OpenSea patches vulnerability that potentially exposed users’ identities
Nonfungible token (NFT) marketplace OpenSea has reportedly patched a vulnerability that, if exploited, could expose identifying information about its anonymous users.
In a Mar. 9 blog, cybersecurity firm Imperva detailed how it discovered the vulnerability which it claimed could deanonymize OpenSea users “by linking an IP address, a browser session, or an email in certain conditions” to an NFT.
As the NFT corresponds to a cryptocurrency wallet address, a user’s real identity could be revealed from the information gathered and linked to the wallet and its activity, explained Imperva.
Imperva Red Team discovered a cross-site search vulnerability affecting the #NFT marketplace #OpenSea.
This vulnerability allows for the deanonymization of users, potentially revealing a user’s identity. https://t.co/nGQWceeGEc
— Imperva (@Imperva) March 9, 2023
The exploit is understood to have taken advantage of a cross-site search vulnerability. Imperva claimed OpenSea had misconfigured a library that resizes webpage elements that load HTML content from elsewhere which are typically used to place ads, interactive content, or embedded videos.
As OpenSea didn’t restrict this library’s communications, exploiters could use the information it broadcasts as an “oracle” to narrow down when searches return no results as the webpage would be smaller.
Imperva detailed that an attacker would send their target a link through email or SMS which if clicked “reveals valuable information, such as the target’s IP address, user agent, device details, and software versions.”
Screenshot of OpenSea’s front page. Source: OpenSea
The attacker would then use OpenSea’s vulnerability to extract the NFT names of their target and associate the corresponding wallet address with identifying information such as an email or phone number which was sent the original link.
Imperva said OpenSea “quickly addressed the issue” and properly restricted the library’s communications and reported the platform “was no longer at risk of such attacks.”
Users of the platform have long been victims of attacks that mimic OpenSea’s functions to undertake exploits, such as phishing websites that resemble the platform or signature requests appearing to originate from OpenSea.
OpenSea itself has faced criticism for its platform security due to a major phishing attack in February 2022 that resulted in over $1.7 million worth of NFTs being stolen from users.
As for the recent patch, it’s unknown how long it existed or if any users had been affected by the exploit.
OpenSea did not immediately respond to Cointelegraph’s request for comment.