OpenSea has had its fair share of security issues in the past year, but this vulnerability affects one of the foundational pillars of web 3.0 — anonymity.
Cross-Search Vulnerability
According to Imperva, OpenSea did not restrict cross-origin communication, which allowed access to restricted content on its platform. This left the marketplace open to a cross-site search vulnerability that would’ve allowed an attacker to access sensitive information, including users’ email addresses and IPs.

“The attacker incrementally gathers information by sending multiple queries, using the distinguishable differences in the system’s behavior to extract more and more information,” Imperva stated in a blog post.

OpenSea uses the iFrame-resizer library to resize ads, videos, and other embedded content on its webpage. However, attackers could potentially exploit this library to pry away user data.

“This is because the library broadcasts the width and height of the iFrame, which can be used as an oracle to detect when a search query returns results,” Imperva explained.

“An attacker can exploit this vulnerability by continuously searching the victim’s assets, performed cross-origin, to leak an NFT name and associated wallet address. This can lead to the deanonymization of the user if the attacker can associate the leaked information with the user’s identity,” it added.
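The size-broadcast oracle described above, next to one way of closing it, as an added example that is not code from the article, Imperva, OpenSea or the iFrame-resizer library. All origins, sizes and function names are constructed, and `mockParent` only models the browser's `targetOrigin` delivery rule so the check runs under Node.

```javascript
// Added example; all names, origins and sizes are constructed for illustration.
const TRUSTED_PARENTS = ["https://app.example"];

// Stand-in for the embedding window. Models the browser rule that a message
// is delivered only if targetOrigin is "*" or equals the receiver's origin.
function mockParent(origin) {
  const received = [];
  return {
    received,
    postMessage(data, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === origin) received.push(data);
    },
  };
}

// Weak: every embedder, trusted or not, is told the frame's size.
function broadcastSize(parent, size) {
  parent.postMessage({ type: "resize", ...size }, "*");
}

// Hardened: the size is addressed to allowlisted origins only, so the
// browser drops it when the frame is embedded anywhere else.
function sendSizeToTrusted(parent, size) {
  for (const origin of TRUSTED_PARENTS) {
    parent.postMessage({ type: "resize", ...size }, origin);
  }
}

// Constructed frame sizes: a results page renders taller than an empty one.
const WITH_RESULTS = { width: 800, height: 1400 };
const NO_RESULTS = { width: 800, height: 300 };

// Returns true if an embedder at `origin` can tell the two pages apart
// from the size messages alone, i.e. the size works as an oracle.
function sizeOracleExposed(origin, send) {
  const heights = [WITH_RESULTS, NO_RESULTS].map((size) => {
    const parent = mockParent(origin);
    send(parent, size);
    return parent.received.length ? parent.received[0].height : null;
  });
  return heights[0] !== heights[1];
}
```

A page that should never be framed by other sites can also refuse embedding outright with a `Content-Security-Policy: frame-ancestors` header, which removes the size channel for untrusted embedders altogether.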
OpenSea in the Cross Hairs of Malicious Actors
OpenSea gained popularity in recent years with the boom in demand for cryptocurrencies and NFTs (non-fungible tokens). Users can buy and sell NFTs at fixed prices or through auction-style bidding on the platform. However, OpenSea has also received attention from malicious actors looking to profit from its fame. Last year, the marketplace was the victim of a high-profile data breach that leaked users’ email addresses and a phishing attack that allowed cybercriminals to steal NFTs worth $1.7 million.

Imperva gave OpenSea credit for working with them to quickly resolve the vulnerability in its systems. “This vulnerability highlights the dangers of cross-origin communication, which can lead to XS-Leaks and other vulnerabilities. We appreciate OpenSea’s prompt response in addressing the security issue and working with us to mitigate it,” Imperva stated.

The last two years have been a rollercoaster for crypto and NFT enthusiasts. Cybercriminals continue to target crypto users and platforms. It is important to remain vigilant against potential malicious activity. Our guide on avoiding NFT scams contains valuable information about defending yourself from common threats.