Augur users have just avoided a significant loss of funds, and the project a loss of reputation, after security researcher Viacheslav Sniezhkov reported a major bug through HackerOne. Had the bug persisted, an attacker could have hijacked what the Augur user interface shows its users and fed them fraudulent market data, addresses and transactions.
The major security risk Ethereum DApp Augur faced
Augur is a decentralized oracle and prediction-market platform (a dApp) that runs on the Ethereum blockchain. Its user interface persists its configuration, including the address of the ‘augur-node’ backend it talks to, in the browser’s local storage on the user’s machine and reads it back whenever the page loads. That made the stored value a target: an attacker could set up a malicious website serving a hidden iframe that overwrote the setting in local storage, and the user would have had no indication that anything had changed.
As reported by CCN, Sniezhkov, the white-hat hacker, said: “A third-party site can include a hidden iframe which can override the ‘augur-node’ configuration variable of a running Augur application. This variable is persisted in local storage. In the case of a browser page reload (user action or browser/OS crash), the normal ‘augur-node’ web sockets endpoint will be replaced with the one provided by the attacker so that all the markets data, addresses and transactions can be masqueraded.”
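The weakness described in the quote is a general one: a persisted setting that controls where a client fetches its data is attacker-influenced input, and it has to be validated before use. The following JavaScript is an added illustration of that pattern, not Augur’s own code; the page does not say how the iframe reached the stored value, so the example simply starts from a storage entry an attacker has already overwritten. The key name ‘augur-node’ comes from the report; the default endpoint, the allowlist, the in-memory storage stand-in (so it runs outside a browser) and all function names are assumptions.

```javascript
// Added example, not Augur's code. Shows a client that trusts a persisted
// WebSocket endpoint blindly next to one that validates it first.
// AUGUR_NODE_KEY is the key quoted in the report; everything else is assumed.

const AUGUR_NODE_KEY = 'augur-node';
const DEFAULT_ENDPOINT = 'ws://127.0.0.1:9001'; // hypothetical default

// Minimal stand-in for window.localStorage so the example runs in Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Vulnerable pattern: whatever is persisted wins. Any write to the key, by
// whatever route, redirects every market/address/transaction query after a
// reload, and nothing on the page tells the user.
function loadEndpointUnsafe(storage) {
  return storage.getItem(AUGUR_NODE_KEY) || DEFAULT_ENDPOINT;
}

// Hardened pattern: treat the persisted value as untrusted input. Accept only
// a ws:/wss: URL, with no embedded credentials, whose host is on an allowlist
// (here: the local node the UI is meant to talk to). Returns the normalized
// URL on success, null otherwise.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1']);

function validateEndpoint(value) {
  if (typeof value !== 'string') return null;
  let url;
  try { url = new URL(value); } catch (e) { return null; }
  if (url.protocol !== 'ws:' && url.protocol !== 'wss:') return null;
  if (url.username || url.password) return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Reads the endpoint; on a rejected value it discards the tampered entry and
// reports the tampering so the UI can warn the user instead of silently
// reconnecting elsewhere.
function loadEndpointHardened(storage) {
  const persisted = storage.getItem(AUGUR_NODE_KEY);
  if (persisted === null) return { endpoint: DEFAULT_ENDPOINT, tampered: false };
  const ok = validateEndpoint(persisted);
  if (ok === null) {
    storage.removeItem(AUGUR_NODE_KEY);
    return { endpoint: DEFAULT_ENDPOINT, tampered: true };
  }
  return { endpoint: ok, tampered: false };
}

// Constructed scenario: an attacker-controlled endpoint has already landed in
// storage (the report's iframe write, simulated by a direct setItem).
function demo() {
  const storage = new MemoryStorage();
  storage.setItem(AUGUR_NODE_KEY, 'wss://attacker.example/augur');
  return {
    unsafe: loadEndpointUnsafe(storage),        // connects to the attacker
    hardened: loadEndpointHardened(storage),    // falls back and flags it
    afterCleanup: storage.getItem(AUGUR_NODE_KEY), // tampered entry removed
  };
}
```

The allowlist is the important part: a scheme check alone would still let an attacker point the UI at any wss:// host on the internet, which is exactly what the report describes. If the client legitimately supports remote nodes, the allowlist becomes a user-confirmed list rather than a hard-coded one, but the confirmation step must happen in the UI, not be inferred from whatever is sitting in storage.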
All’s well that ends well!
The flaw has already been patched, and the Forecast Foundation, which administers development of the Augur protocol, has paid the white-hat hacker a $5,000 bounty for reporting it. The Forecast Foundation recommends that Augur users update to the latest version of the client software so that they are no longer exposed.