A massive vulnerability has been discovered in the decentralized betting platform Augur. Hackers have been able to feed users incorrect data and game the system.
Everything shown by the app was susceptible to faking, from transactions to wallet addresses – even the markets could have been forgeries.
Augur is a wonderful place where you can place wetwork orders for high-profile figures like US President Donald Trump and Amazon boss Jeff Bezos. It’s a next-generation betting platform that allows wagers on pretty much anything.
Users buy shares in the outcome of a specific event, like a sports match or political election. Buy shares in the right outcome and you win, with prizes being paid in Ethereum.
This brand of attack is called frame-jacking. It exploits and manipulates the HTML code that controls how data is displayed when that data is syndicated from external sources. A user being frame-jacked sees the ‘correct’ domain in the address bar, but the data shown is incorrect and misleading, funnelled in from a different location – not directly from Augur.
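To make the class of bug concrete, here is an added example (not Augur's code, and the page does not say which channel the attacker used): a browser-side handler that accepts market data via `window.postMessage`, first in a form that trusts any sender and then hardened to check the sending origin and the shape of the data. The trusted origin and the event objects are constructed placeholders.

```javascript
// Added example, not the Augur client's code. Event objects are built inline
// so the logic runs outside a browser.
const TRUSTED_ORIGIN = "https://app.example-augur.invalid"; // placeholder, assumed

// Vulnerable: applies whatever any frame or opener posts, so a page that
// embeds or opens the app can overwrite markets and payout addresses.
function applyMarketUpdateUnsafe(state, event) {
  Object.assign(state, event.data);
  return true;
}

// Hardened: accept only messages from the expected origin, and only the
// fields the UI needs, in the shape it expects.
const ETH_ADDRESS = /^0x[0-9a-fA-F]{40}$/;
function applyMarketUpdateSafe(state, event) {
  if (event.origin !== TRUSTED_ORIGIN) return false; // wrong origin: drop it
  const d = event.data;
  if (!d || typeof d !== "object") return false;
  if (typeof d.marketId !== "string" || !ETH_ADDRESS.test(d.payoutAddress)) return false;
  state.marketId = d.marketId;
  state.payoutAddress = d.payoutAddress;
  return true;
}

// Constructed samples: one legitimate update, one spoofed from another origin.
const legit = {
  origin: TRUSTED_ORIGIN,
  data: { marketId: "m-1", payoutAddress: "0x" + "a".repeat(40) },
};
const spoofed = {
  origin: "https://other-site.invalid",
  data: { marketId: "m-1", payoutAddress: "0x" + "b".repeat(40) },
};

// Runs both handlers over both events and returns the resulting UI state.
function demo() {
  const unsafe = {}, safe = {};
  applyMarketUpdateUnsafe(unsafe, legit);
  applyMarketUpdateUnsafe(unsafe, spoofed); // attacker's address wins
  applyMarketUpdateSafe(safe, legit);
  applyMarketUpdateSafe(safe, spoofed);     // ignored
  return { unsafe, safe };
}
```

In a real page the safe handler is registered with `window.addEventListener("message", e => applyMarketUpdateSafe(state, e))`, and a `Content-Security-Policy: frame-ancestors 'none'` header stops the app from being framed at all.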
The security researcher who submitted the vulnerability report to HackerOne described its effects quite simply:
“User visits a link from internet, his Augur application data is replaced by an attacker then – market data, Ethereum addresses, everything.”
Augur’s native cryptocurrency, REP, is even distributed for settling outstanding bets by confirming their outcome. Truly, from top to bottom, the entire platform relies on having accurate, up-to-date information; users need to be able to trust the data they’re being fed.
The decentralized design of its back-end is supposed to maintain trust. In this case, though, users have been let down by the developers’ choice to store certain files related to its UI locally, leading to their exposure.
Such design choices often breed single points of failure. Hackers were able to access sensitive code as it was stored locally, something usually avoided for the security concerns it raises.
The researcher also explored possible consequences of such bugs, after disagreeing with its medium-grade severity classification by the Augur team.
In the case it is discovered by someone not participating in the bug bounty program, what would he do? Well, the logical step in the case someone wanted to exploit it would be, for example, sending out phishing links to Augur users … replacing all the Ethereum addresses with his own, [leading to] fund loss.
Someone could find it and just create a post on Medium or somewhere else, describing how easy it is to hijack Augur’s UI data.
[…] This stupid, simple, small, and critical bug was found in Augur’s bug bounty program, the one with very high bonuses for critical bugs and very low expectations of such bugs being actually found.
In the end, though, the developers maintained their position, primarily because it was an error in the UI, not the underlying platform. Usually, these types of bugs are worth around $1,500 – but a spokesperson later clarified that the researcher received $5,000.
The vulnerability has since been patched, so users are urged to update their Augur client.
Really, though, this is just more proof that HackerOne’s white-hat ecosystem has become quite lucrative. Bug bounties are being paid out almost every day – we recently reported on one set of bounties distributed to those finding kinks in the code of anonymous cryptocurrency Monero.
Update 19:09 UTC, August 7: A spokesperson from Forecast Foundation, which built and maintains Augur, has since reached out. They clarified that, in the end, the security researcher was paid $5,000, diverting from the prices set by its bug bounty program.
“This is done on a discretionary basis, and this payout was double the bug bounty program’s max payout for UI issues of $2,500.”
Published August 7, 2018 — 16:09 UTC