Arguably the world’s most popular marketplace for non-fungible tokens (NFTs), OpenSea had a vulnerability that allowed hackers to de-anonymize users and, in some cases, even reveal their full identities.
That’s according to a new report from a cybersecurity researcher on Imperva’s red team, who notified OpenSea and later confirmed that the vulnerability was properly addressed.
In a blog post detailing their findings, Imperva researchers said OpenSea’s website had a cross-site search (XS-Search) vulnerability because it did not restrict cross-origin communication. At the root of the problem was the iFrame-resizer library.
Exposure of NFT owners
A researcher explains: “An attacker can leak the names of a user’s NFTs by continuously searching the user’s assets cross-origin via tabs or popups, thereby revealing the user’s public wallet address. This information can be associated with the user’s identity using the leaked NFTs and public wallet address.”
As a result, the victim’s identity may be revealed, the researchers conclude.
To exploit this vulnerability, an attacker could send a link to the victim via email, SMS, or another communication channel. By clicking the link, the victim reveals information such as their IP address, user agent, device details, software version, and similar data.
The attacker then exploits the cross-site search vulnerability to extract one of the target’s NFT names. By associating the leaked NFT and public wallet address with the target, the attacker could reveal the identity of the victim.
After the researchers disclosed the vulnerability to the marketplace, OpenSea released a patch “quickly,” they said. They concluded that the vulnerability was resolved by restricting cross-origin communication, thus reducing the risk of further exploitation.
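The fix described above, restricting cross-origin communication, is illustrated here as an added example; it is not OpenSea’s or the iFrame-resizer library’s code, and the origins and message names are assumed. The framed page reports its height only to one trusted parent origin, and the parent acts only on messages from the frame it embedded, so an unrelated window cannot read the size and infer whether a search returned results.

```javascript
// Hardened cross-origin resize messaging (illustrative example).
// Origins below are constructed for the demo.
const TRUSTED_PARENT = "https://app.example";   // assumed embedding origin
const TRUSTED_CHILD = "https://embed.example";  // assumed framed origin

// Child side: report the document height to the parent.
// A targetOrigin of "*" would deliver the size to whatever window framed or
// opened this page, which is the leak that enables the XS-Search side channel.
function postHeight(parentWindow, height, targetOrigin = TRUSTED_PARENT) {
  if (targetOrigin === "*") {
    throw new Error("refusing to broadcast size to any origin");
  }
  parentWindow.postMessage({ type: "resize", height }, targetOrigin);
  return targetOrigin;
}

// Parent side: accept resize messages only from the expected child origin
// and only from that iframe's own window, and sanity-check the payload.
function makeResizeHandler(expectedOrigin, expectedSource, apply) {
  return function onMessage(event) {
    if (event.origin !== expectedOrigin) return false;  // wrong origin
    if (event.source !== expectedSource) return false;  // wrong window
    const data = event.data;
    if (!data || data.type !== "resize") return false;
    if (!Number.isFinite(data.height) || data.height <= 0) return false;
    apply(Math.min(data.height, 20000));  // clamp absurd values
    return true;
  };
}

// Constructed demo with stub windows so it runs outside a browser.
function demo() {
  const sent = [];
  const parentStub = { postMessage: (msg, origin) => sent.push({ msg, origin }) };
  const childStub = {};
  let applied = null;
  const handler = makeResizeHandler(TRUSTED_CHILD, childStub, (h) => { applied = h; });

  postHeight(parentStub, 812);
  const accepted = handler({ origin: TRUSTED_CHILD, source: childStub, data: sent[0].msg });
  const rejected = handler({ origin: "https://evil.example", source: childStub,
                             data: { type: "resize", height: 812 } });
  return { sent, accepted, rejected, applied };
}
```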