/d/WhiteHouseMarket

Concerns about the manager API

by /u/WhmManagerApiQ · 0 votes · 13th January, 2021 15:06

I am a vendor and using the site with the amount of orders I have is getting unmanageable.

I have a fair amount of concern with the Manager API. I use Qubes + Whonix so I'm not sure how bad it can affect me, but there would be absolutely no chance I would use the API if I used anything else.

Can Mr White or someone explain how the source code is vetted by another party, and how it is in no way a vector for an attack should WHM get seized?


1. Can the Manager API reveal true IP, or use some sort of exploit RETROACTIVELY - for example if the version of that API is vetted by someone respected, if LE were to take over could they then inject malicious code to the Manager API, despite the program/script itself being OK?

2. Would /u/hugbunt3r or /u/paris or some other security guy vet this API for peace of mind of vendors? I guess WHM could pay for this service.

3. What other concerns should I have regarding the API?


I would really like to use the API. But I don't trust having executables on my machine from a market. Look at the Hansa market takeover, for example.


Thanks

Comments (3)
/u/WhmManagerApiQ · 13th January, 2021 - 15:06

/u/hugbunt3r /u/paris /u/mr_white

/u/trumpsta420 · 13th January, 2021 - 15:08

/u/HugBunter is the correct account, not /u/HugBunt3r

/u/[deleted] · 13th January, 2021 - 15:25

Most of it is already explained on the API page. Given the open nature of the script, vendors can and should verify everything themselves or pay a trusted 3rd party to do it for them. If you run it in Qubes/Whonix, not even a compromised version can leak your IP.

1 - You can't "inject code" into the app, but you can be tricked into running a compromised one, which brings us back to verification.

2 - No idea, you would have to ask them. The Clownsec team reviewed and even rewrote lots of it.

3 - We rarely update it, and when we do, vendors must also verify the updated version. Technically it's not an executable but interpreted code.

/u/WhmManagerApiQ · 13th January, 2021 - 16:47

Thanks for your reply. Could you link to the clownsec review?

/u/[deleted] · 13th January, 2021 - 17:19

There was a post when they also pen-tested the market, but I can't seem to find it right now. Clownsec left Dread a while ago and deleted their accounts.

/u/Paris · 13th January, 2021 - 15:28

I did see the early- and later-stage source of it. It's all open, written in Python. It's basically a GUI wrapper for an API. Nothing too crazy, still cool though. When I looked at it (note this was months ago) I didn't see anything which would bring me concern. In my view, if you are a vendor, it would save tons of time decrypting messages while keeping hold of all your privacy and security.

/u/WhmManagerApiQ · 13th January, 2021 - 16:48

Would you be interested in a review of it for payment? I think the latest release was in December or so.