A bored pentester used this one weird old trick to find out Silk Road’s public IP address, which has the potential to compromise the entire operation.
EDIT: Don’t go into freak-out mode here! This is potentially serious, but is fixable and I disclosed to DPR alone about 15 hours ago. He’s good, skilled, and this will be investigated and fixed in no time, I am sure. In the interim, if you need to use Silk Road BE SURE TO USE GPG. The beauty of Bitcoin and Tor is that even if the server were to be seized, if your messages are GPGed, it’s near-impossible to get anything valuable. I just know that not everyone uses GPG.
I am a penetration tester by trade, and while I do not use SR, I do occasionally conduct informal tests of the security of various Tor Hidden Services.
I debated for hours whether to post this, but I need to alert the community in case no actions are taken:
Last night, while SR was down for maintenance, a brief few moments allowed a certain set of circumstances that caused me to be able to view the public IP of the httpd server of Silk Road. This isn’t an obvious flaw, but it is extremely simple if you know where to look – the server basically will publish a page containing all of the configuration data of the httpd server including the public IP address.
For the sake of the site’s security, that’s all the information I’m going to reveal.
I have messaged Dread Pirate Roberts and am currently waiting for a response. I do have a SHA512 hash of the public IP which I have retained as evidence if DPR needs proof.
I will keep this updated with any news received.
With such information, authorities may be able to locate and shut down Silk Road and apprehend its operator, or more. What does this mean for Bitcoin? If the Silk Road gets busted, the only thing left to prop up the price of butts is the Magic: the Gathering Online Exchange’s creaky servers and meddling hands.
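Two things in the post are worth showing in working code, from the operator's side rather than the tester's. First, the leak itself: a hidden service's web server must never emit anything but loopback or private addresses in any page it serves, so an operator can grep their own server's responses (status pages, error pages, headers) for routable IPv4 addresses. Second, the "SHA512 hash of the IP as evidence": a bare SHA-512 of an IPv4 address is not a safe commitment, because there are only about 4.3 billion possible addresses and anyone who sees the hash can brute-force it in minutes, so a salted HMAC commitment whose salt is revealed later is the right tool. The following is an added example and not code from the original post or from any actual server; SAMPLE_STATUS_PAGE is a constructed excerpt using documentation and private ranges only, HARMLESS_NETS is my own choice of "expected" ranges, and the function names are mine.

```python
import hashlib
import hmac
import ipaddress
import re
import secrets

# Constructed sample: an excerpt in the style of a web server's status/config
# page, the kind of page the post says exposed the server's public address.
# The addresses are documentation (203.0.113.0/24) and private ranges only.
SAMPLE_STATUS_PAGE = """\
Server Version: httpd (constructed sample)
Listening on 127.0.0.1:80
Listening on 203.0.113.7:80
Client 10.0.0.5 requested /index.html
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ranges that are fine to see in a hidden service's own output (assumption):
# loopback, RFC 1918, link-local and the "this network" block. Anything else
# is flagged. Documentation ranges are deliberately NOT excluded, so the
# constructed sample above is caught; ipaddress's is_global would hide them.
HARMLESS_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8",
)]


def find_leaked_ips(body):
    """Return routable IPv4 addresses found in a server response, first-seen order."""
    leaked = []
    for text in IPV4_RE.findall(body):
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if addr.is_multicast or any(addr in net for net in HARMLESS_NETS):
            continue
        if text not in leaked:
            leaked.append(text)
    return leaked


def commit_to_ip(ip, salt=None):
    """Salted SHA-512 commitment (HMAC with a random key) to an address.

    Unlike a plain hash of the IP, the digest cannot be brute-forced over the
    2^32 IPv4 space without the salt; the salt is handed over at reveal time.
    """
    if salt is None:
        salt = secrets.token_bytes(32)
    digest = hmac.new(salt, ip.encode(), hashlib.sha512).hexdigest()
    return salt, digest


def verify_commitment(ip, salt, digest):
    """Check a revealed address against an earlier commitment (constant-time)."""
    return hmac.compare_digest(commit_to_ip(ip, salt)[1], digest)


if __name__ == "__main__":
    print("possible leaks:", find_leaked_ips(SAMPLE_STATUS_PAGE))
    salt, digest = commit_to_ip("203.0.113.7")
    print("commitment verifies:", verify_commitment("203.0.113.7", salt, digest))
```

Run find_leaked_ips over every response your own hidden service produces, including error pages and any status or info endpoints, before the service goes live and after each configuration change; the only acceptable result is an empty list. The commitment half is what a reporter should post publicly if they want to prove later that they knew the address without disclosing it in the meantime.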