Darkweb marketplace Versus Market announced a few days ago that its IP address had been leaked due to a technical mishap, and called a maintenance window during which the market was taken down to check for any additional exploits and strengthen security.
In a statement shared by staff member u/WilliamGibson on Dread on 23rd March,
We received reports of a potential IP leak from one of our middleware servers and decided to shut the market down temporarily to investigate the issue before any damage is done.
The affected server was added during the DDoS and is not a backend server. It has been wiped and abandoned for security reasons. I don't want to cause any panic and can assure that I only post this for transparency.
He assured customers that the service would be back up and running soon, saying,
The market will be running as usual after we have made sure there are no other leaks, in max 12 hours, until 11:00 UTC. Please excuse the inconvenience caused and rest assured no user data or any critical information in general has been leaked.
In the days following this announcement, he came back to share the details of what truly transpired during the downtime.
He said the incident stemmed from a DDoS attack that targeted an application-layer vulnerability, and shared more technical details, saying,
The attacker found an application layer vulnerability by requesting non-existing captcha images. This led to a lot of useless file IO and exhausted the main server resources.
According to him, trying to counter the attack after hours of work and without sleep led to a mistake that exposed the server's IP address.
He explained that the team had deployed custom middleware on the Tor front-end servers to filter bad traffic and deliver the captchas. Moving the infrastructure to another host after the IP leak then resulted in 14 hours of downtime for the site.
He added that the team has since made changes so that the vulnerability cannot be exploited in the same way again, and wrote in his statement,
What we did to avoid such stupid mistakes in the future.
The middle-ware was fixed to extract the correct onion under any circumstances. The display of the hostname gets validated via regex. There is no more routing via IP. The middle-ware will run on every single tor instance. The routing to the back-end server is also over Tor.
Additionally we checked the source to look for any other instance where the hostname/custom header might show up. Nothing was found. These multiple layers of security will make sure that even a bad decision under sleep deprivation will not lead to such an event again.
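The two fixes described in the statement, a strict hostname check and a captcha path that does no filesystem work for unknown ids, are general web-hardening measures. The following is an added illustration written for this article, not code from Versus Market or its staff: a small request handler that accepts only one expected v3 onion hostname (a constructed placeholder, not a real address), refuses anything else without echoing it back, and serves captcha images from an in-memory manifest so that a request for a non-existent image costs a dictionary lookup rather than a disk access. The captcha ids and image bytes are constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Strict pattern for a v3 onion hostname: 56 base32 characters followed by ".onion".
ONION_RE = re.compile(r"^[a-z2-7]{56}\.onion$")

# Constructed placeholder for the service's own onion address (not a real address).
EXPECTED_ONION = "a" * 56 + ".onion"

# Constructed in-memory manifest of valid captcha ids -> image bytes.
# Resolving captchas here instead of probing the filesystem means a request for an
# unknown id never triggers file I/O, which is the resource the original attack exhausted.
CAPTCHA_STORE: Dict[str, bytes] = {
    "c1": b"PNG-bytes-1",
    "c2": b"PNG-bytes-2",
}

# Only a short alphanumeric id is accepted, so path traversal never reaches a lookup.
CAPTCHA_PATH_RE = re.compile(r"^/captcha/([A-Za-z0-9]{1,32})\.png$")


def host_is_valid(host: Optional[str]) -> bool:
    """Accept only the expected onion hostname, as an exact match.

    IP literals, clearnet names, ports and a missing Host header are all rejected,
    which removes any path for the service to be addressed by IP.
    """
    if host is None:
        return False
    host = host.strip().lower()
    return ONION_RE.fullmatch(host) is not None and host == EXPECTED_ONION


def handle_request(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Return (status, body) for one request.

    Fails closed on a bad Host header and serves captchas from memory only.
    """
    if not host_is_valid(headers.get("Host")):
        # Generic response: the hostname is deliberately not reflected into the body,
        # so an error page cannot leak how the backend is addressed.
        return 421, b"misdirected request"
    if method != "GET":
        return 405, b"method not allowed"
    match = CAPTCHA_PATH_RE.match(path)
    if match is None:
        return 404, b"not found"
    image = CAPTCHA_STORE.get(match.group(1))
    if image is None:
        # Unknown id: answered from the dictionary miss, no filesystem call made.
        return 404, b"not found"
    return 200, image


if __name__ == "__main__":
    print(handle_request("GET", "/captcha/c1.png", {"Host": EXPECTED_ONION}))
    print(handle_request("GET", "/captcha/zzz.png", {"Host": EXPECTED_ONION}))
    print(handle_request("GET", "/captcha/c1.png", {"Host": "10.0.0.5"}))
```

The exact-match comparison is what matters: a regex alone only proves the header looks like an onion address, while the equality check pins it to the one address the service is meant to answer on.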
The site is currently up and running, and users and vendors can carry on with their daily trading activities. Versus has reiterated that the leak did not affect user data in any way.