
Augur Cryptocurrency Bug Made The App Vulnerable To Fake Data

by Abeerah Hashim

The crypto world keeps producing innovative apps and platforms, leveraging the growing attention the industry attracts. However, we frequently see startups and relatively new platforms struggling with security bugs, many of which end in crypto hacks, and the Augur cryptocurrency platform is no exception. Recently, a researcher discovered a vulnerability that exposed Augur users to fake data. Fortunately, Augur has patched the flaw and rewarded the researcher with a bounty.

Augur Cryptocurrency Platform Had A Security Flaw

Recently, a researcher, Viacheslav Sniezhkov, reported a vulnerability in the UI of the Augur cryptocurrency platform through HackerOne. According to his findings, the bug could let a bad actor present fake data to users: false market data, fake transactions and attacker-chosen wallet addresses.

As described in the report,

“A third-party site can include a hidden iframe which can override the “augur-node” configuration variable of a running augur application. This variable is persisted in localStorage. In the case of browser page reload (user action or browser/OS crash), the normal “augur-node” websockets endpoint will be replaced with the one provided by the attacker so that all the markets data, addresses and transactions can be masqueraded.”

In short, the vulnerability amounted to ‘framejacking’: manipulation of the page’s HTML (here, via a hidden iframe) to control what data the UI shows to users.
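The report’s core issue is that a websocket endpoint persisted in localStorage was trusted as-is after a reload. The following is an added illustration, not code from the report or from Augur, of the unchecked pattern beside a hardened variant that validates the stored value against an allowlist; the storage key “augur-node” comes from the report, while the default endpoint, the allowlist hosts and the in-memory storage stand-in are assumptions.

```javascript
// Assumed placeholder default and allowlist (not Augur's real configuration).
const DEFAULT_AUGUR_NODE = "wss://node.example/augur-node";
const TRUSTED_HOSTS = new Set(["node.example", "localhost"]);

// Minimal in-memory stand-in for window.localStorage so this runs under Node.
function makeStorage(entries = {}) {
  const m = new Map(Object.entries(entries));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Unchecked pattern described in the report: whatever sits under "augur-node"
// becomes the websocket endpoint after a reload, with no validation at all.
function resolveEndpointUnchecked(storage) {
  return storage.getItem("augur-node") || DEFAULT_AUGUR_NODE;
}

// Hardened variant: accept only a well-formed wss:// URL whose host is on the
// allowlist. A plain-text ws:// URL, an unparseable string or an unknown host
// is rejected.
function isTrustedEndpoint(value) {
  let url;
  try { url = new URL(value); } catch { return false; }
  return url.protocol === "wss:" && TRUSTED_HOSTS.has(url.hostname);
}

// Persisted values that fail validation are discarded and the default is used,
// so a tampered entry cannot survive across reloads.
function resolveEndpointChecked(storage) {
  const stored = storage.getItem("augur-node");
  if (stored !== null && isTrustedEndpoint(stored)) return stored;
  if (stored !== null) storage.removeItem("augur-node");
  return DEFAULT_AUGUR_NODE;
}

// Constructed sample: the persisted variable now points at a host outside the
// allowlist, as it would after the tampering the report describes.
const tampered = makeStorage({ "augur-node": "wss://untrusted.example/augur-node" });
console.log("unchecked:", resolveEndpointUnchecked(tampered)); // untrusted host wins
console.log("checked:", resolveEndpointChecked(tampered));     // default restored
```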

Augur Rewarded The Researcher With $5000 Bounty

Viacheslav Sniezhkov reportedly found this bug while participating in Augur’s bug bounty program. The report initially received a ‘low severity’ label, after which he voiced his concerns about what could have happened had a bad actor found the bug first.

“Well, the logical step in the case someone wanted to exploit it would be, for example, sending out phishing links to Augur users … replacing all the Ethereum addresses with his own, [leading to] fund loss.

Someone could find it and just create a post on Medium or somewhere else, describing how easy it is to hijack Augur’s UI data.”

After much discussion, the report was raised to “high” severity, with a score in the 7 – 8.9 range.

After noticing the bug, the researcher reported it to Augur, which patched the flaw the same day. The report was disclosed publicly on August 4, 2018. Augur rewarded the researcher with a $5000 bounty, notably more than is usually paid for bugs of this kind.

Since the developers have fixed the bug, all Augur users should update their Augur clients as soon as possible.

