OpenSea, arguably the world’s most popular marketplace for non-fungible tokens (NFT), contained a vulnerability that allowed hackers to de-anonymize users and potentially reveal their full identities.
That’s according to a new report from cybersecurity researchers who are part of Imperva’s Red Team, who notified OpenSea and later confirmed that the vulnerability had been properly fixed.
In a blog post describing the findings, the Imperva researchers said the OpenSea website had a cross-site search vulnerability because it did not restrict cross-origin communication. The source of the problem was the iFrame resizer library.
Expose NFT owners
The researchers explained: “The iFrame resizer library broadcasts the width and height of the page, which can be used as an ‘oracle’ to determine when a particular query returns results, because the page is smaller when a query is null. By continuously searching the user’s assets, which is done cross-origin through a tab or pop-up, an attacker could leak the name of a user-created NFT, revealing their public wallet address. This information can link the identity of the user with the leaked NFT and public wallet address.”
As a result, the identities of the victims could be revealed, the researchers concluded.
To exploit the flaw, an attacker can send a link to the victim via email, SMS or any other communication channel. By clicking the link, the victim reveals valuable information such as IP address, user agent, device details, software versions and similar details.
Then the attacker would exploit the cross-site search vulnerability to extract one of the target’s NFT names. And by associating the leaked NFT/public wallet address with the target, the attacker can reveal the victim’s true identity.
After disclosing the flaw to the marketplace, OpenSea released a patch “quickly,” the researchers said. The flaw was rectified by restricting cross-origin communications, reducing the risk of further exploitation, they concluded.
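The fix the researchers describe, restricting cross-origin communication, comes down to a `postMessage` handler that only answers parents or openers from an allowlisted origin instead of broadcasting page dimensions to anyone. The following is an added example written for this article; it is not OpenSea’s code and does not use the iframe-resizer library’s real API. The origin `https://marketplace.example`, the message shape `{type: "resize-request"}` and the function names are all constructed for illustration. The weak handler replies to every sender with `targetOrigin` set to `*`, which is the behaviour that turns page size into an oracle; the hardened handler drops anything from an unexpected origin and addresses its reply to that origin only.

```javascript
// Added example (not OpenSea's or iframe-resizer's code): an origin-allowlisted
// postMessage size reporter modelling the fix described in the article.

// Constructed allowlist: the only origin allowed to learn this page's size.
const ALLOWED_ORIGINS = new Set(["https://marketplace.example"]);

// Constructed stand-in for the rendered page; a results page is taller than an
// empty one, which is exactly what an XS-Search oracle measures.
const PAGE_SIZE = { width: 1200, height: 3400 };

// Weak handler (the pre-fix behaviour): replies to any sender and broadcasts
// the reply to every origin ("*"), so any cross-origin tab or pop-up can read it.
function broadcastSizeUnsafe(event, page = PAGE_SIZE) {
  if (!event.data || event.data.type !== "resize-request") return null;
  return { type: "resize", width: page.width, height: page.height, targetOrigin: "*" };
}

// Hardened handler: validates event.origin against the allowlist before
// answering, and pins the reply to that single origin.
// Returns the reply that would be posted, or null when the message is dropped.
function handleResizeMessage(event, allowedOrigins = ALLOWED_ORIGINS, page = PAGE_SIZE) {
  if (typeof event.origin !== "string" || !allowedOrigins.has(event.origin)) {
    return null; // unknown sender: say nothing, not even an error
  }
  if (!event.data || typeof event.data !== "object" || event.data.type !== "resize-request") {
    return null; // unexpected message shape from a trusted origin is ignored too
  }
  return {
    type: "resize",
    width: page.width,
    height: page.height,
    targetOrigin: event.origin, // never "*"
  };
}

// Wire the hardened handler into a real page; guarded so the module also
// loads under Node without a DOM.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const reply = handleResizeMessage(event);
    if (reply !== null && event.source) {
      event.source.postMessage(
        { type: reply.type, width: reply.width, height: reply.height },
        reply.targetOrigin
      );
    }
  });
}
```

The same discipline applies on the receiving side: a parent that listens for `resize` messages should check `event.origin` before trusting the dimensions. As defence in depth for the pop-up path the researchers mention, serving the page with a `Cross-Origin-Opener-Policy: same-origin` header severs the `window.opener` link from cross-origin openers, so a size-reporting message has no untrusted window to reach.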