| Market Name | DHL - Dark Heroes League |
| Date | 3rd August 2017 |
| By | t0mcheck and others |
| URL | http://darkheroesq46awl.onion |
| Access Level | regular buyer account |
| Disclosure | Support doesn't acknowledge bugs - FULL DISCLOSURE |
DHL - Darknet Heroes League is a darknet market. For part 1 see here
On the message reply page there is a hidden field in the form called msg_id which is a unique and sequential message identifier. When replying to a message it will use this message ID to identify which message you are replying to.
If you change it to any other message id, you will be able to reply to that message (another users message) and you will then be given access to that message in your list of messages.
We setup a script to start at the highest message count and then request the last 50 message ID's - we were given access to all 50 message threads in our inbox.
POST /account/message HTTP/1.1
Host: darkheroesq46awl.onion
Content-Length: 102
Content-Type: application/x-www-form-urlencoded
msg_id=244359&recipient=tomcheck&reply=hi+there&disable_encryption=disable_encryption&submit=Add+ReplyYou can then request the page at http://darkheroesq46awl.onion/account/message_view?msg_id=244359 to view the message
You can also overwrite the last message by setting the ID directly to a reply
For an indication of the number of messages that aren't encrypted - note the following message from a vendor:
None of those encypted messages are important besides the very first one, don't waste your time encrypting them.
