OpenSea fixes vulnerabilities that have potentially exposed users’ identities
Non-fungible token (NFT) marketplace OpenSea has reportedly patched a vulnerability that, if exploited, could have exposed identifying information about its anonymous users.
In a March 9 blog post, cybersecurity firm Imperva described how it discovered the vulnerability, which it claimed could de-anonymize OpenSea users “by linking an IP address, a browser session, or an email under certain conditions” to an NFT.
As the NFT corresponds to a cryptocurrency wallet address, a user’s real identity can be revealed from the information collected and associated with the wallet and its activity, Imperva explained.
The exploit is understood to have taken advantage of a cross-site search vulnerability. Imperva claimed that OpenSea had misconfigured a library that resizes web page elements which load HTML content from other locations; such elements are typically used to place ads, interactive content, or embedded videos.
Since OpenSea did not restrict this library’s communications, exploiters could use the information it broadcasts as an “oracle” to determine when searches yield no results, as the web page would then be smaller.
Imperva detailed that an attacker would send their target a link via email or SMS, which if clicked “reveals valuable information, such as the target’s IP address, user agent, device details and software versions.”
The attacker would then use OpenSea’s vulnerability to extract the target’s NFT names and associate the corresponding wallet address with identifying information, such as the email address or phone number to which the original link was sent.
Imperva said that OpenSea “quickly resolved the issue” and appropriately restricted the library’s communications, reporting that the platform was “no longer vulnerable to such attacks.”
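The difference between an unrestricted and a restricted size report, as an added example that is not Imperva’s or OpenSea’s code. It assumes the size reports travel over `window.postMessage`; the origins, function names and the mock parent window (which stands in for the browser’s target-origin check so the code runs in Node) are all hypothetical.

```javascript
// Added illustration: models the browser's postMessage delivery rule so it runs in Node.
// All names here (makeFrameParent, reportHeightBroadcast, ...) are hypothetical.

// Mock of the window that embeds the page; `origin` is whoever is framing it.
function makeFrameParent(origin) {
  const received = [];
  return {
    origin,
    received,
    // Browser rule: deliver only if targetOrigin is "*" or equals the receiver's origin.
    postMessage(message, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === origin) received.push(message);
    },
  };
}

// Weak setting: the size report goes to any embedding origin.
function reportHeightBroadcast(parent, height) {
  parent.postMessage({ type: "resize", height }, "*");
}

// Corrected setting: name each trusted origin explicitly; the browser drops the rest.
function reportHeightRestricted(parent, height, trustedOrigins) {
  for (const origin of trustedOrigins) {
    parent.postMessage({ type: "resize", height }, origin);
  }
}

// Receiving side: accept resize messages only from expected origins and sane values.
function acceptResize(event, trustedOrigins) {
  if (!trustedOrigins.includes(event.origin)) return null;
  const h = event.data && event.data.type === "resize" ? event.data.height : NaN;
  return Number.isInteger(h) && h >= 0 && h <= 100000 ? h : null;
}

// Constructed sample origins.
const TRUSTED = ["https://marketplace.example"];
function demo() {
  const foreign = makeFrameParent("https://other.example");
  const own = makeFrameParent("https://marketplace.example");
  reportHeightBroadcast(foreign, 420);           // foreign page learns the height
  const leakedWeak = foreign.received.length;
  foreign.received.length = 0;
  reportHeightRestricted(foreign, 420, TRUSTED); // dropped by the origin check
  reportHeightRestricted(own, 420, TRUSTED);     // trusted embedder still resizes
  return { leakedWeak, leakedFixed: foreign.received.length, ownGot: own.received.length };
}
console.log(demo());
```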
Users of the platform have long been victims of attacks that mimic OpenSea’s features to perform exploits, such as phishing websites that resemble the platform or signature requests that appear to originate from OpenSea.
OpenSea itself has faced criticism for its platform security due to a major phishing attack in February 2022 that resulted in $1.7 million worth of NFTs being stolen from users.
As for the recently patched vulnerability, it is unknown how long it existed or whether any users were affected by the exploit.
OpenSea did not immediately respond to Cointelegraph’s request for comment.