Check Point Research came across a security issue at OpenSea, the largest marketplace for trading in non-fungible tokens (NFTs), and has closed it in cooperation with those responsible at the provider. The loophole would have allowed criminals to use infected files to gain control of their victims’ crypto wallets and to loot them. Check Point explains the vulnerability in a short video.
The security researchers became aware of the increasing number of reports online from users of other marketplaces who claimed that their crypto wallets had been stolen or emptied. In the course of the investigation, the experts then uncovered a vulnerability through which hackers could take over a user’s account and digital wallet with malware:
- The hacker creates a contaminated NFT image and sends it to a victim.
- The victim views the NFT image, which opens a pop-up window from the OpenSea storage domain that requests a connection to the victim’s crypto wallet (such pop-up windows are common on the platform for various other activities and are therefore not suspicious).
- The victim now authorizes the connection to the virtual wallet in order to carry out an action with the NFT and thus unknowingly gives access to his wallet.
- The hacker can then get hold of the money by triggering an additional pop-up window that is also sent from the storage domain of OpenSea. The user will in turn click on this pop-up window if he overlooks the note in it describing the transaction.
- The result can be the theft of the victim’s entire cryptocurrency wallet.
Check Point immediately shared the results of the investigation with the operator OpenSea to eliminate the weak point. A spokesman for OpenSea said: “Security is of fundamental importance to OpenSea. We appreciate that the CPR team alerted us to this vulnerability and worked with us as we investigated – and implemented a fix within an hour of being made aware.”
According to OpenSea, no cases could be found in which the vulnerability was exploited for a theft. In August alone, the platform recorded a transaction volume of 3.4 billion US dollars (2.9 billion euros).
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software Technologies, comments on the research: “Our interest in OpenSea was awakened when we read rumors about stolen crypto wallets on the internet. We suspected there was a method of attack for OpenSea out there and started a thorough investigation of the OpenSea platform.
The result was the discovery of a way to steal crypto wallets from users by using a malicious NFT sent via OpenSea. We shared our knowledge immediately and responsibly with OpenSea, and those in charge worked with us to find a solution quickly. I believe that our research results and the quick action taken by OpenSea prevented the theft of crypto wallets.
What remains to be said is that blockchain innovation is in full swing and NFTs have become indispensable. Given the fast pace of innovation, one challenge is securely integrating applications and crypto markets. Hackers know that there is an open window that they can exploit because consumer acceptance of digital funds is increasing sharply. The security measures in this area, however, have to catch up. The IT security specialists must therefore help the pioneers of blockchain technologies to protect consumers’ crypto assets. We urge the OpenSea community to watch out for suspicious activity that could lead to theft, as we believe criminals will expand their efforts to hijack crypto wallets, targeting vulnerabilities.”