Malicious NFT could have infiltrated OpenSea Marketplace via discovered bug

Non fungible token Malicious NFT OpenSea Marketplace bug cryptocurrency digital-wallets fraud alert fraud-detection

Currently, the OpenSea marketplace is at risk of being infiltrated by threat actors. Uploading malicious non-fungible tokens or NFT can become a transmitter for hackers attempting to heist digital wallet funds. 

Severe security issues inside the OpenSea non-fungible token marketplace that enabled attackers to gather cryptocurrency wallet funds have been patched. 

Meanwhile, the non-fungible tokens, also known as NFT, are digitally owned assets that can be traded and sold on a digital ledger. Some NFTs, for example, pixelated cartoons or popular memes, can reach a selling price of at least a million dollars. Through the popularity of these NFTs, it created a new attack transmitter for exploitation. 

Recently, a group of researchers said that vulnerabilities in the OpenSea NFT marketplace could have enabled threat actors to hijack user accounts and gather crypto wallets of target users by sending compromised NFTs. 

An investigation initiated by the researchers was deployed after multiple reports unravelling malicious NFTs, airdropped with no cost, being utilized as conduits for crypto theft and account take over. 

 

How does the malicious NFT works? 

The airdropped malicious NFT is not the source of the problem but instead once it has been gifted to a potential target. When the gifted target opened and viewed it, a pop-up would trigger a request signature to connect into a wallet. Then a second signature for a prompt request will appear, and if accepted, the attackers will now be granted access to the unaware user’s wallet, funds, data, and more. 

In the case of OpenSea, the security vulnerability allows the team to upload a “.SVG” file containing a compromised payload, which would perform under the marketplace’s storage subdomain. 

The authorized researcher disseminated their findings to OpenSea last month, and within less than sixty minutes, the marketplace confirmed the security issues and launched a mandatory repair. 

OpenSea stated that their security is very fundamental for them. Also, they added that they appreciated the research team reaching out to them and working with them to address the security issue they were facing. 

Furthermore, they elaborated that the attacker would have relied on the target victim’s approval to initiate the malicious activity through a third-party wallet provider by connecting their wallet and providing a signature for the transaction. 

Lastly, the OpenSea marketplace said that the organization had not verified any evidence that the exploitation exists in the wild. 

About the author

iZOOlogic

Leave a Reply