OpenSea fixed a bug that allowed cryptocurrency to be stolen via NFTs

The OpenSea team quickly eliminated a vulnerability that allowed digital currencies to be stolen using “infected” non-fungible tokens hosted on the platform.

Thanks to a collaboration with researchers at Check Point Research, the team behind the largest NFT marketplace was able to eliminate a dangerous exploit. After confirming that the bug was fixed and that no one had been harmed by it, OpenSea representatives disclosed the sequence of steps an attacker could have used to steal cryptocurrency.

The attacker created an NFT “gift” with a malicious SVG (Scalable Vector Graphics) file embedded in it. SVG is a vector image format that can also carry scripts, so an SVG opened directly in the browser is able to execute code. If the victim right-clicked the malicious NFT image and opened it in a new tab or window, the SVG launched a pop-up styled like a standard software-wallet window. A script first checked the victim's browser for a crypto-wallet extension such as MetaMask; the fake “extension” then requested access to storage.opensea.io. If the user agreed, the attacker could potentially gain access to the cryptocurrency held in the victim's software wallet.

Legitimate third-party images hosted on OpenSea never request a connection to the user's wallet, let alone ask for confirmation of a transaction involving cryptocurrency or NFTs. Any assets transferred in the course of such suspicious activity go straight to the attackers. Users are therefore strongly advised to decline such transactions and permission requests, even from trusted extensions of popular web browsers, if they ask for access to OpenSea.

Check Point Research submitted its bug report on September 26, after which the OpenSea team eliminated the threat in just one hour. Jay Niffley, an independent security expert, also helped resolve the issue by reporting a bug related to extensions and the storage.opensea.io domain.

In total, more than 73 million objects and 4.4 million SVG files were analyzed during the review, of which only 77 were even indirectly related to the identified vulnerability. After the fix, the platform team, together with Check Point Research, examined the service again for malicious NFTs to confirm that none remained.
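The sweep described above comes down to finding SVG files that carry active content (scripts, event-handler attributes, javascript: links, embedded HTML) rather than plain vector drawings. The following is an added example of such a triage check, not OpenSea's or Check Point's code; the function names and the two sample SVGs are constructed for illustration.

```python
# Added example: flag SVG uploads that contain active content so a marketplace
# can reject or sanitize them before serving. Not OpenSea's code; names are
# constructed. For untrusted input at scale, parse with defusedxml instead of
# the stdlib parser to avoid entity-expansion attacks.
import xml.etree.ElementTree as ET

XLINK = "{http://www.w3.org/1999/xlink}"
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
LINK_ATTRS = {"href", XLINK + "href"}


def _local(name):
    # ElementTree prefixes namespaced names with "{uri}"; keep only the local part.
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text):
    """Return a list of (element, reason) tuples describing active content found."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append((tag, "active element"))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append((tag, f"event handler {name}"))
            elif attr in LINK_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append((tag, "javascript: link"))
    return findings


def is_safe_svg(svg_text):
    return not svg_findings(svg_text)


# Constructed samples: a plain drawing and one carrying three kinds of active content.
BENIGN = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="gold"/>
</svg>"""

SCRIPTED = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>/* constructed placeholder; runs only if the SVG is opened directly */</script>
  <rect width="10" height="10" onclick="void 0"/>
  <a xlink:href="javascript:void(0)"><text>claim</text></a>
</svg>"""
```

Serving user-supplied SVGs as `<img>` content or from an isolated origin with a strict Content-Security-Policy limits what such scripts can reach even if a file slips through the check.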

Not a single theft was detected while the bug was present. It is therefore fair to say that the specialists eliminated the flaw quickly and minimized its possible consequences.


Coin Shark is not responsible for the content, accuracy, quality, advertising, products or any other content posted on the site. This article is for informational purposes, prepared on the basis of materials and information from open sources. Cryptocurrency is a high-risk asset, investments in it can lead to losses. Readers should do their own research before taking any action.