JavaScript Exploit Via Agora Market’s Private Message



A number of users of Agora Market, the online black market, have reported receiving a message through its private messaging system on June 11. They said the message contained a malicious JavaScript exploit that tried to drain Bitcoins from their wallets.

According to the users, clicking the link in the message ran malicious JavaScript that used cross-site request forgery (CSRF) against Agora Market to steal the funds kept in the user's Agora wallet. They also said it tried to change the account's PGP key and reset the PIN code.

The exploit works only when the user has an active session with Agora Market, has JavaScript enabled, and is careless enough to click an unknown link under those conditions. Users, especially vendors, should avoid doing any of these things.

On June 13, the site's admin issued an update saying they had received reports from users about private messages containing a link to an exploit that tried to hijack their accounts. The market also said it was working on a solution, and asked users to turn off JavaScript while accessing the site.

Agora Market issued another update on June 15, saying it is now safe to keep JavaScript enabled in the Tor Browser when accessing their site. Their general recommendation, however, is that users turn off JavaScript whenever they do anything sensitive on the Internet. Agora also said its website does not use JavaScript for anything.

Although the latest update from Agora Market does not make clear whether the CSRF problem has been fully resolved, users are better off disabling JavaScript when browsing the Agora website, or any other site, over Tor.
