OpenSea has fixed vulnerabilities in its platform that could’ve let hackers steal someone’s crypto after sending them a maliciously crafted NFT. The issue was found by security firm Check Point Research, which noticed tweets from people claiming they were hacked after being gifted NFTs, according to a blog post. The researchers talked to one of the people saying they were attacked, and found vulnerabilities proving an attack could happen this way and reported the problems to OpenSea. The security firm says the NFT trading platform fixed the issue within an hour and worked with researchers to make sure the fix worked.
While the attackers potentially being able to drain entire wallets is certainly not a good look for OpenSea, it wasn’t a simple matter of just gifting someone an NFT — the exploit needed its target to click on a few prompts first, including one that might include transaction details. While being sent an NFT gift doesn’t require any interaction on your part, the malicious NFTs were harmless if they just sat unviewed in an OpenSea account.
The potentially dangerous situation occurs when viewing the image by itself (by, say, right-clicking on it and hitting “open in new tab”). For users with a crypto-wallet browser extension like MetaMask installed, it initiates a popup asking to connect storage.opensea.io to their wallet. If the target clicks yes, the attackers could snag the wallet’s information and trigger another popup asking to approve a transfer from the victim’s wallet to their own. If you’re not paying attention or didn’t realize what was going on and confirmed the transfer, you could wind up losing everything in your wallet.
OpenSea says in a statement that it hasn’t found any instances of someone actually carrying out that kind of attack — though it’s still unclear what happened to the people who say they were attacked. As far as I could find, there were only a few people talking about being hacked after receiving a gift NFT.
OpenSea says it’s working with third-party wallet providers to help people recognize malicious signature requests. Still, for the most part, standard internet safety rules apply — don’t click on things that seem out of the ordinary, and definitely don’t confirm any transaction requests unless you’re entirely sure it’s something you want to do.
While this particular attack required a lot of interaction (as well as at least some amount of inattention) from the target, it’s good to see Check Point’s confirmation that OpenSea has fixed it. It’s easy to imagine people new to NFTs potentially getting their wallets drained, and we’ve seen examples of bad actors and scammers in the crypto space. There are those who are willing to steal people’s Ethereum, pretend to be OpenSea support employees, or sell an almost certainly fake Banksy.
OpenSea also announced on Monday that it would hide gifted NFTs from an account’s page by default if they’re from unverified collections and add an option to suspend your account from buying or selling NFTs if you think your wallet has been compromised.