A bug on AlphaBay, the largest active dark web marketplace, allowed outsiders to read 30 days worth of private messages on the site. A total of 218,000 messages were obtained, according to the market’s administrators, giving an attacker the ability to view messages between vendors and buyers selling everything from illicit drugs to stolen digital data.
The bug was made public on Saturday with a post to reddit. The technical specifics of this latest bug were not revealed.
The user posted five screenshots of private messages for proof, showing where AlphaBay users openly exchanged names, addresses and tracking numbers without encryption.
The reddit user said that AlphaBay administrators initially ignored three tickets reporting the critical bug.
AlphaBay administrators paid a hacker for finding the bug, a reward reminiscent of bug bounty programs above-the-board technology organizations are employing with increasing frequency. AlphaBay administrators did not respond to a request for comment asking how much they paid out for the bug bounty
Four hours after the reddit user went public, AlphaBay administrators confirmed the problem and said it had been fixed.
“The attacker was paid for his findings, and agreed to tell us the methods used to extract such information,” the user alphabaysupport wrote on reddit. “Our developers immediately closed the loophole in order to protect the security of our users.”.
The market’s owners also issued advice to their users, saying “no action is required” but “we remind everyone to ALWAYS ENCRYPT SENSITIVE INFORMATION such as addresses, BTC addresses, tracking numbers, etc.”
AlphaBay was officially launched in December 2014 in the wake of two major Silk Road FBI busts. It became the most popular market on the dark web in 2015.
This is the second time within a year that a bug exposed private messages on the market.
Private messages are often used to communicate extremely sensitive data like addresses, postal tracking numbers and real names where illicit products have to be delivered. If law enforcement or other criminals came into possession of these messages, it could pose a grave risk to AlphaBay’s massive customer base.
Like every dark web market, AlphaBay’s documentation advises users to always encrypt sensitive data so that even if messages are intercepted, they cannot be read. Previous studies on Silk Road, the first widely popular dark web market, showed that most users rarely encrypted sensitive data.
The idea that law enforcement or other criminals may find this sensitive information is not hypothetical. Wired reported in 2015 how the Department of Homeland Security delivered a subpoena to Reddit demanding a load of personal data on users of the dark net markets forum. On the other hand, dark web denizens hack one another as well, probing for weaknesses and advantages in a highly competitive environment.