
Bugs in the OpenSea NFT Platform Allow Hackers to Steal Cryptocurrency Wallets


Details regarding a bug on the OpenSea platform that allowed hackers to hijack user accounts and steal the corresponding bitcoin wallets emerged recently. 

The attack method is as simple as producing an NFT with a malicious payload and waiting for a victim to take the bait and see it. 

Several users reported empty cryptocurrency wallets after receiving gifts on the OpenSea marketplace, a marketing strategy known as “airdropping” that is used to promote new virtual assets. 

Users are reporting empty wallets following the NFT airdrop. 

Check Point researchers were enticed by these accounts and decided to take a closer look at how the platform works and look for vulnerabilities. 

An OpenSea account requires the use of a third-party cryptocurrency wallet from a list supported by the site. One of the most popular is MetaMask, which was also chosen by the researchers. 

Anyone can sell digital art on the OpenSea platform, which accepts files up to 40MB in size and with any of the following extensions: JPG, PNG, GIF, SVG, MP4, WEBM, MP3, WAV, OGG, GLB, GLTF. 

Knowing this, Check Point submitted an SVG image containing malicious JavaScript code to the OpenSea system. When they clicked on it to open it in a new tab, they saw that the file was running under the 'storage.opensea.io' subdomain.

They also added an iFrame to the SVG picture in order to load HTML code that would inject the “window.ethereum” required to communicate with the victim’s Ethereum wallet. 

The wallet functionality is abused via the Ethereum RPC-API, which initiates a connection with MetaMask and displays the prompt for connecting to the wallet.

As these requests frequently appear as a system notice, customers were likely to authorise the transaction without reading the message. 

With an OpenSea platform transaction domain and behaviour that victims generally see with other NFT operations, it’s simple to understand how users could have been taken advantage of. 

Check Point researchers detailed the attack as follows: 

  1. A hacker builds and distributes a malicious NFT to a victim. 
  2. When the victim views the malicious NFT, a pop-up from OpenSea’s storage domain appears, demanding access to the victim’s bitcoin wallet.
  3. The victim clicks to connect their wallet and conduct the action on the gifted NFT, granting access to their wallet.
  4. The money in the wallet can be obtained by triggering an extra pop-up, which is likewise sent from OpenSea’s storage domain.
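The steps above depend on an uploaded SVG carrying active content (script, iframe, event handlers). The following platform-side check is an added example, not Check Point's or OpenSea's code, that flags such content before an image is stored; the sample SVGs are constructed here and the attacker URL is a placeholder.

```python
# Added example (not the page's or OpenSea's code): flag active content in
# uploaded SVG files so a marketplace can reject them before serving.
import xml.etree.ElementTree as ET

# Elements that can execute code or embed foreign documents inside an SVG.
ACTIVE_ELEMENTS = {"script", "iframe", "foreignObject", "embed", "object"}


def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on tags and attributes.
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_bytes):
    """Return a list of findings describing active content in an SVG."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as e:
        return [f"unparseable: {e}"]
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            if a.startswith("on"):  # onload=, onclick=, ... run JavaScript
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
    return findings


def is_safe_svg(svg_bytes):
    return not find_active_content(svg_bytes)


# Constructed samples: a benign image and one shaped like the described attack
# (script element plus an iframe inside foreignObject, with an onload handler).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
    b'<script>/* placeholder for wallet-prompting code */</script>'
    b'<foreignObject><iframe xmlns="http://www.w3.org/1999/xhtml" '
    b'src="https://attacker.example/"/></foreignObject></svg>'
)

if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, find_active_content(svg) or "clean")
```

Serving user images with a restrictive Content-Security-Policy and a Content-Disposition: attachment header is a complementary control when rendering cannot be avoided.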


On September 26, Check Point researchers notified OpenSea of their findings. The two parties worked together to solve the problem, and OpenSea had a solution in less than an hour after the responsible disclosure. 

According to OpenSea, they were unable to discover any incidents in which attackers exploited this vulnerability, but they will continue to raise awareness and educate the community on security best practices and how to spot fraud and phishing attempts.

Ahmed Khanji


Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.
