Cybersecurity firm Imperva discovered a vulnerability that could be used to leak personal information such as email addresses and phone numbers, which has now been patched.
Nonfungible token (NFT) marketplace OpenSea has reportedly patched a vulnerability that, if exploited, could expose identifying information about its anonymous users.
In a March 9 blog post, cybersecurity firm Imperva detailed how it discovered the vulnerability, which it claimed could deanonymize OpenSea users “by linking an IP address, a browser session, or an email in certain conditions” to an NFT.
As the NFT corresponds to a cryptocurrency wallet address, a user’s real identity could be revealed from the information gathered and linked to the wallet and its activity, Imperva explained.
Imperva Red Team discovered a cross-site search vulnerability affecting the #NFT marketplace #OpenSea.
This vulnerability allows for the deanonymization of users, potentially revealing a user's identity. https://t.co/nGQWceeGEc
The exploit is understood to have taken advantage of a cross-site search vulnerability. Imperva claimed OpenSea had misconfigured a library that resizes webpage elements that load HTML content from elsewhere (iframes), which are typically used to place ads, interactive content or embedded videos.
As OpenSea didn’t restrict this library’s communications, attackers could use the size information it broadcasts as an “oracle” to work out when a search returned no results, because a page with no results renders smaller than one with hits. Repeating that check for different search terms lets the attacker learn what a logged-in user owns without ever seeing the page contents.
Imperva detailed that an attacker would send their target a link through email or SMS which, if clicked, “reveals valuable information, such as the target’s IP address, user agent, device details, and software versions.”
The attacker would then use OpenSea’s vulnerability to extract the NFT names of their target and associate the corresponding wallet address with identifying information, such as the email address or phone number to which the initial link was sent.
Imperva said OpenSea “quickly addressed the issue” and properly restricted the library’s communications, and reported that the platform “was no longer at risk of such attacks.”
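The mechanism Imperva describes, as an added simulation that is not Imperva’s proof of concept, OpenSea’s code or the resizer library’s real API: a framed search page reports its rendered height to whoever embedded it, and an attacker turns “taller than an empty page” into a yes/no oracle to recover an NFT name one character at a time. The NFT names, pixel heights, prefix-match search behaviour, origins and the `targetOrigin` parameter are all assumptions constructed for the demo; the hardened variant shows the effect of restricting the broadcast to the marketplace’s own origin.

```javascript
// Constructed sample data: the NFT names a hypothetical OpenSea account owns.
const VICTIM_NFTS = ["Azuki #1234", "BoredFox 77", "CryptoCat 9"];

// Characters the attacker tries at each position (assumption for the demo).
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789 #";

// Stand-in for the marketplace's search: case-insensitive prefix match (assumed).
function searchNfts(prefix) {
  const p = prefix.toLowerCase();
  return VICTIM_NFTS.filter((name) => name.toLowerCase().startsWith(p));
}

// Rendered height of the results page: a fixed header plus one row per hit.
// The pixel values are assumptions; only "more hits => taller page" matters.
function renderedHeight(results) {
  return 200 + results.length * 80;
}

// Simulated resizer child frame: after rendering, it reports its height to the
// page that framed it. `targetOrigin` plays the role of postMessage's second
// argument: "*" (vulnerable) delivers to any embedder, a concrete origin only
// to that embedder. This models the behaviour, not the real library's option names.
function childReportsHeight(prefix, embedderOrigin, targetOrigin) {
  const height = renderedHeight(searchNfts(prefix));
  if (targetOrigin !== "*" && targetOrigin !== embedderOrigin) {
    return null; // the browser would not deliver the message to this embedder
  }
  return { type: "resize", height };
}

const ATTACKER_ORIGIN = "https://attacker.example"; // hypothetical

// The attacker's oracle: frame the search page for `prefix` from the attacker's
// origin and read the height it broadcasts. Taller than an empty result page
// means "at least one hit".
function hasHit(prefix, targetOrigin) {
  const msg = childReportsHeight(prefix, ATTACKER_ORIGIN, targetOrigin);
  if (msg === null) return null; // no signal reaches the attacker
  return msg.height > renderedHeight([]);
}

// Extend the prefix one character at a time until no character yields a hit.
// Returns the recovered name, or null when the oracle gives no signal at all.
function recoverNftName(targetOrigin, maxLen = 32) {
  let name = "";
  for (let i = 0; i < maxLen; i++) {
    let extended = false;
    for (const ch of ALPHABET) {
      const hit = hasHit(name + ch, targetOrigin);
      if (hit === null) return null;
      if (hit) { name += ch; extended = true; break; }
    }
    if (!extended) break;
  }
  return name;
}

// Vulnerable configuration: the height goes to any embedder, so a name leaks.
console.log("leaked:", recoverNftName("*"));                          // azuki #1234
// Hardened configuration: the height only goes to the marketplace's own origin.
console.log("hardened:", recoverNftName("https://opensea.example"));  // null
```

The greedy loop recovers one name when several share a prefix; a real attacker would branch at every position where more than one character yields a hit. The fix modelled here is the one the article reports, restricting where the frame sends its messages; in practice the receiving side should also check `event.origin` before acting on a resize message, and a `Content-Security-Policy: frame-ancestors` (or `X-Frame-Options`) header that forbids third-party framing removes the oracle entirely, since the attacker can no longer embed the search page at all.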
Related: Security team creates dashboard to detect possible NFT hacks on OpenSea
Users of the platform have long been victims of attacks that mimic OpenSea’s functions to carry out exploits, such as phishing websites that imitate the platform or signature requests appearing to originate from OpenSea.
OpenSea itself has faced criticism for its platform security due to a major phishing attack in February 2022 that resulted in over $1.7 million worth of NFTs being stolen from users.
As for the recent patch, it’s unknown how long the vulnerability existed or whether any users had been affected by the exploit.
OpenSea did not immediately respond to Cointelegraph’s request for comment.