Silk Road compromised? | Bitcointalksearch.org

Third Way

full member

Activity: 238

Merit: 100

Quote from: stochastic on December 21, 2012, 03:07:40 PM

It is amazing that a discussion about the largest marketplace that only uses bitcoin as a medium of exchange is put in the Off-Topic forum.

I think it's about safely keeping distance.

So that the whole guilt through association doesn't befall on the entire BTC community.

The S.R. is a black market after all. And the Mods/Admins/Owners wouldn't want to be associated to them.

stochastic

hero member

Activity: 532

Merit: 500

It is amazing that a discussion about the largest marketplace that only uses bitcoin as a medium of exchange is put in the Off-Topic forum.

Endgame

sr. member

Activity: 412

Merit: 250

Wonder how much of a chilling effect this will have on silk road use? Even a minor database breach of a site like SR is concerning if you ask me.

DarkHyudrA

legendary

Activity: 1386

Merit: 1000

English <-> Portuguese translations

Quote from: 01BTC10 on December 19, 2012, 08:53:23 PM

Quote from: adamstgBit on December 19, 2012, 08:16:57 PM

Quote from: DarkHyudrA on December 19, 2012, 02:00:40 PM

Quote from: adamstgBit on December 19, 2012, 11:47:41 AM

if it was SQL injection, then they should assume the hacker has the hole database, if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR ( would be to slow ), sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?

as i understand it... if you find some user input that isn't SQL Injection protected, you can preform any SQL query you want.

Not all users should have admin privilege to the database.

http://msdn.microsoft.com/en-us/library/ms189121.aspx

Exactly, and sometimes an SQL Injection doesn't means the whole database, sometimes it's just a IN instruction that was compromised(to me it's the most common case, even I use it on local softwares). I mean "SELECT * FROM TABLE WHERE HANDLE IN(" + TextCommaSeparated + ");".

MPOE-PR

hero member

Activity: 756

Merit: 522

Quote from: yogi on December 19, 2012, 09:40:57 PM

I once thought about changing my middle name to '") DROP TABLE *'.

XCKD did it.

So is the hacker offering the SilkRoad userdb on SilkRoad?

yogi

legendary

Activity: 947

Merit: 1042

Hamster ate my bitcoin

I once thought about changing my middle name to '") DROP TABLE *'.

01BTC10

vip

Activity: 756

Merit: 503

Quote from: adamstgBit on December 19, 2012, 08:16:57 PM

Quote from: DarkHyudrA on December 19, 2012, 02:00:40 PM

Quote from: adamstgBit on December 19, 2012, 11:47:41 AM

if it was SQL injection, then they should assume the hacker has the hole database, if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR ( would be to slow ), sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?

as i understand it... if you find some user input that isn't SQL Injection protected, you can preform any SQL query you want.

Not all users should have admin privilege to the database.

http://msdn.microsoft.com/en-us/library/ms189121.aspx

adamstgBit

legendary

Activity: 1904

Merit: 1037

Trusted Bitcoiner

Quote from: DarkHyudrA on December 19, 2012, 02:00:40 PM

Quote from: adamstgBit on December 19, 2012, 11:47:41 AM

if it was SQL injection, then they should assume the hacker has the hole database, if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR ( would be to slow ), sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?

as i understand it... if you find some user input that isn't SQL Injection protected, you can preform any SQL query you want.

cedivad

legendary

Activity: 1176

Merit: 1001

Quote from: DarkHyudrA on December 19, 2012, 02:00:40 PM

Quote from: adamstgBit on December 19, 2012, 11:47:41 AM

if it was SQL injection, then they should assume the hacker has the hole database, if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR ( would be to slow ), sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?

Why not?
(Because innodb has per row access control?)

DarkHyudrA

legendary

Activity: 1386

Merit: 1000

English <-> Portuguese translations

Quote from: adamstgBit on December 19, 2012, 11:47:41 AM

if it was SQL injection, then they should assume the hacker has the hole database, if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR ( would be to slow ), sounds like the hacker found a way to hack that "img system" and change the imgs.

Where did you read that a SQL Injection can permit access to the whole DB?

MPOE-PR

hero member

Activity: 756

Merit: 522

Quote from: Raoul Duke on December 19, 2012, 12:24:42 PM

Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.

Heh very weird, MPEx graphs are pushed the same way. I guess my original question stands.

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: adamstgBit on December 19, 2012, 12:41:59 PM

Quote from: Raoul Duke on December 19, 2012, 12:24:42 PM

Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.

well they use some tick to have the images not dwl from TOR, no?
the hacker took advantage of this system, maybe.

No, they do get downloaded, at least their base64 binary data does, but they get the whole page in only 1 request to the DB and it can be sent to the browser in 1 operation, which saves a lot of time.

adamstgBit

legendary

Activity: 1904

Merit: 1037

Trusted Bitcoiner

Quote from: Raoul Duke on December 19, 2012, 12:24:42 PM

Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.

well they use some tick to have the images not dwl from TOR, no?
the hacker took advantage of this system, maybe.

Quote

So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.

how can they say that if they suspect SQL injection?

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Their "weird" image system is to store images as base64 encoded strings on the database, which isn't weird at all.

adamstgBit

legendary

Activity: 1904

Merit: 1037

Trusted Bitcoiner

Quote from: ?? on ??

Message from Dread Pirate Roberts (owner):

Quote

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey gang,

I'm aware of the image hack that has taken place and am working with my team to fix the issue. Whoever was able to pull it off was is very skilled and clever. Hopefully no one has fallen for it and sent money to any of these mystery addresses in the images. So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.

I have switched the default view for all accounts to "incognito" so images won't show up. Also, it is looking like we will most likely lose the defaced images, so those will need to be re-uploaded.

I'm terribly sorry for the trouble this is causing, and we will get it cleaned up asap.

- -DPR

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJQ0V3+AAoJEAIiQjtnt/ol61wIAJgLMU7G9afQIPcEP11QQUfu
nvYAnM+BGsh6U/I65r5p7WzoLlIWTl+1mRIg3YNXMT/6UTphOMFKOv6/XXJig5o/
edja/1+5UJhLeOpXNuDlJDrLJqFGqGKu/swIn0rT2AmmxrgBcXYX+QUnoEZ4lJct
qMcKVX/j6PnWoT62RfmS5cirvbR7R6DB/ahzaVlihjx+XYzw5PiSmPthivQlUiLB
9XWibiO73kxq2cw/+hVvnhHFKbME1Ima1Q/JVX0knY+oAXIW0jeTrg7irDlg7ObL
Xn/w8WJ4GQ+qUkKn/jaY8Im3sFWLXDzWgC+VAAhmatEn49eSraVFA7kVX91tF6Q=
=LZjl
-----END PGP SIGNATURE-----

It was SQL injection. The attacker was able to change product images, so he added a "Quick Buy" option on to the images which included a BTC address to pay on it. He also removed the shipping options so that it was impossible to place an order. It doesn't look like anybody fell for it & the hack didn't affect most of the product listings, they however do not have backups of the original images so these will have to be reuploaded by the vendors.

if it was SQL injection, then they should assume the hacker has the hole database, if you can do SQL injection, you have full control over the db... (protecting against SQL injection is not hard)

but some JS or CSS "injection" could have done the same thing...

and SR uses some weird way of displaying imgs so that you don't dwl them through TOR ( would be to slow ), sounds like the hacker found a way to hack that "img system" and change the imgs.

Spekulatius

legendary

Activity: 1022

Merit: 1000

I thought they were experiencing down times lately due to more traffic then they can handle (too lazy to fetch announcement right now).
It seems they are prospering nevertheless.

Blazr

hero member

Activity: 882

Merit: 1006

Quote from: MPOE-PR on December 19, 2012, 03:27:50 AM

Does this mean they have/had no backups of the site? If I "very skillfully and cleverly" hack their db and overwrite balances instead of images will they say "also, it is looking like we will most likely lose the defaced balances, so those will need to be re-deposited."?

No, of course they have backups of the site & the DB was never compromised.

SR uses a very neat way of displaying the product images on their site, so as to reduce the number of requests the browser has to send over TOR due to the high latency. I'm guessing this is the reason the hacker was able to deface the images & also the reason they didn't have any backups of them.

It sounds like the plan now is to crop out the QuickBuy from the images & use them, after they fix the vulnerability obviously. Should be OK for most of the images, seller can always fix it anyways by re-uploading.

The whole thing has made users extremely paranoid as also a few SR moderators haven't been heard from in a few weeks now & there is a rumour of a bust happening soon, there are a lot of sellers packing up shop & leaving the site.

MPOE-PR

hero member

Activity: 756

Merit: 522

Quote from: ?? on ??

Message from Dread Pirate Roberts (owner):

Quote

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey gang,

I'm aware of the image hack that has taken place and am working with my team to fix the issue. Whoever was able to pull it off was is very skilled and clever. Hopefully no one has fallen for it and sent money to any of these mystery addresses in the images. So far as I can tell, the effect of the hack was limited to item images and no sensitive information has been leaked.

I have switched the default view for all accounts to "incognito" so images won't show up. Also, it is looking like we will most likely lose the defaced images, so those will need to be re-uploaded.

I'm terribly sorry for the trouble this is causing, and we will get it cleaned up asap.

- -DPR

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJQ0V3+AAoJEAIiQjtnt/ol61wIAJgLMU7G9afQIPcEP11QQUfu
nvYAnM+BGsh6U/I65r5p7WzoLlIWTl+1mRIg3YNXMT/6UTphOMFKOv6/XXJig5o/
edja/1+5UJhLeOpXNuDlJDrLJqFGqGKu/swIn0rT2AmmxrgBcXYX+QUnoEZ4lJct
qMcKVX/j6PnWoT62RfmS5cirvbR7R6DB/ahzaVlihjx+XYzw5PiSmPthivQlUiLB
9XWibiO73kxq2cw/+hVvnhHFKbME1Ima1Q/JVX0knY+oAXIW0jeTrg7irDlg7ObL
Xn/w8WJ4GQ+qUkKn/jaY8Im3sFWLXDzWgC+VAAhmatEn49eSraVFA7kVX91tF6Q=
=LZjl
-----END PGP SIGNATURE-----

It was SQL injection. The attacker was able to change product images, so he added a "Quick Buy" option on to the images which included a BTC address to pay on it. He also removed the shipping options so that it was impossible to place an order. It doesn't look like anybody fell for it & the hack didn't affect most of the product listings, they however do not have backups of the original images so these will have to be reuploaded by the vendors.

Does this mean they have/had no backups of the site? If I "very skillfully and cleverly" hack their db and overwrite balances instead of images will they say "also, it is looking like we will most likely lose the defaced balances, so those will need to be re-deposited."?

adamstgBit

legendary

Activity: 1904

Merit: 1037

Trusted Bitcoiner

its hard to believe SR did not protected its database from SQL injection...

my guess is some silly JavaScript or CSS trickery.

not a major problem... and not hard to solve.

rat

sr. member

Activity: 253

Merit: 250

the future of silk road

will soon possess

bigger problems than that.

Topic: Silk Road compromised? (Read 3115 times)