OpenSea deanonymization vulnerability could have exposed users’ identities

SNEAK PEEK

  • Imperva disclosed a vulnerability in OpenSea that could expose user details such as phone numbers and email addresses.
  • The cause was a misconfiguration of the iFrame-resizer library that OpenSea uses.
  • OpenSea released a patch to resolve the problem. Imperva reviewed the fix and confirmed that the vulnerability no longer exists.

OpenSea has fixed a vulnerability that could leak identifying details about anonymous users.

Imperva, a cybersecurity company, described in a blog post on March 9 how it identified the vulnerability. According to Imperva, under specific conditions the flaw would have deanonymized OpenSea users by connecting an IP address or an email address to a non-fungible token.

Since the NFT correlates to a crypto wallet address, the accumulated details could disclose a user's real identity and connect it to both the wallet and its activity.

The attack could have taken advantage of a cross-site search vulnerability. Imperva shared that OpenSea misconfigured a library that resizes webpage components (iframes) which load HTML content from somewhere else, as is done for ads, embedded videos, or engaging content.

Because OpenSea did not limit this library's communications, attackers could use the details it broadcast as an oracle: a search that returns no results produces a smaller webpage, so the broadcast size reveals when a search came back empty.

Imperva shared that an attacker would send a link via SMS or email to the target user. If the user clicked the link, details such as their IP address, device information, user agent, and software versions would have been revealed.

After this, the attacker would use the OpenSea vulnerability to obtain the names of the target's NFTs and link the corresponding wallet address with identifying details like a contact number or email.

OpenSea acknowledged the problem quickly, limited communications with the library, and said that such attacks were no longer possible.
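The kind of restriction described above, as an added example that is not OpenSea's, Imperva's, or the iFrame-resizer project's code: a simplified embedded page that reports its height to the embedding page, first to any embedder and then only to an allow-listed origin. The origins, heights, and function names are constructed for illustration, and `fakeWindow` is a stand-in for a browser window so the example runs outside a browser.

```javascript
// Constructed allow-list: the only origin permitted to learn this page's size.
const TRUSTED_PARENTS = new Set(["https://marketplace.example"]);

// Stand-in for a browser window. Like window.postMessage, it delivers a
// message only when targetOrigin is "*" or equals the receiver's origin.
function fakeWindow(origin) {
  const received = [];
  return {
    origin,
    received,
    postMessage(data, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === origin) received.push(data);
    },
  };
}

// Unrestricted: answers every embedder and uses the "*" wildcard, so any
// site that frames the page receives its current height.
function onInitWeak(event, pageHeight) {
  event.source.postMessage({ type: "resize", height: pageHeight }, "*");
}

// Restricted: ignores requests from unknown origins and pins the reply to
// the verified origin instead of the wildcard.
function onInitStrict(event, pageHeight) {
  if (!TRUSTED_PARENTS.has(event.origin)) return;
  event.source.postMessage({ type: "resize", height: pageHeight }, event.origin);
}

// Runs both handlers against a trusted and an unrelated embedder and counts
// how many size messages each embedder received.
function compareHandlers() {
  const results = {};
  for (const [name, handler] of [["weak", onInitWeak], ["strict", onInitStrict]]) {
    const trusted = fakeWindow("https://marketplace.example");
    const other = fakeWindow("https://unrelated.example");
    handler({ origin: trusted.origin, source: trusted }, 1800);
    handler({ origin: other.origin, source: other }, 1800);
    results[name] = { trusted: trusted.received.length, other: other.received.length };
  }
  return results;
}

console.log(compareHandlers());
```

With the unrestricted handler the unrelated origin receives the size message; with the restricted handler only the allow-listed origin does.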

OpenSea’s users have faced attacks that impersonate functions of the marketplace, such as phishing websites that look similar to the platform or signature requests that look like they belong to OpenSea.

The marketplace has faced backlash over its platform’s security owing to a major phishing attack that happened in February 2022. For the recent vulnerability, there is no information on how long it existed or whether any users were affected.