OpenSea addresses user identity problem

OpenSea, a marketplace for nonfungible tokens, has reportedly fixed a flaw that, if abused, could have disclosed identifying information about its anonymous users.

In a blog post published on March 9, cybersecurity company Imperva revealed how it uncovered the vulnerability, which it said could deanonymize OpenSea users “by tying an IP address, a browser session, or an email under specific situations” to an NFT.

When the NFT is linked to a bitcoin wallet address, the obtained information, combined with the wallet’s activity, could reveal the user’s real identity, Imperva explained.

The attack is believed to have relied on a cross-site search vulnerability. Imperva said that OpenSea had misconfigured a library that resizes embedded web frames, page components that load HTML content from another site and are commonly used to insert advertisements, interactive content, or videos.

Because OpenSea had not restricted the library’s messages, an attacker could use the size information it broadcast as an “oracle” to infer when a search returned no results, since a page with no results renders smaller.
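The following is an added illustration of the weak setting described above and its fix; it is not OpenSea’s, Imperva’s, or the library’s code, and the allowlisted origins are constructed placeholders. A child frame that announces its rendered height to any embedder turns that height into a yes/no answer about the search; restricting who may receive the message removes the oracle.

```javascript
// Added example (not OpenSea's or Imperva's code). The "oracle" in this
// story is a child frame that broadcasts its rendered height to whatever
// page embeds it. Limiting that broadcast to known embedders closes the leak.
// All origins below are constructed placeholders.

// Embedding sites allowed to learn the frame's size (assumption).
const ALLOWED_EMBEDDERS = new Set([
  "https://marketplace.example",
  "https://app.marketplace.example",
]);

// Weak pattern: the frame tells any parent how tall it rendered.
// An empty result page is shorter, so the height answers "did the search
// match?" for every origin that embeds the frame.
function leakyTargetOrigin() {
  return "*"; // postMessage(msg, "*") is delivered to any embedder
}

// Hardened pattern: normalise the embedder's origin and only answer if it
// is on the allowlist; otherwise send nothing at all.
function resolveTargetOrigin(embedderOrigin, allowlist = ALLOWED_EMBEDDERS) {
  if (typeof embedderOrigin !== "string") return null;
  let origin;
  try {
    origin = new URL(embedderOrigin).origin; // drops path and query
  } catch {
    return null; // unparsable or opaque ("null") origin: refuse
  }
  return allowlist.has(origin) ? origin : null;
}

// Build the size message for a given embedder, or null if it must not be sent.
function buildResizeMessage(embedderOrigin, heightPx) {
  const target = resolveTargetOrigin(embedderOrigin);
  if (target === null) return null;
  return { target, payload: { type: "resize", height: heightPx } };
}

// Browser-side wiring (not exercised here): the child frame derives the
// parent's URL from document.referrer, which depends on the referrer policy.
function sendResize(heightPx) {
  const msg = buildResizeMessage(document.referrer, heightPx);
  if (msg) window.parent.postMessage(msg.payload, msg.target);
}
```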

According to Imperva, an attacker would send their victim an email or SMS with a link that, when opened, “reveals vital information such as the target’s IP address, user agent, device data, and software versions.”

Screenshot of OpenSea’s front page. Source: OpenSea

The attacker would then use the OpenSea vulnerability to extract the names of the target’s NFTs and link the wallet address to identifying information, such as the email address or phone number to which the initial link was sent.

Imperva said that OpenSea “immediately rectified the vulnerability” by restricting the library’s communications and that the platform was “no longer vulnerable to such assaults.”

Users of the platform have long been targeted by attacks that impersonate OpenSea’s features, such as phishing websites that resemble the platform and signature requests that appear to come from OpenSea.

OpenSea has been criticized for its platform security after a massive phishing attempt in February 2022 resulted in the theft of over $1.7 million worth of NFTs from users.

Even with the fix in place, it remains unclear how long the vulnerability existed or whether any users were affected.
