Author

Topic: [2016-06-03] OpenBazaar Developers Fix Man-in-the-middle Attack Vector (Read 235 times)

copper member
Activity: 1218
Merit: 1007
Post your ann & bounty just contact me
OpenBazaar Man-in-the-middle Attack

To put this into perspective, a malicious JSON update reply could trick OpenBazaar users into downloading a fake payload. If the platform conducting the update does not enforce code signing, a hacker would theoretically be able to execute remote code. If that were to be the case, it is impossible to predict what the consequences may be.

The issue was initially reported on the OpenBazaar GitHub a few days ago. The person responsible for discovering this flaw also wrote a very simple script that could exploit this opportunity. As it turns out, it would not take an assailant much effort to pull off a man-in-the-middle attack during the update process.

What is even more disconcerting is how this exploit can be used on every operating system and platform, albeit it was only tested on OS X 10.11.4 so far. It also does not matter what hardware is used to run OpenBazaar, as this is a software-side exploit that works in the same manner for every device. Moreover, this vulnerability can always be reproduced, and the OpenBazaar developers have issued a hotfix earlier today.

http://www.newsbtc.com/2016/06/03/openbazaar-man-middle-attack-vector/
Jump to: