A formal announcement was posted on the Hub forum by the Onionshop admins (Onionshop was a service that offered vendors a simple way of running their own anonymous Bitcoin webshop on the Tor network), explaining that the site was taken down after a recent hack that resulted in the loss of around $700 in BTC:
Fellow Onionshop Community,
About 2 days ago we suffered a hack of our database. The hacker replaced addresses in our BTC pool and managed to snatch payments for 3 orders with a total of $700. Fortunately we had some extra security mechanisms in place that were able to prevent further damage and left most orders unaffected.
After noticing that our system had been compromised, we instantly moved to a new server and changed up everything security related. We also changed our source code to assign BTCs to orders directly from Electrum MPKs, without storing them in a pool before. Additionally we introduced a different server where customers can double-check if their assigned BTC address is legit.
At first, we suspected a vulnerability in our image upload script. The script checks various characteristics of files that are being uploaded and is supposed to allow only real JPG files. We noticed that somebody had managed to upload a file with a different extension shortly before the hack, so we assumed we had found the problem. The upload script was removed on the new server and was planned to be replaced.
Today the hacker contacted us, stating that he still has access to our db and that the vulnerability he was exploiting is still in place. We hoped it was a weak attempt to get more BTC after losing access to our db, but he was able to prove us wrong and indeed still had access. He tried to blackmail us into paying 15 BTC to get info on the vulnerability. We don't see this as an option for many reasons.
So here we are, searching for a needle in a 30k-lines-of-code haystack. Even though the hacker will have a hard time stealing any more coins with the latest changes to our BTC handling (probably the reason he offered to sell us info on the bug in the first place), he still has access to our db, and there still is a vulnerability that can enable others to get there too. The safety of our vendors, customers, and ourselves of course has always been top priority for us. Thus the only acceptable consequence for us is to take the whole site offline for an unknown amount of time. Fixing and improving various parts of the code and relaunching in a few days would work, but doesn't meet the high demands we have towards our OPSEC. In order to reopen, we have to inspect our whole code, rewrite fundamental parts of it and do a lot of security and penetration testing.
As of today, we are not sure yet which path we will take from here exactly. We will need some time to evaluate everything before we can announce a plan on how we move forward. Most likely we will develop a new version of Onionshop, preferably OpenBazaar-based, if this should become an option soon. We will keep running this domain and keep you updated here.
Every order that has been placed will be shipped regularly. We leave the vendors area accessible so that any unfinished business can be taken care of: onionshopkue7sxr.onion.market/vendorlogin
If you are a customer, please contact your vendor through another market, the Hub, or any other form of communication they provide. Below this text we provide a link to a list of our vendors and where to contact them. If you need something from your user area which cannot be provided by the vendor, please contact us directly on the Hub (thehub7dnl5nmcz5.onion.market, username Onionshop) and we will look into it for you.
Unlike 6 months ago when we launched Onionshop, there is a wide range of good and promising marketplaces nowadays where you can go instead. Check out the market list of Deepdotweb.com for example. From our own experience, we recommend using Evolution (http://k5zq47j6wd3wdvjq.onion.market) or Cloud9 (http://bviaqyj6obc54vhn.onion.market). We are not related to them, nor do we vouch for them, just a good feeling there. Be careful if you use traditional escrow; only deposit funds you need for a purchase. Vendors should withdraw everything immediately after having orders finalized.
We are sorry to put everybody through this hassle, but we hope the majority will agree with us that, in consideration of the situation, this is the only way to go. We thank all our loyal vendors and customers for putting trust in us and choosing Onionshop to roll with.
Special shout-out goes to the people we have been working with, especially our 2 developers and our graphic designer. Please contact us through the hub!
Rest assured, we will not disappear, nor do we break any agreement we have made. We stay right where we are and will do anything possible to support our userbase through these tumultuous times. There won't be another Sheep on our watch.
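The admins' core mitigation is to stop trusting the address pool stored in the database: assign addresses deterministically and let customers verify them elsewhere. The following is an added example (not Onionshop's code) of a complementary, defender-side check: every (order, address) pair is bound by an HMAC computed with a key kept in the application configuration rather than in the database, so an attacker who gains database-only write access and swaps an address, as happened here, is detected on the next read and on a routine audit. The key, table layout, address strings and attack simulation are all constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed example key: it lives in the application's config, never in the
# database, so a database-only compromise cannot forge tags for swapped addresses.
ADDRESS_TAG_KEY = b"hypothetical-server-side-key-not-stored-in-db"


def address_tag(order_id: int, btc_address: str) -> str:
    """Integrity tag binding an order id to its payment address (HMAC-SHA256)."""
    msg = f"{order_id}:{btc_address}".encode()
    return hmac.new(ADDRESS_TAG_KEY, msg, hashlib.sha256).hexdigest()


def open_db() -> sqlite3.Connection:
    """In-memory orders table; constructed schema for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        " order_id INTEGER PRIMARY KEY,"
        " btc_address TEXT NOT NULL,"
        " address_tag TEXT NOT NULL)"
    )
    return conn


def assign_address(conn: sqlite3.Connection, order_id: int, btc_address: str) -> None:
    """Store the address together with its tag, using a parameterized query."""
    conn.execute(
        "INSERT INTO orders (order_id, btc_address, address_tag) VALUES (?, ?, ?)",
        (order_id, btc_address, address_tag(order_id, btc_address)),
    )


def verified_address(conn: sqlite3.Connection, order_id: int):
    """Return the order's address only if its tag still matches; None if missing or tampered."""
    row = conn.execute(
        "SELECT btc_address, address_tag FROM orders WHERE order_id = ?", (order_id,)
    ).fetchone()
    if row is None:
        return None
    btc_address, stored_tag = row
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(stored_tag, address_tag(order_id, btc_address)):
        return None
    return btc_address


def audit_orders(conn: sqlite3.Connection) -> list:
    """Return the ids of all orders whose stored address no longer matches its tag."""
    flagged = []
    rows = conn.execute("SELECT order_id, btc_address, address_tag FROM orders")
    for order_id, btc_address, stored_tag in rows:
        if not hmac.compare_digest(stored_tag, address_tag(order_id, btc_address)):
            flagged.append(order_id)
    return flagged


def simulate_pool_swap_attack() -> dict:
    """Constructed scenario: an attacker with write access to the DB swaps one address."""
    conn = open_db()
    assign_address(conn, 1, "1VendorAddressExampleAAAA")  # constructed placeholder
    assign_address(conn, 2, "1VendorAddressExampleBBBB")  # constructed placeholder
    # Attacker (database access only, no application key) overwrites order 2's address.
    conn.execute(
        "UPDATE orders SET btc_address = ? WHERE order_id = ?",
        ("1AttackerAddressExampleXXXX", 2),
    )
    return {
        "order_1": verified_address(conn, 1),  # untouched, still served
        "order_2": verified_address(conn, 2),  # tampered, refused (None)
        "flagged": audit_orders(conn),         # [2]
    }


if __name__ == "__main__":
    print(simulate_pool_swap_attack())
```

Run `audit_orders` on a schedule and alert on any non-empty result; the tag does not stop an attacker from writing to the table, but it turns a silent payment diversion into a detectable event and prevents the tampered address from ever being shown to a customer. If the attacker also obtains the application key, the check is defeated, which is why the key must not be readable through the same path as the database.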
The announcement was later followed by a Reddit post by the hacker himself (his identity as the hacker appears to be confirmed):
Onionshop Hacked, all Bitcoins stolen (And I’m still in the db… )
I used a simple MySQL injection on the image upload page and gained access to his entire database. From there, it was a simple replace of all his Bitcoin addresses with my own ones. It took this idiot all of 4 days to realize what had happened, but STILL he hasn’t fixed the vulnerability. I’m in the database as we speak; this is a sheer level of incompetence I cannot even comprehend. He’s now put all his original addresses back on the list, but I’m replacing them again since he hasn’t locked me out. Holy fucking shit.
He can see me changing shit in the database but his excuse of why he hasn’t fixed this yet is “there is 30k lines of code and it is like trying to find a needle in a haystack.” Jesus fucking christ, I even messaged him telling him how I gained access. He has now sent me a begging PM asking me not to expose his incompetence and to “kindly sent the funds back to me and I will remember your good deed, I know you are a good person deep down please do the right thing and give back what you took”
Sorry. But this is a seriously, seriously incompetent admin and I hope anyone reading this will steer clear of any future revisions of Onionshop unless you want to get royally sodomized courtesy of this fool. If I took your money and you can prove it’s yours by sending me your ID for the order, and your address, I will refund you. I ask that you take your refund and use it anywhere else but NOT Onionshop. I am extremely surprised that no one exploited this vulnerability before me; it took all of 30 minutes to construct the tables, display and then update the rows from a completely unsanitized input.
I have the database and can dump tables to prove my claims, (unless it’s against /r/DNM policy). Passwords are all md5 so something was done right at least.
DON’T USE ONIONSHOP. IF YOU DO, GOD HELP YOU.
UPDATE: http://s2.postimg.org/7kskh5v1l/oss2.png My work here is done. Take this as a wake up call, Onionshop…
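The hacker describes the root cause as a "completely unsanitized input" on the image upload page being spliced into SQL. The following added example (not Onionshop's code; table, vendor names and filenames are constructed) shows the defect in its smallest form beside the fix: the same image-metadata lookup written with string formatting and with parameterized placeholders, plus an allowlist check on the filename as defence in depth. Against a hostile filename the formatted version returns rows the caller never asked for, while the parameterized version treats the whole value as data.

```python
import re
import sqlite3

# Allowlist for uploaded image names: letters, digits, underscore, dash, .jpg/.jpeg.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_-]+\.jpe?g$")


def is_safe_filename(filename: str) -> bool:
    """Defence in depth: reject names that are not plain JPG filenames before any DB use."""
    return SAFE_FILENAME.fullmatch(filename) is not None


def build_db() -> sqlite3.Connection:
    """Constructed image-metadata table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE images (id INTEGER PRIMARY KEY, vendor TEXT NOT NULL, filename TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO images (vendor, filename) VALUES (?, ?)",
        [("alice", "shop_logo.jpg"), ("bob", "product1.jpg"), ("bob", "product2.jpg")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, vendor: str, filename: str) -> list:
    """BAD: request-controlled values are pasted into the SQL text and become part of the query."""
    sql = (
        "SELECT vendor, filename FROM images "
        f"WHERE vendor = '{vendor}' AND filename = '{filename}'"
    )
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, vendor: str, filename: str) -> list:
    """GOOD: placeholders; the driver passes the values separately from the statement."""
    sql = "SELECT vendor, filename FROM images WHERE vendor = ? AND filename = ?"
    return conn.execute(sql, (vendor, filename)).fetchall()


def demo() -> dict:
    """Run both lookups against a benign and a constructed hostile filename."""
    conn = build_db()
    benign = "product1.jpg"
    # Constructed hostile value: closes the string literal so the trailing
    # condition widens the WHERE clause in the formatted query.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": vulnerable_lookup(conn, "bob", benign),    # one row
        "vuln_hostile": vulnerable_lookup(conn, "bob", hostile),  # every row in the table
        "safe_benign": safe_lookup(conn, "bob", benign),          # one row
        "safe_hostile": safe_lookup(conn, "bob", hostile),        # no rows: value treated as data
        "hostile_passes_allowlist": is_safe_filename(hostile),    # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Parameterization is the fix; the allowlist is not a substitute for it but stops malformed names at the edge and makes rejected uploads easy to log, which is exactly the signal the admins lacked when they noticed "a file with a different extension" only after the fact. The same `?` placeholder pattern applies to the MySQL driver the site actually used (`%s` placeholders with a parameter tuple in MySQLdb/PyMySQL).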
It seems that the Onionshop admins did the right thing by taking the site offline until the incident has been investigated and the vulnerability fixed. Luckily, in this case the financial loss was small.