OpenSea, an Ethereum-based marketplace for nonfungible tokens (NFTs), has reportedly fixed a security flaw that could expose user data to hackers. Cybersecurity company Imperva was the first to uncover and notify OpenSea of the vulnerability.
In a recent blog post, the cybersecurity firm described how it found a security loophole that, under certain circumstances, could de-anonymize OpenSea’s users by connecting an email, IP address, or browser session to an NFT.
Exploiting The Vulnerability
Imperva explained that because an NFT is linked to a crypto wallet address, information tied to that address and its activity could reveal a user’s true identity. The exploit is believed to target a cross-site search vulnerability.
Imperva stated that the NFT marketplace had misconfigured a library for resizing webpage elements that load HTML content from external sources, which are used to place embedded videos, interactive content, or ads. OpenSea had failed to impose restrictions on the library’s communications.
This would allow attackers to use the information the library broadcast as an “oracle” to determine when searches returned no results, as the webpage would be smaller in such cases.
According to Imperva, an attacker could send their target a link via SMS or email. When clicked, it would reveal valuable information such as the person’s device details, software versions, user agent, and IP address. Using OpenSea’s vulnerability, the attacker would then obtain the names of the NFTs belonging to their target and link the relevant wallet address with personally identifying details, such as the phone number or email address that had received the initial link.
According to Imperva, OpenSea promptly resolved the issue and implemented appropriate restrictions on the library’s communications. The cybersecurity firm has reported that the platform is no longer vulnerable to such attacks.
NFT Theft On OpenSea Marketplace
For a while, the platform’s users have been targeted by attacks that imitate OpenSea’s operations. These may include fake websites designed to resemble the platform or requests for signatures that appear to come from OpenSea.
OpenSea was scrutinized for its platform security in light of a significant phishing attack in February 2022. This phishing attack resulted in the theft of NFTs worth over $1.7 million.
Meanwhile, it is unclear how long the recently patched vulnerability had existed or whether someone had exploited it to steal users’ data. Last month, the security team responsible for safeguarding wallets unveiled a real-time dashboard for the OpenSea marketplace.
This dashboard lets community members identify, monitor, and assess possible hacks that use offline signatures. The team revealed that the process is straightforward.
Their approach involves monitoring actual NFT trades in the marketplace and comparing them to the floor price of the NFT collection. If the ratio of a trade’s price to the collection’s floor price appears unusually low, the detector will flag it as a possible hack.
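The floor-price comparison described above can be sketched as follows. This is an added example, not the dashboard team's code; the 10% threshold, the record fields, and the sample trades and floor prices are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Assumed cut-off (the article gives no number): a sale priced below 10% of
# the collection floor is flagged for review.
RATIO_THRESHOLD = Decimal("0.10")

@dataclass(frozen=True)
class Trade:
    tx: str            # constructed label, not a real transaction hash
    collection: str
    seller: str
    price_eth: Decimal

def sale_ratio(trade, floors):
    """Sale price / collection floor, or None when no usable floor exists."""
    floor = floors.get(trade.collection)
    if floor is None or floor <= 0:
        return None    # new or illiquid collection: no baseline to compare
    return trade.price_eth / floor

def flag_suspicious(trades, floors, threshold=RATIO_THRESHOLD):
    """Return (trade, ratio) pairs under the threshold, lowest ratio first."""
    scored = ((t, sale_ratio(t, floors)) for t in trades)
    flagged = [(t, r) for t, r in scored if r is not None and r < threshold]
    return sorted(flagged, key=lambda pair: pair[1])

def shortfall_by_seller(flagged, floors):
    """Sum (floor - price) per seller so analysts can triage by likely loss."""
    loss = defaultdict(Decimal)
    for trade, _ in flagged:
        loss[trade.seller] += floors[trade.collection] - trade.price_eth
    return dict(loss)

# Constructed sample data: floor prices in ETH and four observed sales.
FLOORS = {"alpha": Decimal("60"), "beta": Decimal("4"), "gamma": Decimal("0")}
TRADES = [
    Trade("tx-1", "alpha", "0xSellerA", Decimal("58")),    # normal sale
    Trade("tx-2", "alpha", "0xSellerB", Decimal("0.5")),   # far below floor
    Trade("tx-3", "beta", "0xSellerB", Decimal("0")),      # zero-price sale
    Trade("tx-4", "gamma", "0xSellerC", Decimal("0.01")),  # no usable floor
]

if __name__ == "__main__":
    hits = flag_suspicious(TRADES, FLOORS)
    for trade, ratio in hits:
        print(f"{trade.tx} {trade.collection} ratio={ratio:.4f}")
    print(shortfall_by_seller(hits, FLOORS))
```

A low ratio is only a signal for review: private sales between a user's own wallets or deliberate discounts produce the same pattern, so flagged trades still need an analyst's judgment.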