Framejacking Bug Could Have Replaced Augur With a Doppelganger


Until just a few days ago, the interface of the betting market Augur was compromised in a way that could have allowed attackers to replace every bit of information on the platform—and users would not have been able to tell the difference.

Last week, Viacheslav “droblin” Sniezhkov, a security researcher and bug hunter, discovered the problem and reported it on Augur’s HackerOne forum. His report showed that Augur was vulnerable to a type of attack known as framejacking.

Sometimes framejacking is merely annoying and is used to direct users to ads, but in this case, it could have been much more dangerous. Sniezhkov described a possible attack:

“[When the] user visits a link…his Augur application data is replaced by an attacker – market data, Ethereum addresses, everything.”

One aspect of the problem is the fact that the interfaces of Augur and many other web apps are sophisticated web pages—and web content can be loaded within, or ‘framed’ by, third-party web pages that manipulate its content. Many web apps disable framing for exactly this reason.

“Gmail doesn’t allow this,” Sniezhkov notes.

The possibility of framejacking meant that Augur market data could have been fabricated and injected, and that attackers could have replaced wallet addresses with their own. Augur developers indicated that a tool called Frameguard would be used to fix the framejacking issue, and the bug was quickly fixed.
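As an added illustration (not Augur’s code and not Helmet’s Frameguard implementation), the following Express-style middleware sets the two response headers that stop third-party pages from framing an app, alongside an audit function a defender can run over captured response headers. The `fakeResponse` helper is assumed here only so the block runs without Express.

```javascript
// Added example: anti-framing headers as middleware, plus a header audit.
const FRAME_ACTIONS = {
  deny: { xfo: 'DENY', csp: "frame-ancestors 'none'" },
  sameorigin: { xfo: 'SAMEORIGIN', csp: "frame-ancestors 'self'" },
};

// Returns (req, res, next) middleware. `action` is 'deny' or 'sameorigin'.
function frameguard(action = 'deny') {
  const policy = FRAME_ACTIONS[action];
  if (!policy) throw new Error(`unknown frameguard action: ${action}`);
  return function (req, res, next) {
    // X-Frame-Options is the legacy header; CSP frame-ancestors is the
    // modern equivalent and takes precedence where a browser supports both.
    res.setHeader('X-Frame-Options', policy.xfo);
    res.setHeader('Content-Security-Policy', policy.csp);
    if (next) next();
  };
}

// Audit: given a response's headers (lower-cased names), decide whether a
// third-party page could frame it. Returns { framable, reason }.
function auditFraming(headers) {
  const csp = headers['content-security-policy'] || '';
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (m) {
    const sources = m[1].trim().toLowerCase();
    if (sources === "'none'") return { framable: false, reason: "CSP frame-ancestors 'none'" };
    if (sources === "'self'") return { framable: false, reason: "CSP frame-ancestors 'self'" };
    return { framable: true, reason: `CSP allows framing by ${sources}` };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framable: false, reason: `X-Frame-Options ${xfo}` };
  }
  return { framable: true, reason: 'no anti-framing header' };
}

// Minimal stand-in for an Express response (assumed helper, not Express itself).
function fakeResponse() {
  const headers = {};
  return { headers, setHeader: (k, v) => { headers[k.toLowerCase()] = v; } };
}

// Usage: an unprotected response is framable; after the middleware it is not.
const res = fakeResponse();
console.log(auditFraming(res.headers)); // { framable: true, reason: 'no anti-framing header' }
frameguard('deny')({}, res, () => {});
console.log(auditFraming(res.headers)); // { framable: false, reason: "CSP frame-ancestors 'none'" }
```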

However, there is a secondary issue that was partially responsible for the bug: locally stored settings. Although Augur has a decentralized back-end, the user interface and settings are stored locally. Attackers could have changed user settings, quietly connecting them to a different server that fed them manipulated data—and framejacking is just one way of doing that.

“If using local storage is inevitable, I would suggest performing additional check and ask[ing]… does the user really [want] to change [the] settings – in case config variables in local storage are going to be overwritten,” says Sniezhkov.

The problem with locally stored settings is described by Augur as a “known issue”. Although Augur has not announced any definite plans to fix the issue, the platform is mitigating the problem by allowing users to clear their configuration settings.

Since Augur is still in its testnet phase, some amount of growing pains is to be expected. The developers are actively seeking bug reports, and the platform’s Bug Bounty program offers rewards. This discovery paid out at least $4000.
