OpenSea fixes a major vulnerability that could have leaked your identity
- The loophole at OpenSea, when exploited, could have enabled the attacker to obtain users’ identities.
- OpenSea quickly fixed the problem after the vulnerability came to light.
Cyber security company Imperva discovered a major vulnerability in the popular NFT marketplace OpenSea, which, if successfully exploited, could allow an attacker to obtain the identity of users on the platform.
According to Imperva, the misconfiguration of the iFrame-resizer library used by OpenSea was the main reason behind the vulnerability.
Providing more details on the exploit mechanism for the issue, Imperva stated that the attacker would send a link via email or SMS.
If the victim clicks on the link, important information such as the target’s IP address, user agent, device details and software versions will be retrieved.
A cross-site search vulnerability would then be exploited to obtain the target’s NFT name, and the attacker would then link the leaked NFT/public wallet address to the email or phone number to which the link was originally sent.
However, Imperva’s report mentioned that OpenSea had fixed the problem after it was reported and that the marketplace was no longer vulnerable to such attacks.
Tainted Past
OpenSea has faced serious concerns over the platform’s security in the past. In February 2022, it was at the center of one of the biggest hacks in the NFT ecosystem.
During the exploit, $1.7 million worth of NFTs were stolen from users’ wallets. The breach was acknowledged by OpenSea CEO Devin Finzer.
Another update: over the past few hours we’ve spoken to dozens of people, teams and projects across the NFT space.
— Devin Finzer (dfinzer.eth) (@dfinzer) 20 February 2022
In less than three months, the marketplace was hit again when its Discord channel was compromised. The hackers posted fake news of a YouTube collaboration that included a link to a phishing website.
The impact of the hacks prompted OpenSea to take some concrete steps to protect its users. Last month, it introduced a three-hour grace period during which sellers will be prevented from accepting offers after a deemed sale.
Trading activity decreases
Meanwhile, OpenSea has seen a significant drop in trading activity on the platform since mid-February. Weekly NFT trading plunged 40% as of press time, according to data from Token Terminal.
As a consequence, royalties paid to creators also fell. At the time of writing, the weekly fees on the listings page fell by 40%, which may deter interested creators from putting their work on the market.
OpenSea had been hit hard by the Blur [BLUR] storm that swept over the NFT market ecosystem. According to data from Dune Analytics, OpenSea’s share of the total trading volume across all marketplaces was reduced to 26%.
However, it still managed to hold onto a significant portion of its user base and total sales, with a dominance of 62.8% and 51% respectively.