Just a short time after Versus Market admin has announced that Versus Market goes into invite only mode, Versus Market has been completely hacked meaning a “Complete takeover. Database, files, cryptocurrency wallets, real IP exposed etc”.
Much like Archetyp Market hack which was done by AlphaBay market admin DeSnake, this hack was brought to the attention of the notorious darknet market admin by a hacker and was quickly verified first by DeSnake and then by other prominent darknet admins such as Paris.
I was contacted around a day ago by the hacker /u/threesixty about the security issues on Versus. As with everything I take it with a cup full of salt before I do my own verification. I took a look at his profile and of course it was a new one which led me even further to believe this to be FUD. He had created a post on Versus subdread /post/e408c16ab482106c4eea/ which got suprisingly little attention for the details that it was outlining and claiming.
I decided to ask him for further details and in an encrypted PGP message he provided an interesting amount of information. Now anyone could have created that information so the only way to verify it was to test myself. I was almost certain it had been patched by Versus... but even after the post threesixty had done the vulnerability was still sitting there plain as day allowing anyone to browse through the system and potentially escalate to full control over the server.
Together with the good-willed hacker 360, we were able to get even more proof on top what he had recovered initially that indeed it is the real server of Versus. All proof was provided to Paris right before putting this post up.
The Vulnerability
Testing the vulnerability was straightforward and as threesixty said a textbook one. There was no complexity in it or discovering it. How no one has reported it or fixed in 3 years I or him do not understand. Complete props go to him for finding it.
The Impact
Complete takeover. Database, files, cryptocurrency wallets (of course those that have used multisig are okay either way), real IP exposed etc. Complete pwn.
From threesixties (and mine) side nothing has been taken or modified in any shape or form. Only information was downloaded such as databases and files (including system ones to prove the existence) which would allow us to prove the vulnerability exists to other high ranking people like /u/Paris . Cryptocurrency wallets were never touched.
Given the issues with security that are now happening for the 3rd time in the markets history, Staff problems also affect Versus. I have no doubt that affects the security and maintenance of the marketplace. Staff are a core part of the marketplace without Staff administrators are nothing and vice versa. So for all of you marketplace admins make sure your Staff are well, financially and in other ways. When you are an employer it is your duty to ensure you create a good environment for individual employees to thrive and grow both professionally and personally.
DeSnake goes on and says that the hack is so complete that there is no chance of the admin of Versus to fix the issue, and hints that Versus Market can go offline due to an exit scam at any moment.
The hack was confirmed by Dread admin Paris who says the hack is indeed real and that this exploit was on the Versus server for almost 3 years, meaning there is almost no chance that it was not used by LE (Law Enforcement) and that the market should not be used from this time.
/u/DeSnake has provided me the exploit and rational. I have personally verified it.
IT IS REAL.
The exploit is extremely simple but compromising. It allows for full access to the underlining file system on the server. This include information within the /etc/ directory as well as wallet directories. It is a full information compromise of the system. Everything to the server's IP address, to the backup of the database in the admin home folder, to the wallet files themselves. I am able to traverse nearly the entire file system with web server level access. There is no jail, WAF, and minimal care to limit the information disclosure in the event of a web server compromise. I am able to view the history of IP addresses which have previously accessed the server.
This is a major compromise and it is very easy to find and pull off. Even a simple scriptkitty that is running a web server tester will find this exploit. /u/WilliamGibson I will be passing this information over to you. This shouldn't be a problem with even the most basic jailing practices on the web server layer.
Until such time as this is fixed nobody should use Versus. I can't say that enough. This entire server is probably compromised already by law enforcement and being monitored. It is a total compromise and is without a doubt one of the worse outcomes to a simple security exploit I have seen in a very long time. With Versus Market having the most extreme security exploit in the last few years, it is strongly advised to stop using Versus Market and go on to use other top darknet markets who did not have that kind of security exploit such as AlphaBay, ASAP, Abacus and more darknet market that you can find on our top darknet markets list.