Kingdom Market, a new marketplace with very few users, provided the community with a perfect example of a dangerously misconfigured onion service as well as yet another reason to be skeptical about new markets. Short version: their IP leaked. Dread users noticed.
The market is insignificant as far as markets go. Very few people knew about it until now. Those who knew about the market before this incident likely watched the market’s spectacularly bad announcement unfold on Dread. Markets like Kingdom Market come and go constantly and nobody really cares. One of the differences in this case is the way the market permanently marred its reputation.
“It’s my opinion all publicity is good publicity, however Shodan is not what I had in mind.” - /u/mr_white
Yesterday, /u/bugkiller posted a thread titled “Kingdom Market IP.” After verifying that the IP address in the post actually belonged to Kingdom Market, HugBunter posted a warning about the market.
Found by /u/bugkiller via Shodan.
IP is accessible over clearnet and I’ve verified as much as possible to rule out it being a phishing proxy.
Get your coin out now if you, for some strange reason shopped/vended there.
Edit: It is now leaking tonnes due to coinmarketcap seemingly blocking their crypto rate requests, they have errors enabled, oh lord!
file_get_contents(https://api.coinmarketcap.com/v1/ticker/bitcoin/): failed to open stream: HTTP request failed! HTTP/1.1 429 Too Many Requests (View: /var/www/html/resources/views/master/navbar.blade.php) (View: /var/www/html/resources/views/master/navbar.blade.php) (View: /var/www/html/resources/views/master/navbar.blade.php)
Also, this explains why it was so slow to load each page, he’s running rate update via file_get_contents on every page load.
It is incredibly likely that the Kingdom Market administrators followed a basic “how-to” guide when configuring their marketplace. One of the guides provided by Eckmar directs users to use a default nginx configuration.
From one of the pages in the installation guide:
listen 80 default_server;
listen [::]:80 default_server;
server_name IP OR DOMAIN HERE;
index index.php index.html index.htm;
A configuration such as the one above is exactly what produced Kingdom Market’s current situation. If a server answers HTTP on a public interface, someone will eventually find the server’s IP address. Services like Shodan simplify the task significantly. At a minimum, nginx’s listen directive should be bound to localhost or a unix socket so that only the local Tor daemon can reach the web server. The “IP OR DOMAIN HERE” line reads like a joke. Securing a marketplace is a complex task that is far outside of the scope of this post. But in short, this should never have happened.
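For comparison, here is an added example of the two server blocks side by side. It is not taken from the Eckmar guide or from Kingdom Market: the first block reproduces the guide’s pattern, the second binds only where the local Tor daemon can reach it. The document root, the socket path, the onion hostname and the backend port are assumed placeholders.

```nginx
# WEAK: the guide's pattern. default_server on 0.0.0.0 and [::] answers
# any client that reaches the host's public IP, whether it came via Tor or not.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /var/www/html/public;            # assumed path
    index index.php index.html index.htm;
}

# HARDENED: no listener on a routable address, so an internet-wide scan
# of the host sees no HTTP service at all. Only Tor, on the same box,
# forwards onion connections to this backend.
server {
    listen 127.0.0.1:8080;                # loopback only (assumed port)
    # listen unix:/var/run/nginx/onion.sock;   # alternative: a unix socket
    server_name yourv3address.onion;      # placeholder for the real hostname
    root /var/www/html/public;            # assumed path
    index index.php index.html index.htm;

    server_tokens off;                    # do not advertise the nginx version

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed php-fpm socket
    }
}
```

The matching torrc lines are `HiddenServiceDir /var/lib/tor/market/` and `HiddenServicePort 80 127.0.0.1:8080` (tor also accepts `unix:/var/run/nginx/onion.sock` as the target). After reloading, `ss -tlnp` should show nginx bound to 127.0.0.1 only; any line showing `0.0.0.0:80` or `[::]:80` means the old block is still active.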
And, as HugBunter pointed out, the market is running file_get_contents on every page load to get current Bitcoin rates. It appears as if Kingdom Market was fetching updated prices directly from the server hosting the marketplace and not doing so via Tor; the number of users loading pages exceeded coinmarketcap’s rate limit. As a result, coinmarketcap blocked requests from Kingdom Market, and because error display was left enabled, the resulting PHP warnings (complete with server file paths) were printed on every page.
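The fix has three parts: fetch the rate once per interval rather than per page view, route the outbound request through Tor so the clearnet IP never contacts the API, and fail quietly on a 429 instead of echoing a stack trace. The following is an added example and not Kingdom Market’s code. It assumes a Tor SocksPort on 127.0.0.1:9050, a writable cache path, and the `price_usd` field of the (now retired) v1 ticker endpoint quoted in HugBunter’s post.

```php
<?php
// Added example: cached, Tor-routed BTC rate lookup that degrades gracefully.
// Assumptions: Tor SOCKS proxy on 127.0.0.1:9050, cache file path, v1 field name.

const RATE_URL   = 'https://api.coinmarketcap.com/v1/ticker/bitcoin/';
const CACHE_FILE = '/var/cache/market/btc_rate.json';   // assumed path
const CACHE_TTL  = 300;                                  // seconds between API calls
const TOR_SOCKS  = '127.0.0.1:9050';                     // assumed Tor SocksPort

// Perform one HTTP GET through Tor. Returns the body, or null on any failure.
function fetch_via_tor(string $url, int $timeout = 15): ?string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROXY          => TOR_SOCKS,
        // SOCKS5_HOSTNAME lets Tor resolve the name, so no DNS leak either.
        CURLOPT_PROXYTYPE      => CURLPROXY_SOCKS5_HOSTNAME,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_FOLLOWLOCATION => false,
    ]);
    $body = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    // A 429 Too Many Requests lands here; the caller falls back to the cache.
    return ($body === false || $code !== 200) ? null : $body;
}

// Return the cached rate while fresh; otherwise refresh once and re-cache.
function btc_rate_usd(): ?float {
    $cached = null;
    if (is_file(CACHE_FILE)) {
        $cached = json_decode((string) file_get_contents(CACHE_FILE), true);
        if (is_array($cached) && isset($cached['ts'], $cached['usd'])
            && time() - (int) $cached['ts'] < CACHE_TTL) {
            return (float) $cached['usd'];      // no network call on this page load
        }
    }
    $usd  = null;
    $body = fetch_via_tor(RATE_URL);
    if ($body !== null) {
        $data = json_decode($body, true);
        if (isset($data[0]['price_usd'])) {     // assumed v1 ticker field name
            $usd = (float) $data[0]['price_usd'];
        }
    }
    if ($usd !== null) {
        file_put_contents(CACHE_FILE, json_encode(['ts' => time(), 'usd' => $usd]), LOCK_EX);
        return $usd;
    }
    // Refresh failed: serve the stale value (or nothing) rather than an error page.
    return (is_array($cached) && isset($cached['usd'])) ? (float) $cached['usd'] : null;
}
```

Independently of the fetch logic, the stack trace itself should never have reached a browser: in a Laravel deployment that means `APP_DEBUG=false` in `.env`, and at the PHP level `display_errors = Off` with errors written to a log instead.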
Also, Kingdom Market seemingly ignores EXIF data in pictures uploaded by vendors. The existence of identifying EXIF data in vendors’ pictures is not the market’s fault; vendors are responsible for removing their own EXIF data. But modern markets are expected to sanitize pictures and other content uploaded by users. EXIF data removal is an absolute requirement for any marketplace. I downloaded as many listing pictures as possible to examine before Kingdom Market dropped offline. The amount of data is concerning.
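Stripping metadata on upload does not require an EXIF parser: decoding the image and writing a fresh file with GD discards the EXIF segment (camera make and model, GPS, timestamps) along with any other embedded metadata. The following is an added example, not Kingdom Market’s code. It assumes PHP’s GD extension is enabled, and the exif extension for the post-check; the file paths are placeholders.

```php
<?php
// Added example: sanitize an uploaded image by re-encoding it with GD.
// Assumptions: gd enabled (exif optional, only for the verification helper).

// Decode $src and write a metadata-free copy to $dst. Returns false for
// anything that is not a JPEG or PNG, so unexpected formats are rejected.
function strip_image_metadata(string $src, string $dst): bool {
    $info = @getimagesize($src);
    if ($info === false) {
        return false;                       // not an image GD recognises
    }
    $img = false;
    $ok  = false;
    switch ($info[2]) {
        case IMAGETYPE_JPEG:
            $img = @imagecreatefromjpeg($src);
            // imagejpeg writes a new JFIF stream; the APP1/EXIF segment is not copied.
            // Re-encoding is lossy, so use a high quality setting.
            $ok = $img && imagejpeg($img, $dst, 90);
            break;
        case IMAGETYPE_PNG:
            $img = @imagecreatefrompng($src);
            if ($img) {
                imagealphablending($img, false);   // keep transparency intact
                imagesavealpha($img, true);
            }
            // GD does not carry tEXt/iTXt/zTXt chunks across decode and encode.
            $ok = $img && imagepng($img, $dst);
            break;
        default:
            return false;                   // GIF, WebP, etc.: add a case deliberately
    }
    if ($img) {
        imagedestroy($img);
    }
    return (bool) $ok;
}

// Verification helper: true if identifying EXIF fields survive in $path.
function has_identifying_exif(string $path): bool {
    if (!function_exists('exif_read_data')) {
        return false;                       // exif extension not loaded
    }
    $exif = @exif_read_data($path);
    return is_array($exif)
        && (isset($exif['Make']) || isset($exif['Model']) || isset($exif['GPSLatitude']));
}

// Upload handler sketch (paths assumed): sanitize into the public directory,
// never store the original, and fail closed if sanitizing did not work.
function handle_listing_upload(string $tmpPath, string $publicPath): bool {
    if (!strip_image_metadata($tmpPath, $publicPath)) {
        @unlink($publicPath);
        return false;
    }
    return !has_identifying_exif($publicPath);
}
```

The two phone models named below are exactly the `Make`/`Model` pair that `has_identifying_exif` looks for; running it over a vendor’s uploads before and after sanitizing is a quick way to confirm the pipeline actually works.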
According to the EXIF data, this vendor took pictures of their products with a Samsung Note 8:
And this vendor used a Samsung Galaxy S10:
Ugu, the creator of Kilos, warned about the market two weeks ago:
The admins of Kingdom Market emailed me about getting added to Kilos and the email came from an @gmail.com address. In the quoted text from our responses back and forth, it became clear that their computer was set up in French. These two points of information leakage are significant and became obvious within minutes of talking to them. I wish the staff at Kingdom Market the best of luck, and I do not want to damage their business, but I feel obligated to warn people about these safety concerns I have. Personally, I would stay away.
I can confirm their use of a GMail address as they used one in an email to Darknetlive as well.
Oh, Kingdom Market did respond to the post about the IP address leak.
I am here, I left with no money yet in escrow I have more than 28,000 dollars my users are safe,
bug …… and a liar he says take my database except that it is not possible he speaks to noob, certainly I screw up in the configuration of my DNS but it is under repair no user and no seller has his security of compromise.
after with your forum “Kilos” frankly it and more crappy than crappy ^^
why don’t you make a market you talk a lot, people like you are brainless disabled
A noob lol
know one thing we will never pay we and not it is bitch who pays us we pay nothing on the contrary we are paid but good little spotty long hide the back hide are hiding lol