If an unwitting user interacts with a gifted NFT, attackers can drain the wallet
OpenSea has fixed vulnerabilities in its platform that could have let hackers steal someone’s crypto after sending them a maliciously crafted NFT. The issue was identified by security firm Check Point Research, which, according to a blog post, noticed tweets from people claiming they were hacked after being gifted NFTs. The researchers spoke to one of the people who said they had been attacked, found vulnerabilities that proved the attack could have happened this way, and reported the problems to OpenSea. The security firm says the NFT trading platform fixed the issue within an hour and worked with researchers to make sure the fix worked.
While attackers potentially being able to decimate entire wallets certainly isn’t a good look for OpenSea, it wasn’t a simple matter of someone gifting an NFT – the exploit required its target to click through a few prompts, which may include a transaction detail. While no interaction is required on your part for an NFT gift to be sent, malicious NFTs were harmless if they sat untouched in an OpenSea account.
A potentially dangerous situation arises when the image itself is viewed (let’s say, by right-clicking on it and pressing “Open in New Tab”). For users with crypto-wallet browser extensions such as MetaMask, this triggers a popup asking to connect storage.opensea.io to their wallet. If the target clicks Yes, attackers can obtain the wallet information and trigger another popup asking the victim to approve a transfer from their wallet to the attackers’ own. If you’re not paying attention, or have no idea what’s going on, and confirm the transfer, you could lose everything in your wallet.
OpenSea said in a statement that it had not found any examples of anyone actually carrying out that type of attack – although it is still unclear what happened to the people who say they were attacked. As far as I know, only a few people were talking about being hacked after receiving the NFT gift.
OpenSea says it is working with third-party wallet providers to help people identify malicious signature requests. Still, for the most part, standard Internet security rules apply: don’t click on things that seem out of the ordinary, and definitely do not confirm any transaction request unless you are absolutely sure that this is something you want to do.
While this particular attack required a lot of interaction from the target (as well as at least some amount of inattention), it’s good to see Check Point’s confirmation that OpenSea has fixed it. It is easy to imagine newcomers to NFTs potentially having their wallets drained, and we have seen examples of bad actors and scammers in the crypto space who are ready to steal people’s Ethereum, pretend to be OpenSea support staff, or sell an almost certainly fake Banksy.
OpenSea also announced on Monday that it will hide gifted NFTs from an account page by default if they are from unverified collections, and that it will add an option to suspend your account from buying or selling NFTs if you believe your wallet has been compromised.