Static CSRF Tokens, Dark Marketplace Forums and Salt

September 5, 2017

I was unsure whether to publish this, I’m no fan of marketplaces on anonymous networks like TOR, especially ones which decide to sell weapons that could harm someone. While this vulnerability is interesting, I don’t think theres any real value to it to which it’s worthy keeping it secret. I have already informed the developer of the forum software but it seems very inactive, the last update was last year and the forum is very quiet. Many forums on the internet must use this particular software that is vulnerable but I came across it through using an anonymous network, TOR. ‘Dream Marketplace’ and ‘Traderoute’ both use this forum software, there are many little parts that I’ve found that are fairly uninteresting but allow you to understand more about the marketplaces (Confirmed environment like version etc.). For now I want to discuss the problems that face accounts using this software. Some notes before I get on with the technical discussion.

read more …