Framejacking Bug Could Have Replaced Augur With a Doppelganger


Until just a few days ago, the interface of the betting market Augur was compromised in a way that could have allowed attackers to replace every bit of information on the platform—and users would not have been able to tell the difference.

Last week, Viacheslav “droblin” Sniezhkov, a security researcher and bug hunter, discovered the problem and reported it through Augur’s HackerOne program. His report showed that Augur was vulnerable to a type of attack known as framejacking.

Sometimes framejacking is merely annoying and is used to direct users to ads, but in this case, it could have been much more dangerous. Sniezhkov described a possible attack:

“[When the] user visits a link…his Augur application data is replaced by an attacker – market data, Ethereum addresses, everything.”

One aspect of the problem is that the interfaces of Augur and many other web apps are ordinary web pages, and a web page can be loaded inside, or ‘framed’ by, a third-party page that controls what the user sees around and on top of it. For this reason many web apps refuse to be framed at all, typically by sending the X-Frame-Options response header or a Content-Security-Policy frame-ancestors directive.

“Gmail doesn’t allow this,” Sniezhkov notes.

The possibility of framejacking meant that Augur market data could have been fabricated and injected, and that attackers could have replaced wallet addresses with their own. Augur developers indicated that Frameguard, a Node.js middleware (part of the Helmet package) that sets the X-Frame-Options response header, would be used to fix the framejacking issue, and the bug was quickly fixed.
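As an added illustration (example code, not Augur’s or Helmet’s own), the block below shows the two response headers a Frameguard-style fix relies on, and a simplified model of how a browser evaluates them when a third-party page tries to frame the app. The origins used in the demo are constructed, and the browser model keeps only the two core rules (frame-ancestors takes precedence; X-Frame-Options is the fallback), not every detail of the real algorithm.

```javascript
'use strict';
// Added example, not Augur's code: emit the anti-framing headers that
// Frameguard-style middleware sets, and model how a browser applies them.
// The origins used below are constructed for the demo.

// Response headers that stop third-party pages from framing the app.
// X-Frame-Options is the legacy control (what Frameguard sets); the
// Content-Security-Policy frame-ancestors directive supersedes it in
// browsers that understand CSP, so sending both covers old and new clients.
function antiFramingHeaders(policy) {
  switch (policy) {
    case 'deny':
      return {
        'X-Frame-Options': 'DENY',
        'Content-Security-Policy': "frame-ancestors 'none'",
      };
    case 'sameorigin':
      return {
        'X-Frame-Options': 'SAMEORIGIN',
        'Content-Security-Policy': "frame-ancestors 'self'",
      };
    default:
      throw new Error(`unknown framing policy: ${policy}`);
  }
}

// Attach the headers to a Node http.ServerResponse. Express-style usage:
//   app.use((req, res, next) => { setAntiFraming(res, 'deny'); next(); });
function setAntiFraming(res, policy) {
  for (const [name, value] of Object.entries(antiFramingHeaders(policy))) {
    res.setHeader(name, value);
  }
  return res;
}

// Simplified model of the browser's check: may a document from pageOrigin,
// served with `headers`, be embedded by a parent page at parentOrigin?
// Real browsers check every ancestor frame and ignore X-Frame-Options when
// frame-ancestors is present; this model keeps just those two rules.
function framingAllowed(headers, pageOrigin, parentOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const match = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (match) {
    const sources = match[1].trim().split(/\s+/);
    return sources.some((src) => {
      if (src === "'none'") return false;
      if (src === "'self'") return parentOrigin === pageOrigin;
      if (src === '*') return true;
      return src === parentOrigin; // exact origin listed in the directive
    });
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parentOrigin === pageOrigin;
  return true; // no framing header at all: any site may frame the page
}

// Demo with constructed origins: an unprotected app vs. one sending
// Frameguard-style headers.
const demoApp = 'https://app.example';
const demoAttacker = 'https://attacker.example';
console.log('no headers ->', framingAllowed({}, demoApp, demoAttacker)); // true
console.log('deny       ->', framingAllowed(antiFramingHeaders('deny'), demoApp, demoAttacker)); // false
```

The point of sending both headers is that X-Frame-Options alone cannot express an allow-list of specific partner origins, while frame-ancestors alone is ignored by very old browsers; a page that needs to be framed by exactly one trusted origin uses `frame-ancestors https://trusted.example` and falls back to SAMEORIGIN or DENY for clients that do not understand CSP.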

However, a secondary issue was partly responsible for the bug: locally stored settings. Although Augur has a decentralized back-end, the user interface and its settings live in the user’s browser. An attacker who could change those settings could quietly point the client at a different server that fed it manipulated data, and framejacking was just one way of doing that.

“If using local storage is inevitable, I would suggest performing additional check and ask[ing]… does the user really [want] to change [the] settings – in case config variables in local storage are going to be overwritten,” says Sniezhkov.
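The following is an added example of the check Sniezhkov suggests, not Augur’s code: settings kept in a localStorage-style store are validated, changes to sensitive values (here the assumed names `nodeUrl` and `fundingAddress`) require an explicit user confirmation, and no change is accepted at all while the app is running inside a frame. The storage key, setting names and the in-memory store are assumptions for the demo.

```javascript
'use strict';
// Added example, not Augur's code: guard settings kept in localStorage so
// that a page which frames or deep-links into the app cannot swap the
// backend URL or addresses without the user noticing. The setting names
// (nodeUrl, fundingAddress, theme) and the storage key are assumptions.

const STORAGE_KEY = 'app.settings';
// Settings whose silent change lets an attacker redirect data or funds.
const SENSITIVE_KEYS = new Set(['nodeUrl', 'fundingAddress']);

// Minimal Storage-like object standing in for window.localStorage.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Load settings; corrupt or missing data falls back to defaults instead
// of being trusted.
function loadSettings(storage, defaults) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw == null) return { ...defaults };
  try {
    const parsed = JSON.parse(raw);
    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
      throw new Error('settings must be an object');
    }
    return { ...defaults, ...parsed };
  } catch (e) {
    return { ...defaults };
  }
}

// Reject syntactically wrong values before anyone is asked to confirm them.
function validateSettings(proposed) {
  const errors = [];
  if ('nodeUrl' in proposed) {
    let url = null;
    try { url = new URL(proposed.nodeUrl); } catch (e) { errors.push('nodeUrl is not a valid URL'); }
    if (url && url.protocol !== 'https:' && url.protocol !== 'wss:') {
      errors.push('nodeUrl must use https: or wss:');
    }
  }
  if ('fundingAddress' in proposed && !/^0x[0-9a-fA-F]{40}$/.test(proposed.fundingAddress)) {
    errors.push('fundingAddress is not a 20-byte hex address');
  }
  return errors;
}

// Apply a proposed change. In a browser, isFramed is (window.self !== window.top)
// and confirm is window.confirm or an in-app dialog returning true to proceed.
function applySettingsUpdate(current, proposed, { isFramed, confirm }) {
  if (isFramed) {
    return { applied: false, reason: 'refused: app is framed', settings: current };
  }
  const errors = validateSettings(proposed);
  if (errors.length > 0) {
    return { applied: false, reason: errors.join('; '), settings: current };
  }
  const sensitiveChanges = Object.keys(proposed).filter(
    (k) => SENSITIVE_KEYS.has(k) && proposed[k] !== current[k]
  );
  if (sensitiveChanges.length > 0 && !confirm(sensitiveChanges, current, proposed)) {
    return { applied: false, reason: 'user declined', settings: current };
  }
  return { applied: true, reason: null, settings: { ...current, ...proposed } };
}

// Persist only what passed the checks above.
function saveSettings(storage, settings) {
  storage.setItem(STORAGE_KEY, JSON.stringify(settings));
}

// Demo on a constructed store: a deep link tries to swap the node URL for
// an attacker's server, and the user is asked before anything is written.
const DEFAULTS = { nodeUrl: 'https://node.example:8545', fundingAddress: '0x' + '1'.repeat(40), theme: 'light' };
const demoStore = memoryStorage();
const currentSettings = loadSettings(demoStore, DEFAULTS);
const attempt = applySettingsUpdate(currentSettings, { nodeUrl: 'https://attacker.example' },
  { isFramed: false, confirm: () => false }); // user clicks "cancel"
if (attempt.applied) saveSettings(demoStore, attempt.settings);
console.log(attempt.reason); // user declined
```

Refusing changes while framed closes the framejacking path specifically; the confirmation step is the broader control Sniezhkov describes, since any other route that can write to local storage (a crafted link, a malicious extension, a second tab) is stopped by the same prompt.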

The problem with locally stored settings is described by Augur as a “known issue”. Although Augur has not announced any definite plans to fix the issue, the platform is mitigating the problem by allowing users to clear their configuration settings.

Since Augur is still in its testnet phase, some growing pains are to be expected. The developers are actively seeking bug reports, and the platform’s Bug Bounty program offers rewards. This discovery paid out at least $4000.
