Framejacking Bug Could Have Replaced Augur With a Doppelganger

Until just a few days ago, the interface of the betting market Augur was compromised in a way that could have allowed attackers to replace every bit of information on the platform—and users would not have been able to tell the difference.

Last week, Viacheslav “droblin” Sniezhkov, a security researcher and bug hunter, discovered the problem and reported it on Augur’s HackerOne forum. His report showed that Augur was vulnerable to a type of attack known as framejacking.

Sometimes framejacking is merely annoying and is used to direct users to ads, but in this case, it could have been much more dangerous. Sniezhkov described a possible attack:

“[When the] user visits a link…his Augur application data is replaced by an attacker – market data, Ethereum addresses, everything.”

Part of the problem is that the interfaces of Augur and many other web apps are ordinary, if sophisticated, web pages, and web content can be loaded within, or ‘framed’ by, a third-party page that then manipulates what the user sees. For that reason, many web apps refuse to be framed at all.

“Gmail doesn’t allow this,” Sniezhkov notes.

The possibility of framejacking meant that Augur market data could have been fabricated and injected, and that attackers could have replaced wallet addresses with their own. Augur’s developers said they would fix the framejacking issue with a tool called Frameguard, and the bug was quickly patched.
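The fix described above comes down to response headers that tell browsers not to render the page inside a third-party frame. The following is an added example, not Augur’s code or the Frameguard library itself: a minimal Frameguard-style middleware that sets those headers, plus a checker a defender can run against any captured response headers to confirm framing is blocked.

```javascript
// Added example (not Augur's own code): the response headers a Frameguard-style
// middleware should set, plus a checker for any response's headers.

// Both headers forbid third-party pages from loading this app inside a frame.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Express/Connect-style middleware: set the headers, then continue the chain.
function frameguard(req, res, next) {
  for (const [name, value] of Object.entries(antiFramingHeaders())) {
    res.setHeader(name, value);
  }
  if (next) next();
}

// Returns true if the headers block framing, either via X-Frame-Options or via
// a CSP frame-ancestors directive that does not admit arbitrary origins.
function isFramingProtected(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return true;
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
  if (!directive) return false;
  const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
  const wideOpen = ['*', 'http:', 'https:']; // these allow any page to frame us
  return sources.length > 0 && !sources.some((s) => wideOpen.includes(s));
}

// Demonstration without opening a socket: a stub response object (constructed
// here, not a real server) records whatever headers the middleware sets.
function headersAfterMiddleware() {
  const res = { headers: {}, setHeader(n, v) { this.headers[n] = v; } };
  frameguard({}, res, () => {});
  return res.headers;
}
```

In a real Express app the middleware is registered with `app.use(frameguard)` before any route handlers, and `isFramingProtected` can be pointed at the headers of a live response to verify the deployment.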

However, there is a secondary issue that was partially responsible for the bug: locally stored settings. Although Augur has a decentralized back-end, the user interface and settings are stored locally. Attackers could have changed user settings, quietly connecting them to a different server that fed them manipulated data—and framejacking is just one way of doing that.

“If using local storage is inevitable, I would suggest performing additional check and ask[ing]… does the user really [want] to change [the] settings – in case config variables in local storage are going to be overwritten,” says Sniezhkov.

The problem with locally stored settings is described by Augur as a “known issue”. Although Augur has not announced any definite plans to fix the issue, the platform is mitigating the problem by allowing users to clear their configuration settings.

Since Augur is still in its testnet phase, some growing pains are to be expected. The developers are actively seeking bug reports, and the platform’s Bug Bounty program offers rewards. This discovery paid out at least $4000.
