A now-patched critical vulnerability in OpenSea, the world’s
largest non-fungible token (NFT[1]) marketplace, could’ve
been abused by malicious actors to drain cryptocurrency funds from
a victim by sending a specially-crafted token, opening a new attack
vector for exploitation.
The findings come from cybersecurity firm Check Point Research,
which began an investigation into the platform following public
reports of stolen cryptocurrency wallets triggered by free
airdropped NFTs. The issues were fixed in less than one hour of
responsible disclosure on September 26, 2021.
“Left unpatched, the vulnerabilities could allow hackers to
hijack user accounts and steal entire cryptocurrency wallets by
crafting malicious NFTs,” Check Point researchers said[2].
As the name indicates, NFTs are unique digital assets such as
photos, videos, audio, and other items that can be sold and traded
on the blockchain, using the technology as a certificate of
authenticity to establish a verified and public proof of
ownership.
The modus operandi of the attack relies on sending victims a
malicious NFT that, when clicked, results in a scenario whereby
rogue transactions can be facilitated through a third-party wallet
provider simply by providing a wallet signature to connect their
wallets and perform actions on the targets’ behalf. “Users should
be hyper-aware of what they sign on OpenSea, as well as other NFT
platforms, and whether it correlates with expected actions,” the
researchers said.
OpenSea said it hasn’t identified any instances where this
vulnerability was exploited in the wild but added it’s working with
third-party wallet services to “help users better identify
malicious signature requests, as well as other initiatives to help
users thwart scams and phishing attacks with greater efficacy.”
“Blockchain innovation is fast-underway and NFTs are here to
stay. Given the sheer pace of innovation, there is an inherent
challenge in securely integrating software applications and crypto
markets,” said Oded Vanunu, head of products vulnerabilities
research at Check Point. “Bad actors know they have an open window
right now to take advantage of, with consumer adoption spiking,
while security measures in this space still need to catch up.”