Non-fungible token marketplace OpenSea has reportedly patched a bug that, if exploited, could have exposed the identities of its anonymous users.
In a March 9 blog post, cybersecurity firm Imperva detailed how it discovered the vulnerability, which it claimed could be used to de-anonymize OpenSea users "by linking an IP address, browser session, or email under certain conditions" to an NFT.
Imperva explained that because an NFT corresponds to a cryptocurrency wallet address, a user's real identity can be revealed once the information collected is linked to the wallet and its activity.
The bug is described as a cross-site search vulnerability. According to Imperva, OpenSea misconfigured a library that resizes web page elements which load HTML content from elsewhere, elements often used to place advertisements, interactive content, or embedded video. Because OpenSea did not restrict the library's communication, an attacker could use the information it broadcast as an "oracle": a search that returns no results produces a smaller page, so the reported size reveals whether a search matched, which lets the attacker narrow things down.
In the attack Imperva describes, an attacker emails or texts the target a link that, if clicked, "discloses valuable information such as the target's IP address, user agent, device details, and software version." The attacker would then exploit OpenSea's vulnerability to extract the name of the target's NFT and associate the corresponding wallet address with identifying information, such as the email address or phone number to which the original link was sent.
OpenSea "resolved the issue quickly" and appropriately restricted the library's communications, Imperva said, reporting that the platform "is no longer at risk from this type of attack."
Users of the platform have long been victims of attacks that mimic OpenSea functionality, such as phishing sites that resemble the platform or signed requests that appear to come from OpenSea. OpenSea itself has also come under criticism for its platform security after a major phishing attack in February 2022 resulted in the theft of more than $1.7 million worth of NFTs from users.
As for the recently patched bug, it's unclear how long it had been around or whether any users were affected.
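The misconfiguration and the fix described above can be modelled in a few lines. This is an added example, not OpenSea's or Imperva's code: it assumes the page reports its height to whatever page embeds it through the browser's `window.postMessage(message, targetOrigin)` mechanism, and every origin, height and function name in it is constructed for illustration.

```javascript
// Added example; all origins, heights and names are constructed.
const TRUSTED_EMBEDDERS = ["https://widgets.example"]; // hypothetical allowlist

// Stand-in for the browser rule behind window.postMessage(message, targetOrigin):
// the message reaches the receiving window only if targetOrigin is "*" or
// equals that window's origin.
function deliver(receiverOrigin, message, targetOrigin) {
  const matches = targetOrigin === "*" || targetOrigin === receiverOrigin;
  return matches ? message : null;
}

// Weak setting: the page broadcasts its height to any embedder.
function reportHeightBroadcast(embedderOrigin, height) {
  return deliver(embedderOrigin, { type: "resize", height }, "*");
}

// Corrected setting: one send per allowlisted origin; every send whose
// targetOrigin does not match the actual embedder is dropped.
function reportHeightRestricted(embedderOrigin, height, allowed = TRUSTED_EMBEDDERS) {
  for (const origin of allowed) {
    const seen = deliver(embedderOrigin, { type: "resize", height }, origin);
    if (seen !== null) return seen;
  }
  return null;
}

// Leak check: does an embedder observe different values for a search page
// with results and one without? If so, page size works as a yes/no oracle.
function leaksSearchOutcome(report, embedderOrigin, pages) {
  const seen = pages.map((p) => {
    const msg = report(embedderOrigin, p.height);
    return msg === null ? "nothing" : String(msg.height);
  });
  return new Set(seen).size > 1;
}

// Constructed sample: a results page is taller than an empty one.
const SAMPLE_PAGES = [
  { query: "has-results", height: 1800 },
  { query: "no-results", height: 420 },
];

function auditExample() {
  const untrusted = "https://untrusted.example";
  return {
    broadcastLeaksToUntrusted: leaksSearchOutcome(reportHeightBroadcast, untrusted, SAMPLE_PAGES),
    restrictedLeaksToUntrusted: leaksSearchOutcome(reportHeightRestricted, untrusted, SAMPLE_PAGES),
    restrictedWorksForTrusted: reportHeightRestricted(TRUSTED_EMBEDDERS[0], 420) !== null,
  };
}
```

With the restricted setting an untrusted embedder receives nothing for either page, so the size difference no longer distinguishes a matching search from an empty one, while the allowlisted embedder can still resize the element.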


















