Gullible OpenSea Users Were Vulnerable to ‘Malicious NFT’ Attacks, Researchers Say


OpenSea, the world’s largest market for NFTs, says that it recently patched security flaws that would have allowed bad actors to pilfer users’ digital crypto wallets. The flaws were brought to the market’s attention by researchers with Check Point, a cybersecurity company based in Israel, which says that fraudsters wielding “malicious NFTs” could have targeted the platform’s users.

Non-fungible tokens, the crypto craze that turns anything into a unique blockchain asset — or at least gives users a unique digital receipt saying they own an asset — are still big. OpenSea, which sees upwards of a billion dollars in NFT transactions on its platform on any given month, is the largest market for them on the internet. However, the company has been having some trouble lately — with an uptick in reports of scams hitting its customers. Check Point researchers say they started looking into potential security flaws in OpenSea’s platform after reading about those scams.

Check Point didn’t ultimately find anything insecure about the platform itself. Rather, researchers uncovered a method by which an unscrupulous individual could trick a gullible crypto user into basically opening up their digital wallet — in other words, a classic social engineering scheme.

The method employs “malicious” NFTs, or basically trojan-ized digital art that can be used to lure users into opening their financial accounts to a stranger on the internet. Researchers said that an image file, airdropped onto OpenSea’s platform and offered for free to a user, can be pre-loaded with a payload that allows for the thieving of that user’s funds. When viewed, the NFT subsequently deploys a series of malicious pop-ups, styled to look like they are from OpenSea itself, which request that the user connect their digital wallet. If a user was clueless enough to sign off on these weird, unusual prompts, they would open themselves up to getting all of their monies jacked.

However, OpenSea has noted that getting prompts like this would be “an abnormal event” for users — as third-party images on OpenSea “do not result in a request for a wallet connection,” the company said. Check Point admits that this kind of scam would require “unexpected behaviour” from the fraudster that “does not correlate to services provided by the OpenSea platform, like buying an item, making an offer, or favouring an item.” In other words, you’d have to see a bunch of red flags and blow right past them to claim your free online prize — which, if we’re being honest, you can easily imagine some people doing.

In summation, this attack, while possible, is unlikely to succeed in most cases — which is probably why OpenSea has reported that they are “unable to identify any instances where this vulnerability was exploited.” OpenSea says that they have subsequently taken measures to block this scam from taking place on their platform.

“Security is fundamental to OpenSea. We appreciate the CPR team bringing this vulnerability to our attention and collaborating with us as we investigated the matter and implemented a fix within an hour of it being brought to our attention,” said the company in a statement.

“I believe that our research findings, and the quick action by OpenSea, will prevent thefts of crypto wallets of users,” said Oded Vanunu, Check Point’s head of product vulnerabilities research. “Blockchain innovation is fast-underway and NFTs are here to stay. Given the sheer pace of innovation, there is an inherent challenge in securely integrating software applications and crypto markets.”

True. But why not just skip the headache, save yourself a bunch of money, and not invest in NFTs at all? I submit this as an alternative threat mitigation method.