Friday, March 24, 2023

Attackers can reveal identities of those using the largest NFT marketplace, research finds


OpenSea, arguably the world’s most popular marketplace for non-fungible tokens (NFTs), was carrying a vulnerability that allowed hackers to deanonymize users and possibly even reveal their full identities.

This is according to a new report from cybersecurity researchers on the Red Team at Imperva, who notified OpenSea and later confirmed that the vulnerability had been properly addressed.

In a blog post detailing the findings, Imperva’s researchers said that the OpenSea website carried a cross-site search vulnerability, as it didn’t restrict cross-origin communication. At the root of the problem was the iFrame-resizer library.

Exposing NFT owners

The researchers explained: “The iFrame-resizer library broadcasts the width and height of the page, which can be used as an “oracle” to determine when a given search returns results because the page is smaller when a search returns zero results. By continuously searching the user’s assets, which is done cross-origin through a tab or popup, an attacker can leak the name of an NFT created by the user, thereby revealing their public wallet address. This information can associate the user’s identity with the leaked NFT and public wallet address.”

As a result, the victims might have their identities exposed, the researchers concluded.

To exploit the flaw, an attacker could send a link to the victim, be it via email, SMS, or any other communication channel. By clicking on the link, the victim reveals valuable information such as IP address, user agent, device details, software versions, and similar.

Next, the attacker would exploit the cross-site search vulnerability to extract one of the target’s NFT names. And by associating the leaked NFT/public wallet address with the target, the attacker might expose the victim’s true identity.

After disclosing the flaw to the marketplace, OpenSea “quickly” released a patch, the researchers said. The flaw was addressed by restricting cross-origin communication, thus mitigating the risk of further exploitation, they concluded.
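The size oracle described by the researchers and the fix of restricting cross-origin communication can be seen side by side in the following added example, which is not code from OpenSea, Imperva or the iFrame-resizer library. The origins, page sizes, function names and the `FakeWindow` stand-in for a browser window are all constructed for illustration.

```javascript
// Added example with constructed names; not OpenSea or iFrame-resizer code.
const TRUSTED_PARENT = "https://embedder.example"; // assumed legitimate embedder

// Minimal stand-in for a browser window: like the real postMessage, it
// delivers a message only when targetOrigin is "*" or equals its own origin.
class FakeWindow {
  constructor(origin) {
    this.origin = origin;
    this.received = [];
  }
  postMessage(message, targetOrigin) {
    if (targetOrigin === "*" || targetOrigin === this.origin) {
      this.received.push(message);
    }
  }
}

// Weak setting: page dimensions go to whichever window framed or opened the page.
function reportSizeWeak(receiver, size) {
  receiver.postMessage({ type: "resize", ...size }, "*");
}

// Corrected setting: the target origin is pinned, so other origins get nothing.
function reportSizeStrict(receiver, size) {
  receiver.postMessage({ type: "resize", ...size }, TRUSTED_PARENT);
}

// Constructed page sizes: a search with no results renders a shorter page.
const PAGE_SIZES = {
  noResults: { width: 1200, height: 400 },
  withResults: { width: 1200, height: 1800 },
};

// Returns the distinct heights a window at `origin` learns across both searches.
function observedHeights(origin, report) {
  const win = new FakeWindow(origin);
  for (const size of Object.values(PAGE_SIZES)) report(win, size);
  return [...new Set(win.received.map((m) => m.height))];
}

function demo() {
  return {
    weakUntrusted: observedHeights("https://other.example", reportSizeWeak),
    strictUntrusted: observedHeights("https://other.example", reportSizeStrict),
    strictTrusted: observedHeights(TRUSTED_PARENT, reportSizeStrict),
  };
}
console.log(demo());
```

With the wildcard target, an unrelated origin sees two different heights and can tell the two searches apart; with the pinned target it receives no size messages at all, while the trusted embedder still gets both.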
