Bitcoin Shoplifting: Hacking Openbazaar 1.0
As part of my research into P2P software, I decided to give OpenBazaar (1.0) a quick look over to see if I could catch any security issues. (This was not an audit, just a short examination).
One of the first places I checked for security flaws was OpenBazaar's back-end API server (which ships with the desktop client) and speaks HTTP. I examined the API server for CSRF issues, because in my experience other native software built on web technologies suffers from them.
OB 1.x did have authentication for the API server, but in the later version(s) it whitelisted localhost. What could be wrong with no authentication from localhost? After all, that means the attacker would already be in control of the computer, right? Well, not necessarily.
The Exploit
A mere 2 lines of code added in early 2017 removed the authentication requirement for localhost. The developer(s) had apparently forgotten that the “same origin” policy in web browsers does not stop requests from being sent; it merely prevents the page from reading the responses. With this flaw, I realized that just by sending a victim a link, an attacker could perform any action available in the REST API, without any indication to the victim, using CSRF. This attack could take place without any attacker-victim interaction/communication, assuming the attacker were in a position to perform an injection attack or otherwise load malicious code into the user's browser. To extract data from the API, the attack would need to be paired with a DNS rebinding exploit.
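To make the flaw concrete from the defender's side, here is an added illustration (not OpenBazaar's code) of the loopback-only allow rule next to a policy that also requires a client-held token and validates the Host and Origin headers. The listen address, token and sample requests are all constructed assumptions.

```python
# Added illustration, not OpenBazaar code: a loopback-only allow rule compared with a
# policy that also checks the Host and Origin headers and a per-session token.
# Request headers are modelled as a plain dict; all values below are constructed samples.
from ipaddress import ip_address
from secrets import compare_digest

API_TOKEN = "example-token-not-real"                 # assumed: issued to the desktop client at startup
ALLOWED_HOSTS = {"localhost:8000", "127.0.0.1:8000"}  # assumed local listen address
ALLOWED_ORIGINS = {"http://" + h for h in ALLOWED_HOSTS}


def loopback_only_policy(remote_addr: str, headers: dict) -> bool:
    """The weak rule: any request arriving on the loopback interface is trusted.
    A browser on the victim's machine satisfies this for cross-site requests too."""
    return ip_address(remote_addr).is_loopback


def hardened_policy(remote_addr: str, headers: dict) -> bool:
    """Loopback is still required, but no longer sufficient on its own."""
    if not ip_address(remote_addr).is_loopback:
        return False
    # Host check defeats DNS rebinding: a rebound name carries the attacker's hostname.
    if headers.get("Host") not in ALLOWED_HOSTS:
        return False
    # Cross-site browser requests carry the attacking page's Origin; the desktop client does not.
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False
    # A secret the browser never attaches on its own (no cookie, no ambient credential).
    return compare_digest(headers.get("Authorization", ""), "Bearer " + API_TOKEN)


# Constructed sample: what a browser sends when a malicious page issues a cross-site POST.
CSRF_REQUEST = {"Host": "127.0.0.1:8000", "Origin": "http://attacker.example"}
# Constructed sample: a DNS rebinding request, where the page's own hostname now resolves to 127.0.0.1.
REBIND_REQUEST = {"Host": "rebind.attacker.example:8000", "Origin": "http://rebind.attacker.example:8000"}
# Constructed sample: the legitimate desktop client.
CLIENT_REQUEST = {"Host": "127.0.0.1:8000", "Authorization": "Bearer " + API_TOKEN}

if __name__ == "__main__":
    print("weak policy accepts CSRF:", loopback_only_policy("127.0.0.1", CSRF_REQUEST))
    print("hardened policy accepts CSRF:", hardened_policy("127.0.0.1", CSRF_REQUEST))
    print("hardened policy accepts rebinding:", hardened_policy("127.0.0.1", REBIND_REQUEST))
    print("hardened policy accepts client:", hardened_policy("127.0.0.1", CLIENT_REQUEST))
```

Both cross-site samples arrive from 127.0.0.1, which is exactly why a source-address check alone cannot tell them apart from the real client.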
Consequences
Control of the API allows an attacker to change the victim's client settings (including Bitcoin addresses, libbitcoin server URL, and profile settings), add and remove moderators, create/delete/change contracts, broadcast messages, interact with dispute cases (such as forcing a moderator's decision or fee) and snoop on the user's purchase history, along with other things.
There was a strong possibility for this exploit to be used to steal Bitcoin from OpenBazaar users, such as by manipulating what libbitcoin server their client used. If this had been exploited en masse, it could have resulted in significant disruptions and theft.
I reported this vulnerability on July 6th 2017, and the OpenBazaar team opted to not release a fix, as OpenBazaar 2 was nearing completion. This was disappointing, since in my opinion this was critical enough to warrant a quick patch for 1.x, although I understand why they did not want to devote any more time to developing 1.x. OpenBazaar 2.0 was taken out of beta on November 1st, 2017, thus from approximately May 2017 to November 2017, anyone using OpenBazaar 0.2.6 was vulnerable.
Like some of my previous research in other software, this exploit demonstrates how web technologies introduce their own class of vulnerabilities into software, and developers commonly overlook CSRF against localhost. Never overlook the threat of CSRF and DNS rebinding attacks on localhost or LAN. I checked for a similar vulnerability in OpenBazaar 2.0, but did not find one. OpenBazaar 2.0 seems to be designed more securely overall than 1.0.