Unencrypted Messages on AlphaBay Exposed

Recently, AlphaBay launched a new API feature allowing subscribers to retrieve certain information from their accounts without having to log in. A bug shipped at about the same time, however, let arbitrary users read other people's private messages, some of which contained sensitive details such as shipping addresses and even internal communications between AlphaBay staff.

A Reddit user, aboutthednm, first raised the issue on Wednesday 27th April after noticing peculiar behaviour on his AlphaBay account. After activating the API program, he queried his own messages and instead received texts belonging to someone else. He then published several alleged screenshots of the private chats, some of them conversations between dealers and buyers. Aboutthednm also said he saw physical addresses in a few of the communications, because the users had not encrypted their messages, which is strongly advisable when ordering items on darkweb sites like AlphaBay. He also accessed confidential details of Netflix, PayPal and adult-site accounts, which are commonly sold on dark web markets and then delivered via private messages.

Another Reddit user, dnmThief, also claimed to have actively exploited the bug, writing that it was easy to view the messages of unsuspecting AlphaBay users simply by changing the message id in the request. Changing an identifier and getting back another user's record is the classic insecure direct object reference (IDOR): the endpoint authenticates the caller but never checks that the caller owns the object being requested. dnmThief claimed to have obtained personal details belonging to more than 15 different users.
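The following is an added illustration, not AlphaBay's code or anything posted by the Reddit users: a minimal message-read API with the ownership check missing, beside the fixed version, plus the id-walking loop dnmThief described. The message store, API keys, user names and message ids are all constructed for the example.

```python
"""Added example (not AlphaBay's code): an IDOR in a message-read endpoint
and the ownership check that closes it. All data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str


# Constructed stand-in for the marketplace's message table.
MESSAGES = {
    101: Message(101, "alice", "bob", "-----BEGIN PGP MESSAGE----- (ciphertext)"),
    102: Message(102, "carol", "dave", "ship to: 12 Example St (plaintext!)"),
    103: Message(103, "staff1", "staff2", "internal: rotate the API keys"),
}

# Constructed API keys mapped to the account each key authenticates.
API_KEYS = {"key-bob": "bob", "key-dave": "dave"}


class Forbidden(Exception):
    """Raised when the API key itself is unknown (authentication failure)."""


def resolve_user(api_key: str) -> str:
    """Authentication: turn an API key into the account it belongs to."""
    try:
        return API_KEYS[api_key]
    except KeyError:
        raise Forbidden("unknown API key")


def get_message_vulnerable(api_key: str, msg_id: int) -> Optional[Message]:
    """Authenticates the caller but never asks whether the message is theirs,
    so any valid key can read any message just by changing msg_id."""
    resolve_user(api_key)
    return MESSAGES.get(msg_id)


def get_message_fixed(api_key: str, msg_id: int) -> Optional[Message]:
    """Authorization added: the caller must be the sender or the recipient.
    Unknown ids and foreign ids both return None, so the response does not
    even confirm that a message with that id exists."""
    user = resolve_user(api_key)
    msg = MESSAGES.get(msg_id)
    if msg is None or user not in (msg.sender, msg.recipient):
        return None
    return msg


def enumerate_messages(
    handler: Callable[[str, int], Optional[Message]],
    api_key: str,
    id_range: Iterable[int],
) -> List[int]:
    """The abuse as described: walk a range of ids with one key and keep
    every id that returns a message."""
    return [i for i in id_range if handler(api_key, i) is not None]


if __name__ == "__main__":
    print("vulnerable:", enumerate_messages(get_message_vulnerable, "key-bob", range(100, 110)))
    print("fixed:     ", enumerate_messages(get_message_fixed, "key-bob", range(100, 110)))
```

Against the vulnerable handler, bob's key retrieves all three messages, including the staff-internal one; against the fixed handler it retrieves only message 101. Note that switching to random, hard-to-guess message ids would slow the enumeration but is not a fix on its own; the ownership check is what makes the endpoint correct.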

Nevertheless, users can still protect the contents of their AlphaBay messages by using PGP encryption. PGP uses keys to lock (encrypt) data so that only the intended recipient can unlock (decrypt) it; each key is unique and opens only the locks made for it.

PGP is built on public-key cryptography: each AlphaBay account holder has a key pair, a public key and a private key, with the names indicating their purpose. The public key can be freely shared with others, while the private key must be kept secret for confidentiality. Functionally, the public key encrypts data (locking) and the private key decrypts it (unlocking), so a buyer encrypts a shipping address to the vendor's public key and only the vendor's private key can read it. Had the leaked messages been encrypted this way, the bug would have exposed only ciphertext.

AB's new API function allows users to perform various tasks such as reading messages, sending new ones, withdrawing funds, checking their balance and checking the status of their orders and sales. While the bug can be used to steal chat information, it does not allow direct theft of bitcoins, since withdrawals require a separate 6-digit PIN. Currently, AlphaBay has more than 91,000 drug listings and 18,000 listings for fraud-related products.

The marketplace's affiliated Reddit account, alphabaysupport, confirmed the bug's existence in a post and said it was willing to pay user "aboutthednm" a bounty for discovering it. AlphaBay apologized for the security breach and reminded users that only 1.5% of all messages had been affected, which translates to about 13,500. However, message screenshots sent by aboutthednm show a much higher number, 77,232.

AlphaBay's server logs indicate that just a single API key was used to pull the data, and that only one or two people had direct access to the information; a conclusion drawn from logs is, of course, only as good as what the logging captured during the window. The bug was online for approximately six hours and was fixed as soon as it was reported. Management confirmed that aboutthednm was awarded a 5-figure sum for finding the bug, and promised users that such a thing will not happen again now that security has been tightened. Furthermore, the admin said only old messages had been affected and that people need not panic; order and sale details, as far as they are concerned, remained private. Despite these explanations, some AlphaBay users remain skeptical, raising concerns that law enforcement agencies might have exploited the vulnerability to access messages.
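How a log review like the one described above could be done is shown below as an added example; it is not AlphaBay's tooling, and the log format, field names, API keys and message ids are constructed for the illustration. The idea is that a key which reads many distinct message ids in near-sequential order looks like an id walk, while an ordinary user reading their own inbox does not.

```python
"""Added example (not AlphaBay's code): flag API keys that walk message ids
in an access log. Log format and all lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterator, Optional

# Constructed log lines: ts key=<api key> op=<operation> [id=<msg id>] status=<code>
LOG_LINES = """\
2016-04-27T10:00:01Z key=k-a1 op=read_message id=5001 status=200
2016-04-27T10:00:02Z key=k-a1 op=read_message id=5002 status=200
2016-04-27T10:00:03Z key=k-a1 op=read_message id=5003 status=200
2016-04-27T10:00:04Z key=k-a1 op=read_message id=5004 status=200
2016-04-27T10:00:05Z key=k-b7 op=get_balance status=200
2016-04-27T10:00:06Z key=k-a1 op=read_message id=5005 status=200
2016-04-27T10:00:07Z key=k-b7 op=read_message id=7810 status=200
2016-04-27T10:00:08Z key=k-a1 op=read_message id=5006 status=200
2016-04-27T10:00:09Z key=k-a1 op=read_message id=5007 status=200
2016-04-27T10:00:10Z key=k-b7 op=read_message id=7999 status=200
2016-04-27T10:00:11Z key=k-a1 op=read_message id=5008 status=200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) op=(?P<op>\S+)(?: id=(?P<id>\d+))? status=(?P<status>\d+)$"
)


def parse(lines: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def enumeration_suspects(lines: str, min_ids: int = 5, max_gap: int = 2) -> Dict[str, int]:
    """Return {api_key: distinct ids read} for keys that read at least min_ids
    distinct message ids where at least 80% of the gaps between consecutive
    sorted ids are <= max_gap, i.e. the key is walking the id space."""
    ids_by_key = defaultdict(set)
    for ev in parse(lines):
        if ev["op"] == "read_message" and ev["id"] is not None:
            ids_by_key[ev["key"]].add(int(ev["id"]))

    suspects: Dict[str, int] = {}
    for key, ids in ids_by_key.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        sequential = sum(1 for g in gaps if g <= max_gap)
        if sequential >= 0.8 * len(gaps):
            suspects[key] = len(ids)
    return suspects


if __name__ == "__main__":
    print(enumeration_suspects(LOG_LINES))
```

On the constructed log this flags `k-a1` (eight consecutive ids) and not `k-b7`. The thresholds are assumptions to be tuned against real traffic; the detector also says nothing about keys that read only ids they were entitled to, so pair it with the server-side ownership check rather than relying on it alone.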

