OpenSea, the largest digital marketplace for collectibles and non-fungible tokens (NFTs), patched a vulnerability that could have left collectors to lose hundreds of thousands of dollars worth of NFTs.
During the past few weeks, Check Point Research (CPR) spotted various cases where people tweeted reports claiming they lost their crypto wallet balance, while receiving a free gift on the OpenSea marketplace. Moreover, several reports surfaced claiming digital wallets of merchants disappeared, leaving collectors to lose hundreds of thousands of dollars worth of NFTs.
“The reports speculated that an attack could start when you receive a free gift from a stranger or a link to OpenSea art. The reports further speculated that by accepting the gift or pressing on the link to OpenSea, the receiver loses all his cryptocurrencies,” CPR research reads.
Therefore, CPR decided to look for vulnerabilities within the platform, which could have allowed scammers and hackers to hijack accounts and steal the cryptocurrencies from the digital wallets.
Researchers discovered critical vulnerabilities on the OpenSea platform. If hackers were to exploit them, they could have hijacked user accounts and stolen their crypto wallets just by sending malicious NFTs. CPR disclosed vulnerabilities to the marketplace, which implemented fixes within an hour from disclosure.
“OpenSea fixed the vulnerability within an hour of receiving CPR’s findings. We additionally collaborated with Jay Niffley, an independent security researcher, who reported a related vulnerability to the storage.opensea.io domain. In total, we analyzed over 73 million objects, 4.4 million SVG files, finding only 77 that were potentially related to the vulnerability and confirming they were not malicious. We shared these 77 SVG files that had characteristics of the vulnerability from our storage domain with CPR, and all vulnerability vectors were confirmed closed by CPR,” OpenSea claims.
OpeanSea recorded $3.4 billion in transaction volume in August 2021 alone.
OpenSea has also publicly shared this information with their users, claiming that a vulnerability that was brought to their attention “reinforces how important it is to stay informed and follow security best practices while navigating the NFT space–or anywhere online.”
OpeanSea claims there are no known victims, and the reported attacks mentioned by Check Point did not leverage a vulnerability within OpenSea.
Here’s what a theoretical attack using the vulnerability would have looked like:
- A hacker creates and transfers a malicious gift NFT, which includes an SVG file, to a target victim. For context, a SVG (Scalable Vector Graphics) is a type of image on the web that can be interactive and run scripts.
- The victim right-clicks the image from the malicious NFT and opens it in a new tab or window, which triggers a pop-up from a third-party wallet provider from the OpenSea storage domain (i.e. storage.opensea.io) requesting a connection to the victim’s third-party wallet. This is an abnormal event because third-party images on OpenSea do not result in a request for a wallet connection.
- The victim then can choose to click to connect their third-party wallet.
- If the victim connects their wallet, he will then be presented with a final pop-up (depicted further below in this blog) asking to sign a transaction that will transfer items or funds to the attacker. An informed user may recognize the threat and mitigate it by rejecting the transaction instead of signing it.
- However, if the victim had not recognized the threat and performed the above actions, the end result is the potential theft of assets in the user’s wallet.
More from CyberNews:
We've seen just the tip of the Mēris botnet iceberg
MLN, an Australian IT vendor, has its customer database leaked
Google warns 14,000 Gmail users: government-backed attackers may be trying to steal your password
Here are the worst bits of malware in 2021
What has the UK’s Weir Group cyber-attack taught us?
Subscribe to our newsletter
Your email address will not be published. Required fields are markedmarked