- Vulnerabilities in its system almost endanger OpenSea’s users.
- A cybersecurity firm, Imperva, details how the vulnerability in OpenSea was created.
- OpenSea acts fast in the face of possible chaos.
A cybersecurity firm named Imperva reportedly found a vulnerable spot in OpenSea that could potentially cause a leak in customer information.
NFT marketplace, OpenSea, has patched up the vulnerability, which, if left for too long, could expose the identity of its users, like their phone numbers, Email addresses, and other information that could have stripped them of their anonymity.
The cybersecurity firm that discovered the vulnerability detailed how it found the leak in a blog post last week, stating that the users of NFT marketplace OpenSea could be compromised if an IP address was linked or a browser session or an email in certain circumstances to an NFT.
NFTs are also linked to a crypto wallet address, and a user’s real identity could be quickly revealed from the information gathered and could then be linked to the wallet and its activity.
Imperva claims that the vulnerability was gotten from taking advantage of a cross-site search vulnerability, and OpenSea had allegedly misconfigured a library that helps in resizing webpage elements that also help in loading HTML contents from another source is typically used to place ads, interactive content, and embedded videos.
OpenSea decision to not restrict the library’s communications could allow exploiters to use the information it broadcasts as an oracle to aid in narrowing down when searches return no results, as it would make the webpage smaller.
The cybersecurity firm also added that an attacker could send their target link with the use of sms or emails, which, if clicked by a user, could reveal important information on the user, like their IP address, user agent software versions, and other things like their device details.
When all these are obtained, an attacker could then go ahead to make use of OpenSea’s vulnerability to exploit and extract the NFT identities of their targets and associate them with their wallet addresses with identifying information like their email or phone numbers which were previously obtained through the link clicked by the user.
OpenSea quickly addressed the vulnerability in their system and patched it up by properly restricting communication for the library and ensuring that the NFT marketplace was safe from the risk of such attacks.
OpenSea’s users have previously been victims of copycat attacks that mimic OpenSea’s functionality to exploit users with phishing websites that look precisely like OpenSea or by sending in Signature requests that seem like they originated from OpenSea.
OpenSea’s quick response to the information of a vulnerability in its system saved it from the chaos that could have ensued if exploiters succeeded in using users’ data to access their wallets. It would have led to another attack on users and created another wave of hacks in the web three space.
OpenSea had previously faced criticism for its lack of security when a significant phishing attack in February last year wiped over $1.7 million worth of NFTs from its users.
It is unclear if this recent vulnerability resulted in any loss for users, but OpenSea quickly fixed the vulnerability.