Vulnerability in OpenSea | Alterdraft

Researchers from Imperva's Red Team have discovered a vulnerability in OpenSea, the largest marketplace for non-fungible tokens (NFTs), which could enable attackers to uncover the identities of its users.


13/06/2023, 12:16 / Admin


After notifying OpenSea, the researchers confirmed that the vulnerability had been effectively resolved.


The researchers outlined their findings in a blog post, explaining that the OpenSea website contained a cross-site search (XS-Search) vulnerability because it did not restrict cross-origin communication. They identified the iFrame-resizer library as the root cause.

The iFrame-resizer library transmitted the page's width and height, so the reported size could serve as an "oracle" for whether a search query produced results: when a search yielded no results, the page was smaller. By repeatedly running cross-origin searches over a user's assets through a tab or popup, an attacker could deduce the name of an NFT created by the user, thereby exposing their public wallet address. This information could then be used to link the user's identity with the leaked NFT and public wallet address. Ultimately, this flaw could lead to the exposure of victims' identities.

To exploit the vulnerability, an attacker would need to send a link to the victim through channels like email or SMS. Clicking on the link would inadvertently disclose valuable information, including IP address, user agent, device details, software versions, and similar data.

Subsequently, the attacker would leverage the cross-site search vulnerability to extract one of the target's NFT names. By connecting the leaked NFT/public wallet address with the targeted user, the attacker could potentially reveal the victim's true identity.

OpenSea promptly addressed the flaw upon being informed by the researchers. The marketplace released a patch that restricted cross-origin communication, effectively reducing the risk of further exploitation.
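The size oracle and the fix described above can be seen in a simplified model. This is an added example, not OpenSea's or the iFrame-resizer library's code; the function names, origins and heights are all constructed for illustration, and `makeReceiver` only imitates how a browser applies the `targetOrigin` argument of `postMessage`.

```javascript
// Simplified model (added example): a page reports its rendered height to the
// window that embeds or opened it, as a resizing helper would.
// All names, origins and heights here are constructed for illustration.

// Stand-in for a browser window: a message is delivered only when
// targetOrigin is '*' or equals the receiving window's origin.
function makeReceiver(origin) {
  const received = [];
  return {
    received,
    postMessage(msg, targetOrigin) {
      if (targetOrigin === '*' || targetOrigin === origin) received.push(msg);
    },
  };
}

// Weak setting: the size is sent with a wildcard target origin.
function reportSizeUnrestricted(receiver, height) {
  receiver.postMessage({ type: 'size', height }, '*');
}

// Hardened setting: the size is addressed only to allowlisted origins, so a
// receiver on any other origin never sees it.
function reportSizeRestricted(receiver, height, allowedOrigins) {
  for (const origin of allowedOrigins) {
    receiver.postMessage({ type: 'size', height }, origin);
  }
}

// Constructed heights: a results page is taller than an empty one.
const HEIGHT_WITH_RESULTS = 1800;
const HEIGHT_NO_RESULTS = 600;

// Heights observed by a window on `origin` for the two page states.
function heightsSeenBy(origin, report) {
  const receiver = makeReceiver(origin);
  report(receiver, HEIGHT_WITH_RESULTS);
  report(receiver, HEIGHT_NO_RESULTS);
  return receiver.received.map((m) => m.height);
}

const ALLOWED = ['https://marketplace.example'];
const UNTRUSTED = 'https://other.example';
const restricted = (r, h) => reportSizeRestricted(r, h, ALLOWED);

console.log('wildcard, untrusted origin:', heightsSeenBy(UNTRUSTED, reportSizeUnrestricted));
console.log('allowlist, untrusted origin:', heightsSeenBy(UNTRUSTED, restricted));
console.log('allowlist, trusted origin:', heightsSeenBy(ALLOWED[0], restricted));
```

With the wildcard target, an unrelated origin observes two different heights, which is the signal the researchers describe; with the allowlist it observes nothing, while the legitimate embedding origin still receives both sizes.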
