The cybersecurity company Imperva discovered a vulnerability that could have been exploited to disclose user information such as email addresses and phone numbers; the vulnerability has since been patched.
OpenSea, a marketplace for nonfungible tokens, is said to have fixed a bug that, if exploited, could have given away information about its anonymous users.
In a blog post published on March 9, cybersecurity company Imperva detailed how it discovered the vulnerability, which it claimed could deanonymize OpenSea users “by linking an IP address, a browser session, or an email in certain conditions” to an NFT.
As the NFT corresponds to a cryptocurrency wallet address, the information gathered and linked to the wallet’s activity could disclose a user’s true identity, as explained by Imperva.
Imperva Red Team discovered a cross-site search vulnerability affecting the #NFT marketplace #OpenSea. This vulnerability allows for the deanonymization of users, potentially revealing a user's identity. https://t.co/nGQWceeGEc
— Imperva (@Imperva) March 9, 2023
The exploit is believed to rely on a cross-site search vulnerability. Imperva asserted that OpenSea had incorrectly configured a library that resizes the webpage elements used to load HTML content from elsewhere, which are typically used to embed advertisements, interactive content, or videos.
As OpenSea did not restrict this library’s communications, an attacker could use the information it broadcasts as an “oracle” to tell when a search returns no results, because such a search produces a smaller webpage.
According to Imperva, an attacker would send their target an email or SMS containing a link that, when opened, “reveals valuable information such as the target’s IP address, user agent, device details, and software versions.”
The attacker would then exploit the vulnerability in OpenSea to extract the NFT identifiers of their target and associate the wallet address with identifying information such as the email or phone number to which the original link was sent.
Imperva reported that OpenSea “quickly addressed the issue” by restricting the library’s communications and that the platform “was no longer at risk of such attacks.”
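The size oracle and its fix, as an added example that is not Imperva's or OpenSea's code: a small Node.js model of the browser's window.postMessage delivery rule, comparing a wildcard target origin with a restricted one. It assumes the resizing library reports height through postMessage; the origins, pixel values and helper names are constructed for illustration.

```javascript
// Model of the browser rule for window.postMessage(message, targetOrigin):
// the message reaches the receiving window only if targetOrigin is "*"
// or equals that window's origin.
function isDelivered(targetOrigin, receiverOrigin) {
  return targetOrigin === "*" || targetOrigin === receiverOrigin;
}

// Hypothetical resizing helper running inside the marketplace page. It
// reports the rendered height to whichever window embeds or opened the page.
function makeResizer(targetOrigin) {
  return (height, receiver) => {
    if (isDelivered(targetOrigin, receiver.origin)) {
      receiver.inbox.push(height);
    }
  };
}

// Constructed page model: a search with no hits renders a shorter page.
function renderedHeight(resultCount) {
  const HEADER_PX = 200, ROW_PX = 120; // constructed sample values
  return HEADER_PX + ROW_PX * resultCount;
}

// Load an empty and a non-empty search and return the heights the receiving
// origin observed. Differing heights mean the size works as an oracle.
function observedHeights(targetOrigin, receiverOrigin) {
  const receiver = { origin: receiverOrigin, inbox: [] };
  const report = makeResizer(targetOrigin);
  for (const resultCount of [0, 3]) {
    report(renderedHeight(resultCount), receiver);
  }
  return receiver.inbox;
}

const SITE = "https://marketplace.example";  // placeholder first-party origin
const OTHER = "https://unrelated.example";   // placeholder third-party origin

// Misconfigured: wildcard target, any origin learns the size difference.
console.log("wildcard, third party:", observedHeights("*", OTHER));
// Restricted: only the site's own origin receives size messages.
console.log("restricted, third party:", observedHeights(SITE, OTHER));
console.log("restricted, first party:", observedHeights(SITE, SITE));
```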
Users of the platform have long been the target of attacks that imitate OpenSea’s functions in order to conduct exploits, such as phishing websites that resemble the platform and signature requests that appear to originate from OpenSea.
OpenSea has been criticized for its platform security after a massive phishing attack in February 2022 resulted in the loss of over $1.7 million worth of NFTs from users. Regarding the recent patch, it is uncertain how long the exploit existed or if any users were affected.