Framejacking Bug Could Have Replaced Augur With a Doppleganger
Until just a few days ago, the interface of the betting market Augur was compromised in a way that could have allowed attackers to replace every bit of information on the platform—and users would not have been able to tell the difference.
Last week, Viacheslav “droblin” Sniezhkov, a security researcher and bug hunter, discovered the problem and reported it on Augur’s HackerOne forum, His report showed that Augur was vulnerable to a type of attack known as framejacking.
Sometimes framejacking is merely annoying and is used to direct users to ads, but in this case, it could have been much more dangerous. Sniezhkov described a possible attack:
“[When the] user visits a link…his Augur application data is replaced by an attacker – market data, Ethereum addresses, everything.”
One aspect of the problem is the fact that the interfaces of Augur and many other web apps are sophisticated web pages—and web content can be loaded within, or ‘framed’, by third-party web pages that manipulate their content. Frames are often disabled by web apps.
“Gmail doesn’t allow this,” Sniezhkov notes.
The possibility of framejacking meant that Augur market data could have been fabricated and injected, and that attackers could have replaced wallet addresses with their own. Augur developers indicated that a tool called Frameguard would be used to fix the framejacking issue, and the bug was quickly fixed.
However, there is a secondary issue that was partially responsible for the bug: locally stored settings. Although Augur has a decentralized back-end, the user interface and settings are stored locally. Attackers could have changed user settings, quietly connecting them to a different server that fed them manipulated data—and framejacking is just one way of doing that.
“If using local storage is inevitable, I would suggest performing additional check and ask[ing]… does the user really [want] to change [the] settings – in case config variables in local storage are going to be overwritten,” says Sniezhkov.
The problem with locally stored settings is described by Augur as a “known issue”. Although Augur has not announced any definite plans to fix the issue, the platform is mitigating the problem by allowing users to clear their configuration settings.
Since Augur is still in its testnet phase, some amount of growing pains is to be expected. The developers are actively seeking bug reports, and the platform’s Bug Bounty program offers rewards. This discovery paid out at least $4000.
More Crypto News
Tether (USDT), the world’s most popular stablecoin, is designed to give users the stability of…
Stellar and its XLM token were first launched in 2014 by Ripple co-founder Jed McCaleb.…
Bitcoin Cash (BCH), the controversial project forked from the original Bitcoin client, is now the…