Private messages accessible by staff on steroid websites – OLM, Steroid.com, ProfessionalMuscle.com, et al.
Jun 16, 2011
For the past few years, through several blogs, and in many different formats, I’ve told my readers that the owners and administrators of online message boards can read private messages. I’ve been saying this since… well, forever. Now, it appears that a group of hacktivists within the steroid community have taken it upon themselves to prove this point. The websites where Administrators and owners have the ability to read the members’ private messages are: Steroid.com (*Admin*), ProfessionalMuscle.com, Anasci.com (owned by the same crew as ProfessionalMuscle.com), OutlawMuscle.com, MuscleDiscussion.com, United-Muscle.com, TheSourceCheck.com, and IronLifter.com.
In the past I’ve pointed this issue out as primarily a moral issue; you don’t want your private communications with another member to be accessible to anyone but that member, right? But now I’ve got different concerns, primarily because I’d estimate that a minimum of 1-2 staff members on any given message board are active members of law enforcement – and I’m not talking about cops who hit the juice, I’m talking about federal agents whose sole purpose on these message boards is to identify and arrest online steroid sources.
Apparently the latest version of the vB hack that allows the staff to read private messages also allows the staff to effectively log in as that user, make posts, and use all of the functions that the user would be entitled to. So, what these guys did was to break into a bunch of websites, and alert the members to the security breach while they gathered evidence of the staff’s ability to read messages – here you can see the hackers logged in as homerkahn:
So as you can see, a hack was accomplished, and the hacker logged in as another member (a forum sponsor, in fact). And here’s a screengrab of the AdminCP, which clearly shows the “log in as user” function, followed by the screen that describes the function:
Could these screenshots have been photoshopped? Sure, but I would say that the probability of that is absolutely zero. It’s rare that someone who uses the airbrush function to write “Motherf*cker” on a .JPG in Windows Paint is also a master photoshopper. Besides, I know for a fact that Steroid.com can read private messages, and I know for a fact that the scumbags who run half of these sites aren’t concerned with your safety as much as they’re concerned with their bank accounts.
The issue here isn’t that the staff on these sites are reading private messages, the issue is that they have set the forum up in advance with this capability, even with the security problems that are globally inherent with message boards that discuss anything illegal and furthermore the problems that are specific to the underground steroid community. I’ve been contacted by one of the owners/admins from one of the sites (the one with the screengrabs), and he denies reading any messages. On the other hand, the evidence I’ve been presented seems to point to the fact that mods and admins on all of these message boards are regularly checking out the not-so-private messages of their membership.
Like I said – the problem isn’t whether or not it’s being done, the problem is that it’s possible, and furthermore, I know for a fact that these sites all have federal agents on them. So this is a huge breach of the community’s trust and in my estimation, warrants an immediate boycott of these sites and blacklisting of their staff members.
Again, the websites where Administrators and owners have the ability to read the members’ private messages are: Steroid.com (*Admin*), ProfessionalMuscle.com, Anasci.com (owned by the same crew as ProfessionalMuscle.com), OutlawMuscle.com, MuscleDiscussion.com, United-Muscle.com, TheSourceCheck.com, Chemicalmass and IronLifter.com.