OpenSea vulnerability allowed hackers to deanonymize users
OpenSea, the world’s most popular marketplace for non-fungible tokens (NFT), was found to have a vulnerability that allowed hackers to deanonymize users and possibly reveal their full identities, according to cybersecurity researchers from Imperva. The researchers notified OpenSea, and the vulnerability was later confirmed and addressed.
The researchers found that the OpenSea website carried a cross-site search vulnerability, as it didn’t restrict cross-origin communication. The iFrame-resizer library was at the root of the problem.
Exposing NFT owners
The iFrame-resizer library broadcasts the width and height of the page, which can be used as an “oracle” to determine when a given search returns results because the page is smaller when a search returns zero results. By continuously searching the user’s assets, which is done cross-origin through a tab or popup, an attacker can leak the name of an NFT created by the user, thereby revealing their public wallet address. This information can associate the user’s identity with the leaked NFT and public wallet address.
As a result, the victims might have their identities exposed, the researchers concluded.
To exploit the flaw, an attacker could send a link to the victim, be it via email, SMS, or any other communication channel. By clicking on the link, the victim reveals valuable information such as IP address, user agent, device details, software versions, and similar.
Next, the attacker would exploit the cross-site search vulnerability to extract one of the target’s NFT names. And by associating the leaked NFT/public wallet address with the target, the attacker might expose the victim’s true identity.
After disclosing the flaw to the marketplace, OpenSea “quickly” released a patch, the researchers said. The flaw was addressed by restricting cross-origin communication, thus mitigating the risk of further exploitation, they concluded.
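To make the fix concrete, the following is an added example (not code from OpenSea or from the iframe-resizer project) that models the embedded ("child") side of an iframe-resizer style setup, where the framed page reports its size to whichever window embeds it. It contrasts a child that answers any embedder with targetOrigin "*" (the cross-origin size broadcast the researchers used as an oracle) against one that only replies to an allow-listed embedder and addresses the reply to that origin alone; the "[iFrameSizer]" prefix, the "id:height:width:type" layout and all origins are assumptions constructed for this example.

```javascript
// Added example, not OpenSea's or iframe-resizer's code. Models the framed
// page's reply to an embedder's init message. The "[iFrameSizer]" prefix and
// "id:height:width:type" layout are assumed; origins are constructed.

const MSG_PREFIX = "[iFrameSizer]";
const TRUSTED_EMBEDDERS = new Set(["https://marketplace.example"]);

function buildSizeReport(id, height, width, type) {
  return `${MSG_PREFIX}${id}:${height}:${width}:${type}`;
}

// Weak child: answers any embedder and posts with targetOrigin "*", so a page
// on any origin that frames it can read the size of the rendered page.
function replyUnrestricted(parentWin, initEvent, size) {
  const msg = buildSizeReport("f1", size.height, size.width, "init");
  parentWin.postMessage(msg, "*");
  return true;
}

// Hardened child: only an allow-listed embedder gets a reply, and the reply
// is addressed to that origin rather than to "*".
function replyRestricted(parentWin, initEvent, size, trusted = TRUSTED_EMBEDDERS) {
  if (!trusted.has(initEvent.origin)) return false;
  const msg = buildSizeReport("f1", size.height, size.width, "init");
  parentWin.postMessage(msg, initEvent.origin);
  return true;
}

// Minimal stand-in for window.parent so both handlers run outside a browser;
// it records what would have been posted and to which target origin.
function makeRecorder() {
  const sent = [];
  return { sent, postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); } };
}

// Exercise both handlers with a constructed untrusted and a trusted embedder.
function demo() {
  const size = { height: 480, width: 1024 };
  const untrusted = { origin: "https://untrusted.example" };
  const trusted = { origin: "https://marketplace.example" };
  const weak = makeRecorder(), strong = makeRecorder();
  replyUnrestricted(weak, untrusted, size);
  const leaked = replyRestricted(strong, untrusted, size);
  const allowed = replyRestricted(strong, trusted, size);
  return { weakSent: weak.sent, leaked, allowed, strongSent: strong.sent };
}
```

In a real deployment the same allow-list would also back a Content-Security-Policy frame-ancestors directive, so an untrusted origin cannot frame the page in the first place.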