Someone has exploited a vulnerability to view 218,000 private unencrypted messages exchanged by users of the AlphaBay dark web marketplace.
On 22 January, a hacker who goes by the name “Cipher0007” reposted on Reddit a bulletin published by one of AlphaBay’s moderators.
In the bulletin, the admin reveals that the attacker found a way to view users’ private unencrypted messages:
“hello community. the user /u/Cipher0007 contacted us mods though the mod mail and delivered proof that he is able to read private alphabay messages. I have verified it by creating two new accounts, sending a message between them, providing the user the message ID and he showed me the content of it. [sic]”
A statement published by AlphaBay on Pastebin clarifies that the hacker found and exploited two vulnerabilities. The first flaw gave them access to 218,000 private messages that were less than 30 days old, and that involved most members up to ID 2609452. The second bug gave the attacker access to user IDs and usernames.
The dark web forum’s admins say they have contacted everyone affected by this breach. In the meantime, the attacker has been paid for their findings, the loophole has been closed, and it has been determined that compromised users’ older messages and Bitcoin addresses are safe.
AlphaBay also made a point of reminding users to create a PGP key and encrypt their sensitive communications.
Cipher0007 agrees with that assessment and thinks it’s good for AlphaBay’s users to protect themselves against incidents like this.
Even so, the hacker doesn’t feel the marketplace comes out of this with its reputation undamaged. As he explains in his Reddit post:
“Users are partially responsible responsible by not encrypting sensitive messages. however it is [in my opinion] even more embarrassing for alphabay since they have shown again that they are clearly unable to run a market securely and protect their users. nobody should use insecure services or software because another layer of security protects them. if they f**ked up so many times before, it is not unlikely that there will be a bug with their financial system too [e.g. someone steals all your money]. [censorship added]”
Many commenters point out that some attackers aren’t as gracious as Cipher0007. Some could have already sold the vulnerabilities to law enforcement personnel, who might be in the process of investigating the affected users. That could mean fines and/or prison time could await those members, especially if they trafficked in malware, drugs, or illegal weapons.
The dark web is at the same time similar to and different from our world.
On the one hand, people buy and sell goods and services that we never see on the surface web indexed by Google and others.
On the other hand, people manage the dark web, which means they are human. Sometimes they don’t implement software updates and make other mistakes. Let’s hope they continue to slip up so that law enforcement can help bring these all these individuals to justice.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.