Details recently emerged of a bug on the OpenSea platform that allowed attackers to hijack user accounts and steal the corresponding bitcoin wallets.
The attack method is as simple as producing an NFT with a malicious payload and waiting for a victim to take the bait and view it.
Several users reported empty cryptocurrency wallets after receiving gifts on the OpenSea marketplace, a marketing strategy known as “airdropping” that is used to promote new virtual assets.
Users are reporting empty wallets following the NFT airdrop.
Check Point researchers were enticed by these accounts and decided to take a closer look at how the platform works and look for vulnerabilities.
An OpenSea account requires the use of a third-party cryptocurrency wallet from a list supported by the site. One of the most popular is MetaMask, which was also chosen by the researchers.
Anyone can sell digital art on the OpenSea platform, which accepts files up to 40MB in size and with any of the following extensions: JPG, PNG, GIF, SVG, MP4, WEBM, MP3, WAV, OGG, GLB, GLTF.
Knowing this, Check Point submitted an SVG image containing malicious JavaScript code to the OpenSea system. When they clicked on it to open it in a new tab, they saw that the file was running under the 'storage.opensea.io' subdomain.
They also added an iframe to the SVG image in order to load HTML code that would inject the "window.ethereum" object required to communicate with the victim's Ethereum wallet.
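The root cause described above is that an uploaded SVG was accepted as an image yet could carry script, an iframe and event handlers, and was then served from a first-party OpenSea subdomain. The following is an added example, not Check Point's or OpenSea's code, of the kind of upload-time check a marketplace can run to reject SVGs with active content before storing them. It uses only the Python standard library; the two sample SVGs and the finding strings are constructed for illustration, and the JavaScript inside the sample is a placeholder that does nothing.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Element local names (lower-cased) that can execute code, embed other documents,
# or rewrite attributes such as href at render time. Blocking animate/set is
# deliberately conservative; an allowlist of drawing elements is the stricter option.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed", "animate", "set"}

# URL schemes that turn a link or reference into code execution or embedded markup.
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")

# Constructed sample: an SVG carrying the kinds of active content the article
# describes (inline script, an XHTML iframe inside foreignObject, a javascript:
# link and an inline event handler). The script body is a harmless placeholder.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <script>/* placeholder, does nothing */ console.log("active content");</script>
  <foreignObject width="10" height="10">
    <iframe xmlns="http://www.w3.org/1999/xhtml" src="https://example.invalid/page.html"></iframe>
  </foreignObject>
  <a xlink:href="javascript:void(0)"><circle r="5" onclick="void(0)"/></a>
</svg>"""

# Constructed sample: a plain drawing with an ordinary https link.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect width="10" height="10" fill="#abc"/>
  <a href="https://example.invalid/"><circle cx="5" cy="5" r="2"/></a>
</svg>"""


def _split_tag(qualified):
    """Split an ElementTree '{namespace}local' name into (namespace, local)."""
    if qualified.startswith("{"):
        ns, _, local = qualified[1:].partition("}")
        return ns, local
    return "", qualified


def find_active_content(svg_bytes):
    """Return a list of human-readable findings for an SVG document.

    An empty list means nothing active was found. A document that does not parse
    is reported as a finding too, so it is rejected rather than passed through.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)  # expat; comments/PIs are dropped, no external entities fetched
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    root_ns, root_local = _split_tag(root.tag)
    if root_ns != SVG_NS or root_local != "svg":
        findings.append(f"root element is not an SVG <svg>: {root.tag}")

    for elem in root.iter():
        ns, local = _split_tag(elem.tag)
        # Anything outside the SVG namespace (e.g. XHTML) is markup the renderer may execute.
        if ns not in ("", SVG_NS):
            findings.append(f"foreign-namespace element <{local}> ({ns})")
        if local.lower() in ACTIVE_ELEMENTS:
            findings.append(f"active element <{local}>")
        for attr, value in elem.attrib.items():
            _, attr_local = _split_tag(attr)
            name = attr_local.lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {attr_local} on <{local}>")
            if name == "href":
                # Collapse whitespace so "java script:" style obfuscation is still caught.
                normalised = "".join(value.split()).lower()
                if normalised.startswith(DANGEROUS_SCHEMES):
                    findings.append(f"dangerous href '{value.strip()[:40]}' on <{local}>")
    return findings


def is_safe_svg(svg_bytes):
    """True only when the document parses and no active content was found."""
    return not find_active_content(svg_bytes)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "->", "accept" if is_safe_svg(doc) else "reject")
        for finding in find_active_content(doc):
            print("   ", finding)
```

A check like this belongs alongside, not instead of, serving user uploads from a separate origin with a restrictive Content-Security-Policy, so that even a file that slips past the filter cannot run with the platform's own domain behind it.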
The wallet functionality is abused via the Ethereum RPC-API, which initiates a connection with MetaMask and displays the prompt for connecting to the wallet.
As these requests frequently appear as a system notice, users were likely to authorise the transaction without reading the message.
With the prompt coming from an OpenSea platform domain and behaving the way victims are used to seeing with other NFT operations, it is easy to understand how users could have been taken advantage of.
Check Point researchers detailed the attack as follows:
- A hacker builds and distributes a malicious NFT to a victim.
- When the victim views the malicious NFT, a pop-up from OpenSea’s storage domain appears, demanding access to the victim’s bitcoin wallet.
- The victim clicks to connect their wallet and carry out the action on the gifted NFT, granting the attacker access to their wallet.
- The money in the wallet can be obtained by triggering an extra pop-up, which is likewise sent from OpenSea’s storage domain.
On September 26, Check Point researchers notified OpenSea of their findings. The two parties worked together to solve the problem, and OpenSea had a solution in less than an hour after the responsible disclosure.
According to OpenSea, they were unable to discover any incidents in which attackers exploited this vulnerability, but they will continue to raise awareness and educate the community on security best practices and how to spot fraud and phishing attempts.