After seeing reports of stolen crypto wallets triggered by free airdropped NFTs, Check Point Research (CPR) investigated OpenSea, the world’s largest NFT marketplace.
The probe found critical security vulnerabilities on OpenSea’s platform that, if exploited, could have led hackers to hijack user accounts and steal their entire crypto wallets by sending malicious NFTs.
- CPR’s research findings helped prevent theft of users’ crypto wallets
- CPR chose to investigate OpenSea after observing online reports of stolen crypto wallets
- CPR proved it was possible to steal users’ crypto wallets by leveraging critical security vulnerabilities found in OpenSea’s platform
- CPR immediately and responsibly disclosed its findings to OpenSea, which deployed a fix less than one hour after disclosure
Check Point Research (CPR) identified critical security flaws in OpenSea. Left unpatched, the vulnerabilities could allow hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs. OpenSea recorded $3.4 billion in transaction volume in August 2021 alone.
Reports of Malicious Airdropped NFTs
Reports of free airdropped NFTs allegedly gifted to users prompted CPR’s investigation of OpenSea. Curiosity led CPR to correspond with a victim of a stolen crypto wallet, who confirmed interacting with an airdropped object prior to account theft.
Exploitation Methodology
CPR’s identification of critical security flaws in OpenSea proves a malicious NFT could be used to hijack accounts and steal crypto wallets. Successful exploitation of the vulnerabilities would have required the following steps:
- The hacker creates a malicious NFT and gifts it to the target victim.
- The victim views the malicious NFT, which triggers a pop-up from OpenSea’s storage domain requesting a connection to the victim’s cryptocurrency wallet (such pop-ups are common on the platform for various other activities).
- The victim clicks to connect their wallet in order to act on the gifted NFT, thereby granting access to the wallet.
- The hacker can then obtain the funds in the wallet by triggering an additional pop-up, also sent from OpenSea’s storage domain. The user may approve this pop-up if they do not notice the note in it describing the transaction.
- The end result could be theft of the user’s entire cryptocurrency wallet.
Responsible Disclosure
CPR immediately and responsibly disclosed its findings to OpenSea on Sunday, September 26, 2021. In less than an hour of disclosure, OpenSea fixed the issue and verified the fix. CPR worked closely and collaboratively with the OpenSea team to ensure the fix worked correctly.
After OpenSea responded regarding SVG files containing iframe objects served from its storage domain, CPR and OpenSea reviewed the fix together and confirmed that all attack vectors were closed.
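The exploitation methodology and the closing paragraph both point at the same ingredient: user-supplied SVG content that can embed an iframe (or other active content) and is then served from the marketplace’s own trusted domain. The block below is an added example, written here and not code from Check Point Research or OpenSea, of the kind of server-side validation a platform can run on an uploaded SVG before storing it. The element and attribute deny-lists, the size limit and the function names are assumptions of this example; the sample SVG strings are constructed, and the URL in them is a placeholder.

```python
"""Reject user-uploaded SVG files that carry active or embedded content.

Added example (not CPR's or OpenSea's code). The deny-lists below are
assumptions chosen for illustration, not a complete SVG sanitizer.
"""
import xml.etree.ElementTree as ET

# Elements that must never appear in a user-supplied SVG: script execution,
# HTML embedding via foreignObject, and nested browsing contexts.
FORBIDDEN_TAGS = {"script", "iframe", "foreignobject", "embed", "object"}
# Attributes that carry URLs and could point at remote or script content.
# (ElementTree strips the xlink namespace, so xlink:href arrives as "href".)
URL_ATTRS = {"href", "src"}


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def svg_violations(svg_text, max_bytes=1_000_000):
    """Return a list of reasons to reject the SVG; an empty list means accept."""
    if len(svg_text.encode("utf-8")) > max_bytes:
        return ["file too large"]
    # Refuse DTDs outright: they enable entity expansion and external entities.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["DTD/entity declarations are not allowed"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    problems = []
    if _local(root.tag) != "svg":
        problems.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            problems.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            a = _local(attr)
            # Any on* attribute is an inline event handler (onload, onclick, ...).
            if a.startswith("on"):
                problems.append(f"event handler attribute {a} on <{tag}>")
            if a in URL_ATTRS:
                # The parser has already decoded character entities, so
                # obfuscated forms such as 'javascript&#58;' are seen decoded.
                v = value.strip().lower()
                if v.startswith(("http:", "https:", "javascript:", "data:", "//")):
                    problems.append(f"external or script URL in {a} on <{tag}>: {value}")
    return problems


# Constructed sample inputs: a harmless icon and an SVG smuggling an iframe
# inside foreignObject, pointing at a placeholder URL.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="#0f0"/></svg>'
)
IFRAME_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xhtml="http://www.w3.org/1999/xhtml">'
    '<foreignObject width="100" height="100">'
    '<xhtml:iframe src="https://example.invalid/embedded.html"/>'
    '</foreignObject></svg>'
)
ONLOAD_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_SVG), ("iframe", IFRAME_SVG), ("onload", ONLOAD_SVG)]:
        print(name, "->", svg_violations(doc) or "accepted")
```

The check is a deny-list on top of a real XML parse rather than a regex over the raw text, so namespace prefixes and entity-encoded attribute values cannot slip past it. A production deployment would pair this with serving user content from a separate, cookie-less origin, since the page describes the pop-ups being trusted precisely because they came from the platform’s own storage domain.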