Opensea and CPR: how to avoid malicious NFTs

By Raffaele Redi

The world’s largest NFT marketplace, OpenSea, said it had patched critical security flaws.

The OpenSea logo as displayed on a smartphone                                 
OpenSea and Check Point Research have warned collectors against malicious NFTs – Photo: Shutterstock.

The world’s largest NFT marketplace, OpenSea, has revealed in a blog post that it has patched critical security flaws recently identified by Check Point Research (CPR).

According to the cyber security firm’s own blog, malicious NFTs could be introduced by attackers on the NFT platform to steal the funds from cryptocurrency wallets.

CPR investigated OpenSea after users reported falling victim to attacks triggered by malicious NFTs. These attacks ultimately did not leverage a vulnerability within OpenSea but led to the discovery of a security flaw within the platform.

“Left unpatched, the vulnerabilities could allow hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs,” CPR said.

How do malicious NFTs work?

According to CPR’s experts, malicious NFTs come to victims as gifts. As users accept them, they allow attackers to connect to and consequently access their wallets and steal funds. The following is an example of such a suspicious transaction:

  1. Hacker creates and gifts a malicious NFT to a targeted victim.
  2. Victim views the malicious NFT, triggering a pop-up message from OpenSea’s storage domain, requesting connection to the victim’s cryptocurrency wallet (such popups are common on the platform through various other activities).
  3. Victim clicks to connect their wallet to perform an action on the gifted NFT, thus enabling access to the victim’s wallet.
  4. Hackers can obtain the money in the wallet by triggering an additional popup, which is also sent from OpenSea’s storage domain. The user may click on the popup if they fail to spot the notice in the popup describing the transaction.
  5. The result could be theft of a user’s entire cryptocurrency wallet.
Example of a potential attack vector
Attack example provided by OpenSea – Photo:

How to protect from a malicious NFT?

CPR recommends being careful when receiving requests to sign wallets online. Before approving any request, users should carefully review what is being asked for, and consider whether the request is abnormal or suspicious. Users should reject any suspicious requests and examine them further, before providing any authorisation.

The Opensea platform added: “Users should note that OpenSea does not request wallet signatures for viewing or clicking third-party photos or links. Such activity is highly suspicious and users should not sign transactions that are unrelated to the specific actions on OpenSea listed above.”

Did OpenSea fix it?

Opensea said it has fixed the issue and verified the fix was effective.

“CPR worked closely and collaboratively with us to ensure the fix worked correctly. We also worked diligently to analyse relevant reports from OpenSea users who indicated they might have been exploited by a malicious NFT. However, we have yet to identify a single instance where a malicious file was leveraged,” it concluded.

The material provided on this website is for information purposes only and should not be regarded as investment research or investment advice. Any opinion that may be provided on this page is a subjective point of view of the author and does not constitute a recommendation by Currency Com Bel LLC or its partners. We do not make any endorsements or warranty on the accuracy or completeness of the information that is provided on this page. By relying on the information on this page, you acknowledge that you are acting knowingly and independently and that you accept all the risks involved.
iPhone Image
Trade the world’s top tokenised stocks, indices, commodities and currencies with crypto or fiat
iMac Image
Trade the world’s top tokenised stocks, indices, commodities and currencies with crypto or fiat
iMac Image