Vulnerability exposed OpenSea NFT Market users’ identities

by James · March 9, 2023

Table of Contents

OpenSea has fixed the vulnerability by releasing an update that limits cross-origin communication.

In 2022, Open sea had over 1 million registered users and received more than 121 million monthly visitors to its website. This makes OpenSea not only the largest NFT marketplace, but also a lucrative target for cybercriminals. Some vulnerability on the platform can become an opportunity for malicious actors and spell disaster for unsuspecting users.

One such exploitable vulnerability in the OpenSea NFT market was identified by Imperva researchers.

Vulnerability details

The Imperva Red Team discovered a vulnerability affecting the world’s largest NFT marketplace, OpenSea. It is a cross-site search (XS-Search) vulnerability that can be exploited by an attacker to obtain a user’s identity.

All the attacker needs to do is link an IP address, an email or a browser session to a specific one NFT (non-fungible token), thus gaining access to a wallet address that will reveal the user’s identity. This issue is of concern as it de-anonymizes OpenSea users.

Exploitation mechanism

The attacker sends his target a link via various communication channels, e.g. SMS or e-mail. If the victim clicks on this link, valuable data such as the IP address, device details, user agent and software versions are leaked.

The attacker can then exploit the cross-site search security vulnerability to get the victim’s NFT name and associate the leaked public/NFT wallet address with this identity, such as the phone number or email to which the link was first sent.

What is causing the problem?

It’s caused by the misconfiguration of the iFrame-resizer library, which the $13.3 billion marketplace uses. When this library is used where cross-origin communication is not restricted, a cross-site search vulnerability exists. OpenSea didn’t limit it, which led to this problem.

This misconfiguration allows this bug to prevail and expose user identities. Given the fact that the NFT ecosystem is completely anonymous, this type of flaw could have serious implications for OpenSea’s business, because if exploited, the attacker could launch phishing attacks.

Alternatively, they can track users who have purchased the highest value NFTs. Researchers were able to determine that the marketplace uses ElasticSearch tool since it had advertised ElasticSearch skills in one of its job advertisements.

See the PoC of the vulnerability

Understanding a Cross-Site Search Security Issue:

Also called XS-Search, Cross-Site Search vulnerability is based on XS leaks family of attacks. It is found in web apps that use query-based search mechanisms.

The vulnerability allows an attacker to obtain sensitive information from another origin simply by sending queries and identifying the difference in search engine behavior with whether or not it returns results. The threat actor collects information by sending a series of requests. Basically, it can extract sensitive information from a web app.

Has it been fixed?

According to a blog posts as Imprava shared with Hackread.com, following the disclosure of the vulnerability, OpenSea quickly addressed it by releasing an update that limited cross-origin communication. This reduced further exploitation of the vulnerability.

However, this highlights the ongoing challenges businesses face in ensuring security in a highly complex application space where misconfiguration can easily be overlooked and ultimately exploited in decentralized applications or dApps.

With the advent and advancement of Web3 and dApps, hordes of new challenges have also emerged. As much as these environments have become popular, the risk of exploitation has intensified.

Therefore, it is important to be vigilant and detect inherent errors and vulnerabilities in time to prevent the exploitation of these platforms.