OpenBazaar is one of those Bitcoin-based projects that has gained a tremendous following right off the bat. By letting anyone run their own decentralized marketplace and accept Bitcoin payments, this solution will take ecommerce to a whole new level. But as it turns out, the update process is open to a man-in-the-middle attack.
When OpenBazaar users run an update, the process is handled within the browser itself. Instead of an HTTPS connection, the update check uses plain HTTP. This leaves the door open to a man-in-the-middle attack, in which a forged JSON update response is served to the client.
OpenBazaar Man-in-the-middle Attack
To put this into perspective, a malicious JSON update reply could trick OpenBazaar users into downloading a fake payload. If the platform performing the update does not enforce code signing, an attacker could, in theory, achieve remote code execution. If that were the case, the consequences would be impossible to predict.
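The two gaps described above, cleartext transport and no code signing, are closed on the client side by verifying a signed update manifest before anything is downloaded or run. The following Go example is added here to illustrate that pattern; it is not OpenBazaar's code, and the manifest field names, hostnames and payload are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"net/url"
)

// Manifest is a hypothetical update descriptor; the fields are assumptions, not OpenBazaar's format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignManifest is what the publisher does at release time: serialise the manifest
// and sign those exact bytes with the release key. The client ships with only the public key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is what the client must do before installing anything it fetched.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte) (*Manifest, error) {
	// 1. Check the signature before trusting a single byte of the manifest, so a
	//    response forged by someone on the network path is rejected regardless of content.
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, errors.New("malformed manifest")
	}
	// 2. Refuse cleartext download locations even when the manifest itself is validly signed.
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return nil, errors.New("update URL must use https")
	}
	// 3. Bind the downloaded bytes to the signed manifest so a swapped payload is caught.
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload hash does not match signed manifest")
	}
	return &m, nil
}
```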
The issue was first reported on the OpenBazaar GitHub a few days ago. The person who discovered the flaw also wrote a very simple proof-of-concept script for it. As it turns out, an attacker would not need much effort to pull off a man-in-the-middle attack during the update process.
What is even more disconcerting is that this exploit applies to every operating system and platform, although it has only been tested on OS X 10.11.4 so far. It also does not matter which hardware runs OpenBazaar, as this is a software-side flaw that behaves the same way on every device. Moreover, the vulnerability is reliably reproducible, and the OpenBazaar developers issued a hotfix earlier today.
Judging by the GitHub comments, the developers were aware of this potential issue before it was reported. It is good to see them actively tweaking the OpenBazaar software package around the clock, as an exploit like this could have caused serious harm in the long run. After all, the assailant only needed the IP address of the target machine to attempt this man-in-the-middle attack.