A serious vulnerability was discovered in the Augur decentralized betting platform: attackers could feed users incorrect data and game the system.
Everything the app displayed could have been falsified, from transactions to wallet addresses; even the markets could have been fake.
Augur is a platform where you can place bets on high-profile figures such as US President Donald Trump and Amazon boss Jeff Bezos. It is a new-generation betting platform that lets you bet on just about anything.
This type of attack is called frame-jacking: it exploits and manipulates the HTML code that controls how data is displayed when it is syndicated from external sources. A frame-jacked user will see the "correct" domain in the address bar, but the data shown will be incorrect and misleading, channeled from a different location rather than directly from Augur.
"The user visits a link from the Internet, and his data in the Augur application is replaced by an attacker: market data, Ethereum addresses, everything."
Augur's native cryptocurrency, REP, is even distributed to settle outstanding bets by confirming their result. From top to bottom, the entire platform depends on accurate and up-to-date information, so users must be able to trust the data they are fed.
The decentralized design of its back end is supposed to guarantee that trust. In this case, however, users were let down by its dependence on centralized user interfaces (UIs).
In particular, this highlights how such design choices create single points of failure. Attackers were able to reach sensitive code while it was stored locally, a design choice usually avoided for security reasons.
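As an added example, not code from Augur or from this article, the JavaScript below shows the two defences a UI like the one described above would want: response headers that stop a browser from rendering the page inside another site's frame, and a check that a locally stored data-endpoint configuration points only at an allowlisted origin before the UI trusts market data from it. The origin `node.example.invalid` and the `{"endpoint": ...}` config shape are assumptions.

```javascript
// Added example (not Augur's code): two defences against frame-jacking.
// (1) headers that forbid framing the UI, (2) validation of a locally
// stored data-endpoint config before the UI trusts data fetched from it.

// Assumed allowlist of origins the UI may fetch market data from.
const TRUSTED_ORIGINS = new Set([
  "https://node.example.invalid", // constructed placeholder, not a real endpoint
]);

// Headers a server should send with the UI's HTML so browsers refuse to
// render it inside another site's <iframe>.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Parse a JSON config blob (for example from localStorage) and return the
// endpoint URL only if it uses HTTPS and its origin is allowlisted.
function resolveDataEndpoint(rawConfig) {
  let cfg;
  try {
    cfg = JSON.parse(rawConfig);
  } catch (e) {
    throw new Error("config is not valid JSON");
  }
  if (typeof cfg.endpoint !== "string") {
    throw new Error("config has no endpoint");
  }
  let url;
  try {
    url = new URL(cfg.endpoint);
  } catch (e) {
    throw new Error("endpoint is not a valid URL");
  }
  if (url.protocol !== "https:" || !TRUSTED_ORIGINS.has(url.origin)) {
    throw new Error(`untrusted data endpoint: ${url.origin}`);
  }
  return url.href;
}

// Client-side check: true only when the page is the top-level document.
// Takes the window object as a parameter so it can run outside a browser.
function isTopLevelDocument(win) {
  try {
    return win.top === win.self;
  } catch (e) {
    // A cross-origin parent makes win.top throw; that itself means we are framed.
    return false;
  }
}
```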
The researcher also explored the possible consequences of these bugs, after discussing the Augur team's medium-severity classification with them.
What if it is discovered by someone who does not participate in the bug bounty program? What would you do? Well, the logical step, if someone wanted to exploit it, would be, for example, to send phishing links to Augur users … replacing all Ethereum addresses with their own, [leading to] loss of funds.
Someone could find it and simply post on Medium or elsewhere, describing how simple it is to hijack Augur's user interface data.
[…] This stupid, simple, small and critical bug was found in Augur's bug bounty program, the one with very high rewards for critical bugs and very low expectations of actually being found.
In the end, however, the developers maintained their position, arguing that it was mainly an error in the user interface, not in the underlying platform. As such, the security researcher received $1,500 for his discovery.
The vulnerability has since been fixed, and users are advised to update their Augur client.
In reality, this is just further proof that the HackerOne ecosystem has become quite profitable. Bug bounties are paid out almost every day; we recently reported a set of bounties distributed to those who found bugs in the code of the anonymous cryptocurrency Monero.
Published 7 August 2018 at 16:09 UTC