OpenBazaar is one of those Bitcoin-based projects which has gained a tremendous following right off the bat. By letting anyone run their own decentralized marketplace and accept Bitcoin payments, this solution will take ecommerce to a whole new level. But as it turns out, there is a man-in-the-middle attack opportunity during the update process.
When OpenBazaar users conduct an update, the process is completed within the browser itself. Instead of using an HTTPS connection, the update process uses standard HTTP. This leaves the door open for a man-in-the-middle attack, in which an attacker could create a fake JSON update response.
OpenBazaar Man-in-the-middle Attack
To put this into perspective, a malicious JSON update reply could trick OpenBazaar users into downloading a fake payload. If the platform conducting the update does not enforce code signing, a hacker would theoretically be able to execute remote code. If that were to be the case, it is impossible to predict what the consequences may be.
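A hardened form of the update check described above, as an added example that is not OpenBazaar's code: it refuses a manifest or payload URL that is not HTTPS and verifies a detached Ed25519 signature against a pinned key. The manifest fields (`version`, `url`, `signature`), the example.org URLs and the function names are assumptions.

```javascript
const crypto = require("crypto");

// Reject any update manifest that could have been altered in transit or lacks a signature.
function validateManifest(manifestUrl, manifest) {
  const problems = [];
  for (const [label, value] of [["manifest", manifestUrl], ["payload", manifest.url]]) {
    let parsed;
    try { parsed = new URL(value); } catch { problems.push(`${label} URL is invalid`); continue; }
    if (parsed.protocol !== "https:") problems.push(`${label} URL is not HTTPS`);
  }
  if (typeof manifest.signature !== "string" || manifest.signature.length === 0)
    problems.push("payload signature is missing");
  return problems;
}

// Check the downloaded bytes against the detached Ed25519 signature and the pinned key.
function verifyPayload(payload, signatureB64, pinnedPublicKey) {
  try {
    return crypto.verify(null, payload, pinnedPublicKey, Buffer.from(signatureB64, "base64"));
  } catch { return false; }
}

// Transport checks first, then the signature; only a fully verified payload is accepted.
function acceptUpdate(manifestUrl, manifest, payload, pinnedPublicKey) {
  const problems = validateManifest(manifestUrl, manifest);
  if (problems.length > 0) return { ok: false, problems };
  if (!verifyPayload(payload, manifest.signature, pinnedPublicKey))
    return { ok: false, problems: ["payload signature does not verify"] };
  return { ok: true, problems: [] };
}

// Constructed sample data: a throwaway key pair stands in for the project's release key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const goodPayload = Buffer.from("constructed installer bytes");
const goodManifest = {
  version: "1.0.1",
  url: "https://updates.example.org/app-1.0.1.bin",
  signature: crypto.sign(null, goodPayload, privateKey).toString("base64"),
};
// Constructed reply of the kind the article describes: plain HTTP, no signature.
const forgedManifest = { version: "9.9.9", url: "http://updates.example.org/app.bin" };

console.log(acceptUpdate("https://updates.example.org/update.json", goodManifest, goodPayload, publicKey));
console.log(acceptUpdate("http://updates.example.org/update.json", forgedManifest, Buffer.from("x"), publicKey));
```

In a real client the public key ships inside the installed application rather than being generated at run time, so a forged reply cannot supply its own key.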
The issue was initially reported on the OpenBazaar GitHub a few days ago. The person responsible for discovering this flaw also wrote a very simple script that could exploit this opportunity. As it turns out, it would