A researcher named Viacheslav Sniezhkov reported, via HackerOne, a vulnerability in the UI of the Augur cryptocurrency platform. As per his findings, the bug allowed anyone to present fake data to users. It was reported in time, as it could potentially have crippled the betting platform and resulted in significant financial losses.
Augur vulnerability could result in “Framejacking”
The report, filed by Viacheslav under the username “droblin”, describes the vulnerability as follows: “A third-party site can include a hidden iframe which can override “augur-node” configuration variable of a running augur application. This variable is persisted in localStorage. In the case of browser page reload (user action or browser/OS crash), the normal “augur-node” websockets endpoint will be replaced with the provided by the attacker so that all the markets data, addresses, and transactions can be masqueraded.”
Summing this up, the vulnerability could result in ‘framejacking’: manipulation of HTML code to control how data appears to users. This is very different from a fake Augur application making the rounds, which is not the case whatsoever. Instead, the prediction markets’ sourcing of external data can result in fake information being shown. That data does not originate from Augur itself, although it would appear otherwise.
The vulnerability could be rather crippling for Augur. Framejacking can modify market data, Ethereum addresses, and so forth, which is a very problematic development for a platform that fully relies on accurate, up-to-date information. The issue has been reported to the developers and an updated client has been released. Users are advised to update their application accordingly.
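As an added illustration of the two defences that close this class of bug (not Augur's own code), the JavaScript below sends anti-framing headers so the app cannot be embedded in a third-party iframe, and validates the persisted “augur-node” endpoint against an allowlist before it is trusted after a reload. The hostnames, the default endpoint and the in-memory storage stand-in are constructed assumptions for the example.

```javascript
// Added example, not Augur's code. DEFAULT_AUGUR_NODE and ALLOWED_NODE_HOSTS
// are constructed placeholders; the localStorage key "augur-node" is taken
// from the researcher's report.
const DEFAULT_AUGUR_NODE = "wss://augur-node.example/ws";
const ALLOWED_NODE_HOSTS = new Set(["augur-node.example", "localhost"]);

// Headers the server should send on every HTML response so the running app
// cannot be loaded inside a third-party iframe (the "missed X-Frame-Options").
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Defence in depth on the client: detect whether the page is framed at all.
function isFramed(win) {
  return win.top !== win.self;
}

// Never trust a persisted endpoint blindly. Only a secure websocket URL to an
// allow-listed host (or plain ws:// to localhost for development) is accepted;
// anything else, including garbage or a missing value, falls back to default.
function resolveAugurNode(storedValue) {
  if (typeof storedValue !== "string") return DEFAULT_AUGUR_NODE;
  let url;
  try { url = new URL(storedValue); } catch (e) { return DEFAULT_AUGUR_NODE; }
  const localDev = url.protocol === "ws:" && url.hostname === "localhost";
  if (url.protocol !== "wss:" && !localDev) return DEFAULT_AUGUR_NODE;
  if (!ALLOWED_NODE_HOSTS.has(url.hostname)) return DEFAULT_AUGUR_NODE;
  if (url.username || url.password) return DEFAULT_AUGUR_NODE;
  return url.href;
}

// Minimal localStorage stand-in so the example runs outside a browser.
function memoryStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => store.set(k, v),
  };
}

// Load the config on startup/reload: a tampered value is replaced, not used.
function loadConfig(storage) {
  const stored = storage.getItem("augur-node");
  const node = resolveAugurNode(stored);
  if (node !== stored) storage.setItem("augur-node", node);
  return { augurNode: node };
}
```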
Augur rewards the researcher USD 5000 under its bounty program
Sniezhkov reportedly found this bug while participating in Augur’s bug bounty program. Initially, the bug received a ‘low severity’ label, after which he expressed his concerns about what could have happened if a bad actor had found the bug earlier.
After being awarded a USD 1000 bounty (for a low severity bug), the researcher commented that it wasn’t a low severity bug, as all the factors are present in this report: the vulnerability, the attack vector and the impact.
To quote his post,
“Unfortunately, it’s not related to Smart Contracts, where The Critical Bug is expected to be found. It’s good old frame jacking due to broken navigation and missed X-Frame-Options, leading to critical consequences.”
Augur then rewarded Sniezhkov a further USD 1500, following up with a post:
“The engineering team has further assessed this report and has concluded to pay out the maximum as a medium severity report (the maximum UI severity assessment). We really appreciate you taking the time to write up this report, include thorough details, and communicate with the team”
This still didn’t satisfy Sniezhkov, and he further explained that the vulnerability was a more serious one. After this, Augur paid another USD 2500, completing the maximum reward under the bounty program.
Augur was saved from a potentially huge financial loss thanks to the vulnerability being exposed. But the way the researcher had to push the team on the severity of the vulnerability does not give the best sign that the security team at Augur understood it. We hope this was just an attempt to reduce the payout and not the casual approach Augur takes to vulnerabilities.
Will Augur be more careful with vulnerabilities reported by the developer community? Do let us know your views.
Nilesh Maurya has been associated for the past 8 years as an Investment Banker with Omega Capital, a bespoke Investment Banking outfit having offices in Mumbai, New York, Singapore, and Dubai. He has been a regular contributor to business publications such as Business India and Market Express and has been a mentor to many start-up companies. Follow him on Twitter at @KoinKing1 or connect with him on LinkedIn.