Vulnerability in Huge Dark Web Marketplace Exposes Private Messages

AlphaBay, possibly the largest dark web marketplace at the moment, is also the most innovative. Last year, its administrators launched a fully automatic credit card shop, and offered contracts for just about anything. More recently, the market has enforced two-factor authentication for all vendors.

But one of AlphaBay's technological developments has backfired.

This week, the market launched an API feature, allowing users to pull certain details from their accounts without logging in for ease of use. But a bug allowed anyone to obtain anyone else's private messages; messages that may contain shipping addresses and other sensitive information, or even communications between market staff members.

"So I enabled the API and turns out when I query my messages I get someone else's in return, mixed with my own messages," Reddit user aboutthednm wrote on Wednesday. The user then published several supposed screenshots of private messages, some of which were between vendors and buyers. Aboutthednm also claimed to have seen physical addresses in some of the communications, because users hadn't encrypted their messages, as is typically recommended when ordering on dark web marketplaces.

He also claimed to have managed to grab the credentials of porn, Netflix, and Paypal accounts, which are commonly sold on marketplaces and then delivered through private messages.

"Only the minority of messages are encrypted with PGP. This is the reason you ALWAYS encrypt all comms with a vendor, because of stuff like this," aboutthednm wrote, adding that he had also seen moderator communications.

Another Reddit user, dnmThief, who also claimed to have exploited the bug, wrote, "you can view messages of any user by just changing the message id." (dnmThief's emphasis.) dnmThief said they had obtained personal details on over 15 users.

AlphaBay's new API feature allows users to read their messages, send new ones, check their balance, withdraw funds, and check their orders and sales. The bug, however, didn't directly allow the theft of bitcoins—withdrawals still required entering a user's six-digit PIN, according to aboutthednm. On Wednesday, AlphaBay had over 91,000 listings for drugs and over 18,000 for fraud related items.

The Reddit account alphabaysupport, which is affiliated with the marketplace, confirmed the bug's existence in a Reddit post, and said in another that aboutthednm would be paid a bounty for uncovering the bug.

"Sorry to break the party, the vulnerability has been patched. Only conversations from 1 to 13,500 (out of 1,067,682) were read, which is around 1.5%, and were all over a year old," the account wrote. "This was indeed a serious problem, but got caught on time." (Some message IDs in the screenshots posted by aboutthednm go far beyond that number, such as 77,232, and the user said that message ID 1,067,440 was the latest that they got to download.)

After contacting the alphabaysupport account, Motherboard spoke to a "manager" of AlphaBay on encrypted chat.

"The server logs show that a single API key was used to scrape the data, indicating that only 1 or 2 people have access to the data," the manager wrote. "The bug was online for 6 hours and got instantly fixed. The person who found the bug has been rewarded a 5-figure reward. The bug will not happen anymore as we instantly patched it when we saw the Reddit post."

The manager reaffirmed that it was only old messages that were accessed, that were, according to them, nearly 14 months old, and that "sale and order data remained private."

Others are concerned that law enforcement may have quickly exploited the vulnerability to access a wealth of messages.

Indeed, law enforcement does monitor Reddit's community of dark web drug dealers, buyers, and staff. In March of last year, an agent with the Department of Homeland Security's (DHS) Immigration and Customs Enforcement in Baltimore sent a subpoena to Reddit, demanding a load of personal data on several users of the Dark Net Markets sub-forum, WIRED reported.

"Fuckin' oath," another Reddit user wrote on Wednesday. "The Baltimore office was scraping that shit hardcore, they'd have amassed a massive dump in that time, no doubt."