OpenSea and CPR: how to avoid malicious NFTs
The world’s largest NFT marketplace, OpenSea, said it had patched critical security flaws.
The world’s largest NFT marketplace, OpenSea, has revealed in a blog post that it has patched critical security flaws recently identified by Check Point Research (CPR).
According to the cyber security firm’s own blog, attackers could introduce malicious NFTs onto the platform to steal funds from cryptocurrency wallets.
CPR investigated OpenSea after users reported falling victim to attacks triggered by malicious NFTs. These attacks ultimately did not leverage a vulnerability within OpenSea but led to the discovery of a security flaw within the platform.
“Left unpatched, the vulnerabilities could allow hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs,” CPR said.
How do malicious NFTs work?
According to CPR’s experts, malicious NFTs come to victims as gifts. As users accept them, they allow attackers to connect to and consequently access their wallets and steal funds. The following is an example of such a suspicious transaction:
- Hacker creates and gifts a malicious NFT to a targeted victim.
- Victim views the malicious NFT, triggering a pop-up message from OpenSea’s storage domain, requesting connection to the victim’s cryptocurrency wallet (such popups are common on the platform through various other activities).
- Victim clicks to connect their wallet to perform an action on the gifted NFT, thus enabling access to the victim’s wallet.
- Hackers can obtain the money in the wallet by triggering an additional popup, which is also sent from OpenSea’s storage domain. The user may click on the popup if they fail to spot the notice in the popup describing the transaction.
- The result could be theft of a user’s entire cryptocurrency wallet.
How to protect against a malicious NFT?
CPR recommends being careful when receiving wallet signature requests online. Before approving any request, users should carefully review what is being asked for, and consider whether the request is abnormal or suspicious. Users should reject any suspicious requests and examine them further before providing any authorisation.
OpenSea added: “Users should note that OpenSea does not request wallet signatures for viewing or clicking third-party photos or links. Such activity is highly suspicious and users should not sign transactions that are unrelated to the specific actions on OpenSea listed above.”
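One way a wallet or browser extension could apply the review step described above, as an added example that is not OpenSea's or CPR's own code: it classifies a wallet request by the origin it comes from and by what the user was actually doing, so a connect or send request that arrives while merely viewing a gifted item is surfaced as suspicious. The origins, context values and sample requests are assumptions.

```javascript
// Added example (not OpenSea's or CPR's code): a policy check a wallet or
// extension could run before showing a connect/sign prompt. Names are assumed.
// Origins the user can legitimately expect a wallet prompt from. The media
// storage origin is deliberately excluded: rendering an NFT never needs one.
const APP_ORIGINS = new Set(['https://marketplace.example']);             // assumed
const STORAGE_ORIGINS = new Set(['https://storage.marketplace.example']); // assumed
// JSON-RPC methods that connect the wallet or let a page spend or sign.
const CONNECT_METHODS = new Set(['eth_requestAccounts']);
const SIGN_OR_SPEND_METHODS = new Set([
  'eth_sendTransaction', 'eth_sign', 'personal_sign',
  'eth_signTypedData', 'eth_signTypedData_v4',
]);
// request: { origin, method, params }. context.action: what the user is
// doing in the app ('view', 'buy', ...). Returns the verdict plus the
// reasons and amount the prompt should show so the user can review them.
function classifyWalletRequest(request, context) {
  const sensitive = CONNECT_METHODS.has(request.method) || SIGN_OR_SPEND_METHODS.has(request.method);
  if (!sensitive) return { verdict: 'allow', reasons: [], valueWei: 0n }; // read-only RPC
  const reasons = [];
  const fromApp = APP_ORIGINS.has(request.origin);
  if (!fromApp) {
    reasons.push(STORAGE_ORIGINS.has(request.origin)
      ? 'prompt comes from the media storage origin, not the app'
      : `prompt comes from unknown origin ${request.origin}`);
  }
  // Viewing an item never requires connecting or signing (see OpenSea's note).
  if (context.action === 'view') {
    reasons.push(`${request.method} requested while only viewing an item`);
  }
  // Decode the amount a transaction would move so it is shown explicitly.
  let valueWei = 0n;
  if (request.method === 'eth_sendTransaction') {
    const tx = (request.params && request.params[0]) || {};
    valueWei = BigInt(tx.value || '0x0');
  }
  const verdict = reasons.length === 0 ? 'allow' : fromApp ? 'warn' : 'block';
  return { verdict, reasons, valueWei };
}
// Constructed requests mirroring the reported flow: the victim only views the
// gifted item, yet the storage origin asks to connect, then to send 1 ETH.
const GIFTED_NFT_FLOW = [
  { origin: 'https://storage.marketplace.example', method: 'eth_requestAccounts', params: [] },
  { origin: 'https://storage.marketplace.example', method: 'eth_sendTransaction',
    params: [{ from: '0xVICTIM', to: '0xATTACKER', value: '0xde0b6b3a7640000' }] },
];
// Verdict for each step of a flow, e.g. reviewFlow(GIFTED_NFT_FLOW, { action: 'view' }).
function reviewFlow(requests, context) {
  return requests.map(r => classifyWalletRequest(r, context).verdict);
}
```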
Did OpenSea fix it?
OpenSea said it has fixed the issue and verified that the fix was effective.
“CPR worked closely and collaboratively with us to ensure the fix worked correctly. We also worked diligently to analyse relevant reports from OpenSea users who indicated they might have been exploited by a malicious NFT. However, we have yet to identify a single instance where a malicious file was leveraged,” it concluded.