NFT marketplace OpenSea recently addressed a vulnerability in their code that could be exploited to leak user data. 

Imperva Detects OpenSea Vulnerability

On March 9, cybersecurity firm Imperva pointed out a vulnerability in the OpenSea platform. The firm published a blog post detailing its findings and claimed that the vulnerability posed serious security threats to user data. Malicious actors could exploit the bug to uncover personal information about users, like their phone numbers and email IDs. 

The team tweeted, 

“Imperva Red Team discovered a cross-site search vulnerability affecting the NFT marketplace OpenSea.”

This vulnerability allows for the deanonymization of users, potentially revealing a user’s identity.

According to the report, anonymous OpenSea users could be unveiled by manipulating this bug and linking an IP address, a browser session, or even an email to an NFT. As a result, anonymous buyers can risk having their identity exposed if the corresponding crypto wallet address is revealed in connection to the information gathered from the identifying address. 

Root-Cause – Library Misconfiguration

The report further analyzes the root cause of the matter, identifying the misconfiguration of the iFrame-resizer library used by the NFT platform, which caused the cross-site search vulnerability. This means the platform had misconfigured a library that resizes webpage elements loading HTML content from elsewhere. 

This feature is used to place ads, interactive content, or embedded videos. Since the OpenSea platform had not restricted this library’s communications, it would be easy for hackers and other malicious actors to manipulate the broadcasted information and use it as an “oracle” to pinpoint targets. 

They could then send the target a link through email or SMS. If the target clicks on the link, their personal information, including their IP address, user agent, device details, and software versions, will be revealed. The email address and phone number could have acted as the identifying markets to allow the attacker to access the names of the NFTs connected to the target and their corresponding wallet address. 

OpenSea’s Security Concerns

Reportedly the OpenSea team has addressed the issue by quickly releasing a patch to fix the vulnerability. The Imperva team confirmed that this patch restricts cross-origin communication and will prevent future exploitation, thus successfully addressing the threat. 

However, this is not the first security threat faced by OpenSea. In September 2021, the platform experienced a bug that resulted in the deletion of NFTs worth 28.44 ETH or $100,000. Forward to a year later, in February 2022, OpenSea was targeted by a hacker who had stolen several high-value NFTs from the platform’s users. 

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.