYX+QUnoEZ4lJct
qMcKVX/j6PnWoT62RfmS5cirvbR7R6DB/ahzaVlihjx+XYzw5PiSmPthivQlUiLB
9XWibiO73kxq2cw/+hVvnhHFKbME1Ima1Q/JVX0knY+oAXIW0jeTrg7irDlg7ObL
Xn/w8WJ4GQ+qUkKn/jaY8Im3sFWLXDzWgC+VAAhmatEn49eSraVFA7kVX91tF6Q=
=LZjl
-----END PGP SIGNATURE-----

It was SQL injection. The attacker was able to change product images, so he added a "Quick Buy" option on to the images which included a BTC address to pay on it. He also removed the shipping options so that it was impossible to place an order. It doesn't look like anybody fell for it & the hack didn't affect most of the product listings; they do not, however, have backups of the original images, so these will have to be re-uploaded by the vendors.

if it was SQL injection, then they should assume the hacker has the whole database; if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't download them through TOR (would be too slow); sounds like the hacker found a way to hack that "img system" and change the imgs.
legendary
Activity: 1022
Merit: 1000
December 19, 2012, 07:36:41 AM
#6
I thought they were experiencing downtime lately due to more traffic than they can handle (too lazy to fetch the announcement right now).
It seems they are prospering nevertheless.
hero member
Activity: 882
Merit: 1006
December 19, 2012, 03:34:48 AM
#5
Does this mean they have/had no backups of the site? If I "very skillfully and cleverly" hack their db and overwrite balances instead of images will they say "also, it is looking like we will most likely lose the defaced balances, so those will need to be re-deposited."?

No, of course they have backups of the site & the DB was never compromised.

SR uses a very neat way of displaying the product images on their site, so as to reduce the number of requests the browser has to send over TOR due to the high latency. I'm guessing this is the reason the hacker was able to deface the images & also the reason they didn't have any backups of them.

It sounds like the plan now is to crop out the QuickBuy from the images & use them, after they fix the vulnerability obviously. Should be OK for most of the images; sellers can always fix it anyway by re-uploading.

The whole thing has made users extremely paranoid, as a few SR moderators haven't been heard from in a few weeks now & there is a rumour of a bust happening soon; there are a lot of sellers packing up shop & leaving the site.
hero member
Activity: 756
Merit: 522
December 19, 2012, 03:27:50 AM
#4
Message from Dread Pirate Roberts (owner):

Quote
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey gang,

I'm aware of the image hack that has taken place and am working with my team to fix the issue.  Whoever was able to pull it off was is very skilled and clever.  Hopefully no one has fallen for it and sent money to any of these mystery addresses in the images.  So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.

I have switched the default view for all accounts to "incognito" so images won't show up.  Also, it is looking like we will most likely lose the defaced images, so those will need to be re-uploaded.

I'm terribly sorry for the trouble this is causing, and we will get it cleaned up asap.

- -DPR

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJQ0V3+AAoJEAIiQjtnt/ol61wIAJgLMU7G9afQIPcEP11QQUfu
nvYAnM+BGsh6U/I65r5p7WzoLlIWTl+1mRIg3YNXMT/6UTphOMFKOv6/XXJig5o/
edja/1+5UJhLeOpXNuDlJDrLJqFGqGKu/swIn0rT2AmmxrgBcXYX+QUnoEZ4lJct
qMcKVX/j6PnWoT62RfmS5cirvbR7R6DB/ahzaVlihjx+XYzw5PiSmPthivQlUiLB
9XWibiO73kxq2cw/+hVvnhHFKbME1Ima1Q/JVX0knY+oAXIW0jeTrg7irDlg7ObL
Xn/w8WJ4GQ+qUkKn/jaY8Im3sFWLXDzWgC+VAAhmatEn49eSraVFA7kVX91tF6Q=
=LZjl
-----END PGP SIGNATURE-----

It was SQL injection. The attacker was able to change product images, so he added a "Quick Buy" option on to the images which included a BTC address to pay on it. He also removed the shipping options so that it was impossible to place an order. It doesn't look like anybody fell for it & the hack didn't affect most of the product listings; they do not, however, have backups of the original images, so these will have to be re-uploaded by the vendors.

Does this mean they have/had no backups of the site? If I "very skillfully and cleverly" hack their db and overwrite balances instead of images will they say "also, it is looking like we will most likely lose the defaced balances, so those will need to be re-deposited."?
legendary
Activity: 1904
Merit: 1037
Trusted Bitcoiner
December 19, 2012, 12:14:48 AM
#3
it's hard to believe SR did not protect its database from SQL injection...

my guess is some silly JavaScript or CSS trickery.

not a major problem... and not hard to solve.
rat
sr. member
Activity: 253
Merit: 250
December 19, 2012, 12:10:40 AM
#2


the future of silk road

will soon possess

bigger problems than that.