A now patched critical vulnerability in OpenSea, the world’s largest non-fungal token (NFT) market, could have been abused by malicious actors to drain cryptocurrency from a victim by sending a custom-made token and opening a new attack vector for exploitation.
The findings come from cybersecurity firm Check Point Research, which launched an investigation into the platform following public reports of stolen cryptocurrency wallets triggered by free airdropped NFTs. The issues were resolved in less than an hour of responsible publication on September 26, 2021.
“The vulnerabilities cannot be hacked, so hackers can hijack user accounts and steal entire cryptocurrency wallets by creating malicious NFTs,” said Check Point researchers.
As the name suggests, NFTs are unique digital assets such as photos, videos, audio and other goods that can be sold and traded on the blockchain, using the technology as a certificate of authenticity to establish a verified and public proof of ownership.
The modus operandi of the attack relies on sending victims a malicious NFT that, when clicked, results in a scenario where junk transactions can be facilitated through a third-party wallet provider by simply providing a wallet signature to connect their wallets and perform actions on targets on behalf. “Users should be hyper-aware of what they are signing up on OpenSea, as well as other NFT platforms, and whether it correlates with expected actions,” the researchers said.
OpenSea said it has not identified any cases where this vulnerability was exploited in nature, but added that it is working with third-party wallet services to “help users better identify malicious signature requests as well as other initiatives to help users combat fraud” and more effective phishing attacks. “
“Blockchain innovation is fast approaching and NFTs are here to stay. Given the tremendous pace of innovation, there is an inherent challenge in the secure integration of software applications and crypto markets,” said Oded Vanunu, Head of Product Vulnerability Research at Check Point. “Bad actors know they have an open window right now to take advantage of consumer adoption, while security measures in this space still need to catch up.”