Silk Road fumbles and reveals its IP address
A bored pentester used this one weird old trick to find out Silk Road’s public IP address, which has the potential to compromise the entire operation.
EDIT: Don’t go into freak-out mode here! This is potentially serious, but is fixable and I disclosed to DPR alone about 15 hours ago. He’s good, skilled, and this will be investigated and fixed in no time, I am sure. In the interim, if you need to use Silk Road BE SURE TO USE GPG. The beauty of Bitcoin and Tor is that even if the server were to be seized, if your messages are GPGed, it’s near-impossible to get anything valuable. I just know that not everyone uses GPG.
I am a penetration tester by trade, and while I do not use SR, I do occasionally conduct informal tests of the security of various Tor Hidden Services.
I debated for hours whether to post this, but I need to alert the community in case no actions are taken:
Last night, while SR was down for maintenance, a brief few moments allowed a certain set of circumstances that caused me to be able to view the public IP of the httpd server of Silk Road. This isn’t an obvious flaw, but it is extremely simple if you know where to look – the server basically will publish a page containing all of the configuration data of the httpd server including the public IP address.
For the sake of the site’s security, that’s all the information I’m going to reveal.
I have messaged Dread Pirate Roberts and am currently awaiting a response. I do have a SHA512 hash of the public IP which I have retained as evidence if DPR needs proof.
I will keep this updated with any news received.
With such information, authorities may be able to locate and shut down Silk Road and apprehend its operator, or more. What does this mean for Bitcoin? If the Silk Road gets busted, the only thing left to prop up the price of butts is the Magic: the Gathering Online Exchange’s creaky servers and meddling hands.
March 26, 2013 @ 8:35 pm
A SHA512 hash of an IP address? Sure is a competent pen tester and not a cargo cult skiddie at all.
March 27, 2013 @ 12:18 pm
No, he held a hash of the IP address and threw the IP away. So if he gets a visit, he can say it is not here. Like, I am sorry, I one-way compressed it. No, officer, I did not two-way compress it. Sorry, didn’t think about it, but here it is.
You can use a hash to verify the IP address. Like, a hash function generates a practically unique integer for, like, whatever you throw in it. It’s like mathematics, you know.
On the other hand, if the asshole didn’t use a salt, it is much easier to find the IP address. That would be somewhat worrisome. If he did, it doesn’t complicate the comparison too much.
To check, he only needs to send the salt to the compromised party and promise that he destroys the hash after verification. Then the compromised party hashes the IP address with the salt. Then they hash both hashes on both sides and compare them. That is kinda safe.
March 27, 2013 @ 10:18 am
> the price of butts
I’d make a comment about what Bruce Wagner is likely to spend his internet monopoly money on, but honestly there are just too many possibilities.
April 1, 2013 @ 12:37 pm
Unless this was an IPv6 address, anyone can calculate the IP from the SHA hash in a matter of seconds. So this was a really stupid and unnecessary step; the SHA hash and the IP address are in this case equivalent.
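The two comments above (the salt discussion and the "equivalent to the IP" one) are both about the same thing: an unsalted hash of an IPv4 address is not a secret, because the whole address space is only 2^32 values and an attacker can simply hash every candidate until one matches. A salt does not change that once the salt is known; what does work is keeping a high-entropy random nonce secret until the reveal, which turns the hash into a commitment. The following is an added example written for this page, not code from the pentester or from anyone in the thread. The address 198.51.100.77 (a documentation range) is a constructed sample, and the brute force is run over a /16 rather than the full IPv4 space only to keep the demonstration fast; the full 32-bit space is the same bounded search, just longer.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional, Tuple

# Constructed sample address (TEST-NET-2, documentation range), not a real server.
SAMPLE_IP = "198.51.100.77"


def naive_commit(ip: str) -> str:
    """Unsalted SHA-512 of the dotted-quad string, as the poster described."""
    return hashlib.sha512(ip.encode()).hexdigest()


def salted_commit(ip: str, nonce: bytes) -> str:
    """SHA-512 over a nonce prepended to the dotted-quad string."""
    return hashlib.sha512(nonce + ip.encode()).hexdigest()


def brute_force(digest_hex: str, network: str, nonce: bytes = b"") -> Optional[str]:
    """Hash every address in `network` (with an optional known nonce) until one
    matches `digest_hex`. Returns the recovered address, or None if not found.

    Without a nonce this is the attack on the unsalted hash. With the nonce
    supplied it shows that a salt the attacker has learned buys nothing: the
    search space is still just the address space."""
    target = bytes.fromhex(digest_hex)
    for host in ipaddress.IPv4Network(network):
        candidate = hashlib.sha512(nonce + str(host).encode()).digest()
        if hmac.compare_digest(candidate, target):
            return str(host)
    return None


def make_commitment(ip: str) -> Tuple[str, bytes]:
    """Commit to an address with a fresh 256-bit random nonce.

    The commitment can be published; the nonce must stay private until the
    reveal. Without the nonce, brute-forcing the 2^32 addresses is useless,
    because the attacker would also have to guess 256 bits of nonce."""
    nonce = secrets.token_bytes(32)
    return salted_commit(ip, nonce), nonce


def verify_commitment(commitment: str, nonce: bytes, claimed_ip: str) -> bool:
    """Reveal step: the other party recomputes the hash from the disclosed nonce
    and the address and compares it to the published commitment."""
    return hmac.compare_digest(commitment, salted_commit(claimed_ip, nonce))


if __name__ == "__main__":
    # 1. Unsalted hash: recoverable by enumeration.
    weak = naive_commit(SAMPLE_IP)
    print("unsalted hash recovered:", brute_force(weak, "198.51.0.0/16"))

    # 2. Commitment with a secret nonce: enumeration without the nonce fails,
    #    the legitimate reveal succeeds, and a wrong address is rejected.
    commitment, nonce = make_commitment(SAMPLE_IP)
    print("brute force without nonce:", brute_force(commitment, "198.51.0.0/16"))
    print("reveal verifies:", verify_commitment(commitment, nonce, SAMPLE_IP))
    print("wrong address rejected:", not verify_commitment(commitment, nonce, "198.51.100.78"))

    # 3. Once the nonce leaks, the commitment is as weak as the plain hash.
    print("brute force with leaked nonce:", brute_force(commitment, "198.51.0.0/16", nonce))
```

The practical reading for the thread: "I kept a SHA512 of the IP" protects nothing if the hash itself is ever disclosed, and a fixed or revealed salt does not help. Keeping a random nonce alongside the hash, and only disclosing it to the party who is supposed to verify, is the arrangement the third comment is groping towards.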
July 10, 2013 @ 4:01 am
It’s the government mannnnnnn