
Rarible NFT Marketplace Flaw Could’ve Let Attackers Hijack Crypto Wallets

Cybersecurity researchers have disclosed a now-fixed security
flaw in the Rarible non-fungible token (NFT) marketplace that, if
successfully exploited, could have led to account takeover and
theft of cryptocurrency assets.

“By luring victims to click on a malicious NFT, an attacker can
take full control of the victim’s crypto wallet to steal funds,”
Check Point researchers Roman Zaikin, Dikla Barda, and Oded Vanunu
said[1] in a report shared with The Hacker News.

Rarible, an NFT marketplace that enables users to create, buy,
and sell digital NFT art like photographs, games, and memes, has
over 2.1 million active users.

“There is still a huge gap, in terms of security, between Web2 and
Web3 infrastructure,” Vanunu, head of products vulnerabilities
research at Check Point, said in a statement shared with The Hacker
News.

“Any small vulnerability can possibly allow cyber criminals to
hijack crypto wallets behind the scenes. We are still in a state
where marketplaces that combine Web3 protocols are lacking from a
security perspective. The implications following a crypto hack can
be extreme.”

The attack hinges on a malicious actor sending potential victims a
link to a rogue NFT (e.g., an image) which, when opened in a new
tab, executes arbitrary JavaScript code. That code can then send a
setApprovalForAll request to the victim’s wallet, potentially
giving the attacker complete control over the victim’s NFTs.

The setApprovalForAll API[2] is what allows a marketplace (in this
case, Rarible) to transfer sold items from the seller’s address to
the buyer’s address, as defined by the token’s smart contract.

“This function is very dangerous by design because this may
allow anyone to control your NFTs if you get tricked into signing
it,” the researchers pointed out.

“It’s not always clear to users exactly what permissions they
are giving by signing a transaction. Most of the time, the victim
assumes these are regular transactions when in fact, they were
giving control over their own NFTs.”

Once the victim grants the request, the scheme effectively permits
the adversary to transfer all the NFTs out of the victim’s account,
which the attacker can then sell on the marketplace for a higher
price.

As safeguards, it’s recommended that users carefully scrutinize
transaction requests prior to providing any kind of authorization.
Previous token approvals can be reviewed and revoked by visiting
Etherscan’s Token Approval Checker[3] tool.

“NFT users should be aware that there are various wallet
requests – some of them are used just to connect the wallet, but
others may provide full access to their NFTs and Tokens,” the
researchers said.
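The scrutiny the researchers recommend can be automated on the wallet side before a user confirms anything. The following is an added example, not code from Check Point, Rarible, or any wallet: it decodes the calldata of a transaction request and flags a blanket setApprovalForAll to an operator the user has not explicitly trusted. The selectors are the standard ERC-721/ERC-1155 values; the addresses and the trusted-operator set are constructed placeholders.

```javascript
// Added example (not from the Check Point report or Rarible): a pre-signing
// check that decodes the calldata of an eth_sendTransaction request and flags
// blanket operator approvals before the user confirms them in a wallet.
// Selectors are the first 4 bytes of keccak256(signature); these are the
// standard ERC-721 / ERC-1155 values.
const SELECTORS = {
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 and ERC-1155
  "095ea7b3": "approve(address,uint256)",        // ERC-721 single-token approval
};

// Strip an optional 0x prefix and reject anything that is not even-length hex.
function normalizeHex(data) {
  const hex = (data || "").toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length % 2 !== 0) throw new Error("bad calldata");
  return hex;
}

// Return the idx-th 32-byte ABI word after the 4-byte selector.
function word(hex, idx) {
  const w = hex.slice(8 + idx * 64, 8 + (idx + 1) * 64);
  if (w.length !== 64) throw new Error("truncated calldata");
  return w;
}
const wordAsAddress = (hex, idx) => "0x" + word(hex, idx).slice(24); // last 20 bytes
const wordAsBool = (hex, idx) => BigInt("0x" + word(hex, idx)) !== 0n;

// Classify a transaction request. knownOperators is a set of operator addresses
// the user has already chosen to trust (constructed for the example).
function inspectTransactionRequest(tx, knownOperators = new Set()) {
  const hex = normalizeHex(tx.data);
  if (hex.length === 0) return { kind: "plain-transfer", risk: "low" };
  const sig = SELECTORS[hex.slice(0, 8)];
  if (sig === "setApprovalForAll(address,bool)") {
    const operator = wordAsAddress(hex, 0);
    const approved = wordAsBool(hex, 1);
    return {
      kind: "setApprovalForAll", operator, approved,
      // A blanket approval to an operator the user never trusted is the pattern
      // the Rarible finding abused; approved=false is a revocation and benign.
      risk: approved ? (knownOperators.has(operator) ? "medium" : "high") : "low",
    };
  }
  if (sig === "approve(address,uint256)") {
    return { kind: "approve", operator: wordAsAddress(hex, 0), risk: "medium" };
  }
  return { kind: "unknown-call", selector: "0x" + hex.slice(0, 8), risk: "review" };
}
```

A wallet or extension would run this on every eth_sendTransaction and show the decoded operator and flag rather than an opaque hex blob.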

References

  1. said (research.checkpoint.com)
  2. setApprovalForAll API (docs.openzeppelin.com)
  3. Token Approval Checker (etherscan.io)
