Bitcoin Forum

Bitcoin => Press => Topic started by: trinaldao on June 03, 2016, 04:17:07 PM
Title: [2016-06-03] OpenBazaar Developers Fix Man-in-the-middle Attack Vector
Post by: trinaldao on June 03, 2016, 04:17:07 PM
OpenBazaar Man-in-the-middle Attack

To put this into perspective, a malicious JSON update reply could trick OpenBazaar users into downloading a fake payload. If the platform conducting the update does not enforce code signing, a hacker would theoretically be able to execute remote code. If that were to be the case, it is impossible to predict what the consequences may be.

The issue was initially reported on the OpenBazaar GitHub a few days ago. The person responsible for discovering this flaw also wrote a very simple script that could exploit this opportunity. As it turns out, it would not take an assailant much effort to pull off a man-in-the-middle attack during the update process.

What is even more disconcerting is how this exploit can be used on every operating system and platform, although it was only tested on OS X 10.11.4 so far. It also does not matter what hardware is used to run OpenBazaar, as this is a software-side exploit that works in the same manner for every device. Moreover, this vulnerability can always be reproduced, and the OpenBazaar developers issued a hotfix earlier today.

http://www.newsbtc.com/2016/06/03/openbazaar-man-middle-attack-vector/
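The article's point is that an update client which trusts the JSON reply and the file it points to, without code signing, installs whatever a man-in-the-middle hands it. The following is an added example, not OpenBazaar's code, of the client-side check that closes that gap: a pinned release key verifies the update manifest, and the digest in the signed manifest verifies the downloaded payload. The RSA key is a constructed toy (about 60 bits, unpadded, insecure) standing in for a real release key, and `build_release` models the build server; both are assumptions of this example.

```python
import hashlib
import json

# Toy RSA release key, constructed for this example only. A real client pins a
# proper key (e.g. Ed25519 or RSA-3072 with PSS); textbook RSA is shown for brevity.
_P, _Q = 1000000007, 998244353
RELEASE_N = _P * _Q          # public modulus, pinned in the client
RELEASE_E = 65537            # public exponent, pinned in the client
_RELEASE_D = pow(RELEASE_E, -1, (_P - 1) * (_Q - 1))  # private: build server only


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RELEASE_N


def build_release(version: str, url: str, payload: bytes) -> dict:
    """Build-server side: binds the payload digest into the manifest, then signs it.
    The returned dict is what a legitimate update server would reply with."""
    manifest = {"version": version, "url": url, "sha256": sha256_hex(payload)}
    sig = pow(_digest_int(_canonical(manifest)), _RELEASE_D, RELEASE_N)
    return {"manifest": manifest, "signature": hex(sig)}


def update_is_trusted(reply: dict, payload: bytes) -> bool:
    """Client side. `reply` is the parsed JSON update response and `payload` the
    bytes fetched from the URL it names. Both crossed the network, so neither is
    trusted until the pinned key vouches for the manifest and the manifest for
    the payload. Any malformed reply is rejected rather than raising."""
    try:
        manifest, sig = reply["manifest"], int(reply["signature"], 16)
    except (KeyError, TypeError, ValueError):
        return False
    # 1. The manifest must carry a valid signature from the pinned release key.
    if pow(sig, RELEASE_E, RELEASE_N) != _digest_int(_canonical(manifest)):
        return False
    # 2. The downloaded bytes must match the digest the signed manifest names.
    return sha256_hex(payload) == manifest.get("sha256")


if __name__ == "__main__":
    pkg = b"constructed-update-bundle"
    reply = build_release("0.0.0-example", "https://example.invalid/ob.tgz", pkg)
    print("genuine:", update_is_trusted(reply, pkg))       # True
    print("swapped payload:", update_is_trusted(reply, b"x"))  # False
```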