You are here: Home | Forum | Leaky captcha deanonymised Silk Road
You are currently viewing our boards as a guest which gives you limited access to view most of the discussions, articles and other free features. By joining our Virgin Media community you will have full access to all discussions, be able to view and post threads, communicate privately with other members (PM), respond to polls, upload your own images/photos, and access many other special features. Registration is fast, simple and absolutely free so please join our community today.
Real IP of the server was leaked/transmitted in the http headers returned to a user when an incorrect captcha was entered on the login page.
Quote:
Ever since October 2013, when the FBI took down the online black market and drug bazaar known as the Silk Road, privacy activists and security experts have traded conspiracy theories about how the U.S. government managed to discover the geographic location of the Silk Road Web servers. Those systems were supposed to be obscured behind the anonymity service Tor, but as court documents released Friday explain, that wasn’t entirely true: Turns out, the login page for the Silk Road employed an anti-abuse CAPTCHA service that pulled content from the open Internet, thus leaking the site’s true location.
There are a few who were doing a lot of penetration testing of Silk Road who reckon it wasn't leaking ip's in headers like the FBI are saying. While http headers as well as the data in http replies in various configurations can leak that kind of data, there is enough reputable peeps saying it wasn't the case here.
Be it a 0-day exploit or info gained from other security researchers, it's looking like the FBI's explanation as to how they found Silk road is a bit fishy.
Join CF
You are here: 
