
OpenSea Patches Vulnerability that Potentially Exposed Users’ Identities

According to reports, OpenSea has fixed a flaw that, if exploited, might have revealed personal information about its anonymous users.

According to cybersecurity company Imperva, the vulnerability could deanonymize OpenSea users “by associating an IP address, a browser session, or an email in specific scenarios,” as the company explained in a blog post on March 9.

Because an NFT corresponds to a cryptocurrency wallet address, information obtained this way and linked to that wallet and its activity could reveal a user’s real identity, according to Imperva.

The flaw is believed to be a cross-site search (XS-Search) vulnerability. Imperva asserted that OpenSea had improperly configured a library that resizes webpage elements which load HTML content from external sources and are frequently used to display advertisements, interactive content, or embedded videos.

Because OpenSea did not impose any restrictions on this library’s cross-origin communications, the size information it broadcast could serve as an “oracle”: when a search returned no results, the page rendered smaller, so an attacker could use that signal to narrow down their search. According to Imperva, an attacker might send a link to a target via email or SMS that, when clicked, would provide “important information, including the target’s IP address, user agent, device data, and software versions.”

After extracting the target’s NFT names through the OpenSea vulnerability, the attacker could link the corresponding wallet address to identifying details such as the email address or phone number to which the original link was sent. Imperva reported that the platform “was no longer at risk of such assaults” after OpenSea “immediately rectified the vulnerability” and appropriately restricted the library’s interactions.
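The size oracle described above, and the effect of restricting the library’s interactions, as an added example that is not code from OpenSea, Imperva, or the resizing library the article refers to. It models only the framed page’s side of the size reporting; the origins, heights, and message format are constructed for illustration.

```javascript
// Constructed allow-list of pages permitted to frame and resize this content.
const TRUSTED_EMBEDDERS = new Set(['https://embed.example-marketplace.invalid']);

// Constructed layout model: an empty result list renders shorter than a
// populated one, which is what turns the reported height into an oracle.
function renderedHeight(resultCount) {
  return resultCount === 0 ? 120 : 120 + 200 * resultCount;
}

// Unrestricted reporter: answers any parent's init message and addresses the
// size message to '*', so whichever page framed the search receives it.
function reportSizeUnrestricted(initEvent, height, post) {
  post({ type: 'resize', height }, '*');
  return true;
}

// Hardened reporter: the parent's origin (event.origin of its init message)
// must be allow-listed, and the size message is addressed to that exact origin
// so the browser discards it if the parent is anyone else.
function reportSizeHardened(initEvent, height, post, trusted = TRUSTED_EMBEDDERS) {
  if (!trusted.has(initEvent.origin)) return false;
  post({ type: 'resize', height }, initEvent.origin);
  return true;
}

// Simulates a page at embedderOrigin framing a search that has resultCount
// hits. Returns the height the embedder learns, or null if it learns nothing.
function simulateEmbed(embedderOrigin, resultCount, reporter) {
  let observed = null;
  const post = (msg, targetOrigin) => {
    // Browser rule: a targeted postMessage is delivered only if origins match.
    if (targetOrigin === '*' || targetOrigin === embedderOrigin) observed = msg.height;
  };
  const initEvent = { origin: embedderOrigin, data: { type: 'init' } };
  reporter(initEvent, renderedHeight(resultCount), post);
  return observed;
}

// A page outside the allow-list framing an empty and a non-empty search.
const outsider = 'https://lure.example.invalid';
console.log(simulateEmbed(outsider, 0, reportSizeUnrestricted)); // 120: reveals "no results"
console.log(simulateEmbed(outsider, 3, reportSizeUnrestricted)); // 720: reveals "has results"
console.log(simulateEmbed(outsider, 3, reportSizeHardened));     // null: nothing learned
console.log(simulateEmbed('https://embed.example-marketplace.invalid', 3, reportSizeHardened)); // 720
```

Pinning the target origin is a complement to, not a substitute for, a `frame-ancestors` policy that stops untrusted pages framing the search page in the first place.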

Users of the platform are frequently targeted by attacks that imitate OpenSea’s features, such as phishing websites that look like the platform or signature requests that appear to come from OpenSea.

Due to a significant phishing attempt that occurred in February 2022 and resulted in the theft of NFTs valued at over $1.7 million from users, OpenSea has come under fire for the security of its platform. It’s unclear how long the most recent patch has been in place or whether any users have been impacted by the vulnerability.
