OpenSea has fixed the vulnerability by releasing a patch that restricts cross-origin communication.
In 2022, OpenSea had over 1 million registered users and received more than 121 million monthly visitors to its website. This makes OpenSea not only the largest NFT marketplace but also a lucrative target for cybercriminals. Any vulnerability on the platform can turn into an opportunity for malicious actors and spell disaster for unsuspecting users.
One such exploitable vulnerability in the OpenSea NFT marketplace was identified by Imperva researchers.
Vulnerability Details
The Imperva Red Team discovered a vulnerability affecting the world’s largest NFT marketplace, OpenSea. It is a cross-site search (XS-Search) vulnerability that can be exploited by an attacker to obtain a user’s identity.
All the attacker needs to do is link an IP address, an email, or a browser session to a particular NFT (non-fungible token), thus accessing a wallet address that would reveal the user’s identity. This issue is concerning as it deanonymizes OpenSea users.
Exploitation Mechanism
The attacker sends their target a link via different communication channels, e.g. SMS or email. If the victim clicks on this link, valuable data such as their IP address, device details, user agent, and software versions are leaked.
The attacker can then exploit the cross-site search vulnerability to obtain the victim’s NFT name and associate the leaked public/NFT wallet address with this identity such as the phone number or email to which the link was first sent.
What Causes the Issue?
It is caused by the iFrame-resizer library’s misconfiguration, which the $13.3 billion marketplace uses. When this library is used where cross-origin communication isn’t restricted, cross-site search vulnerability occurs. OpenSea didn’t restrict it, which led to this issue.
This misconfiguration lets this flaw prevail and expose user identities. Given the fact that the NFT ecosystem is entirely anonymity-based, this kind of flaw can have serious implications for OpenSea’s business because if exploited the attacker can launch phishing attacks.
Alternatively, they may track users who have purchased the highest-value NFTs. Researchers could determine that the marketplace uses the ElasticSearch tool since it had advertised for ElasticSearch skills in one of its job advertisements.
Watch the PoC of the vulnerability
Understanding a Cross-Site Search Vulnerability:
Also called XS-Search, Cross-Site Search vulnerability is based on the XS-Leaks family of attacks. It is found in web apps that use query-based search mechanisms.
The vulnerability allows an attacker to obtain sensitive information from another origin simply by sending queries and identifying the difference in the search system’s behaviour with it does or doesn’t yield results. The threat actor gathers information by sending numerous queries. Basically, it can extract sensitive information from a web app.
Has it been Fixed?
According to a blog post that Imprava shared with Hackread.com, after the disclosure of the vulnerability, OpenSea fixed it quickly by releasing a patch that restricted cross-origin communication. This mitigated further exploitation of the vulnerability.
However, this does highlight the ongoing challenges businesses are facing in ensuring security in a highly complex application realm where misconfiguration could get easily overlooked and eventually exploited in decentralized applications or dApps.
With the advent and advancement of Web3 and dApps, hordes of new challenges have also appeared. As much as these environments have become popular, the risk of their exploitation has amplified.
Therefore, it is important to remain vigilant and detect inherent flaws and vulnerabilities in a timely manner to prevent the exploitation of these platforms.
RELATED NEWS
- Official Ferrari Subdomain Hijacked to Host NFT Scam
- This AI Can Generate Unique and Free Bored Ape NFTs
- Phishing: NFTs Worth $1.7M Stolen from OpenSea Users
- Hackers steal $18.7m from Animoca’s Lympo NTF market
- NFT Market OpenSea data breach- Users’ email IDs leaked
