- Hackers exploited pop-up functions on the OpenSea website to steal directly from users' crypto wallets.
- OpenSea has worked with Check Point on the issue and is doubling down on its efforts to educate users on security issues.
Less than a month after admitting to insider trading, OpenSea, the largest NFT marketplace, is once again under scrutiny. The Ethereum-based NFT marketplace faced a major security vulnerability, according to researchers at Check Point Software.
The researchers said the vulnerability allowed hackers to steal entire crypto wallets from users. As noted, OpenSea has been the largest marketplace for buying, selling, and trading NFTs and other digital collectibles.
Check Point first looked into the issue following reports of crypto wallet theft triggered by air-dropped NFTs. Check Point researchers then discovered critical security issues "which, if exploited, could have led hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs".
The OpenSea Security Vulnerability
The attack on OpenSea was very simple: create an NFT with a malicious payload, then wait for the victim to take the bait and view the malicious NFT art.
Several users reported finding their crypto wallets empty after receiving giveaways on the OpenSea marketplace. Such giveaways looked like nothing more than the marketing tactic dubbed "airdropping", used to promote new virtual assets. The attack relied mainly on user inattention and on the fact that OpenSea generates a lot of pop-ups.
When the victim received and viewed a malicious NFT sent by the hacker, it triggered a pop-up window from the OpenSea storage domain, which then requested a connection to the victim's crypto wallet. Once the victim clicked on the pop-up, the hacker gained access to the crypto wallet and could also generate another pop-up.
If the victim clicked again without noticing the transaction, the hacker could steal all of their assets.
Observations of the Check Point researchers
The Check Point researchers decided to take a closer look at how the platform works in order to discover vulnerabilities. OpenSea supports several third-party crypto wallets, one of the most popular being MetaMask.
Using MetaMask, the researchers found that any action in the account requires communication with the wallet. Even liking a piece of art on the platform triggers a wallet login request. In its official blog post, Check Point noted:
However, a lot had to go wrong for the attack to work. Check Point researchers informed OpenSea of their findings on September 26, and the two sides worked together to resolve the issue. OpenSea said it implemented a fix "within an hour of our attention". OpenSea further stated that it is "doubling community education around safety".