- Hackers exploited the pop-up functions on the OpenSea website stealing directly from users’ crypto wallets.
- OpenSea has been working with Check Point on the matter and doubling down its efforts to educate users about security matters.
In less than a month of accepting insider trading, the biggest NFT marketplace OpenSea is yet again under suspicion. The Ethereum-based NFT marketplace has been facing a major security vulnerability as per researchers from Check Point Software.
The researchers stated that the vulnerability allowed hackers to steal users’ entire crypto wallets. As said, OpenSea has been the biggest marketplace for buying, selling, and trading NFTs and other digital collectibles.
CheckPoint came across the vulnerability for the first time following reports of stolen crypto wallets triggered by airdropped NFTs. The Check Point researchers later discovered critical security issues “that, if exploited, could have led hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs”.
The OpenSea security vulnerability
The attack method on OpenSea involved a very simple way of creating an NFT with a malicious payload. Then it was just about waiting for the victim to take the bait and view the malicious NFT art.
Later, several users reported seeing empty crypto wallets after receiving gifts on the OpenSea marketplace. Thus, it was nothing but a marketing tactic dubbed “airdropping” used to promote new virtual assets. The attack basically relied on users’ inattention and the fact that OpenSea generates a lot of pop-ups.
Whenever the victim received and viewed a malicious NFT sent by the hacker, it would trigger a pop-up from OpenSea’s storage domain. Later it would request a connection to the victim’s crypto wallet. Once the victim clicked the pop-up, it would give the hacker access to their crypto wallet while allowing them to generate another pop-up.
When the victim would further click on it without noticing the transaction note, the hacker would completely steal all their holdings.
Observations by Check Point researchers
The researchers at Check Point decided to take a closer look at how the platform works to unearth the vulnerabilities. OpenSea supports several third-party crypto wallets one of the popular ones being MetaMask.
Using this, researchers found that any action in the account requires communication with the wallet. Even the action of liking art in the system requires a wallet sign-in request. In its official blog post, Check Point noted:
In our attack scenario, the user is asked to sign with their wallet after clicking an image received from a third party, which is unexpected behavior on OpenSea, since it does not correlate to services provided by the OpenSea platform, like buying an item, making an offer, or favoring an item.
However, it seemed that a lot of things had to go wrong in order for the attack to work. Check Point researchers informed OpenSea about their findings on September 26. The two parties have collaborated to address this issue at hand. OpenSea said that it has implemented a fix “within an hour of it being brought to our attention”. OpenSea further said that it’s “doubling down on community education around security”.