OpenSea fixes bugs: attackers could drain wallets using malicious NFTs

Attackers could potentially drain entire cryptocurrency wallets, Check Point team reports

Users were gifted NFTs, and interacting with the resulting messages could end in fund transfers.

Digital currency grows more valuable to cybercriminals as the technology behind various assets advances. Bugs allowing malicious NFT uploads on the OpenSea marketplace have been fixed.[1] These digital assets, non-fungible tokens,[2] could have become attack vectors.[3] Attackers could use such pieces to steal cryptocurrency funds and completely drain a wallet.

OpenSea has already fixed these flaws in the platform. Check Point Research discovered the security issue after seeing tweets from victims who got hacked after receiving a suspicious NFT gift.[4] Affected users were questioned, and researchers analyzed the issue further and found that the vulnerability behind the attack was a problem with OpenSea. Security researchers state that the marketplace officials fixed the vulnerabilities within the hour, made sure to address all possible issues, and ensured that the patches worked.

The hack followed the gifted NFT message

Even though the gifted NFT was the starting point, it is not that simple. The exploit relies on tricking victims into clicking on the provided windows and prompts, so that the victim provides the needed details or clicks on the particular layer with malicious code.

Direct interaction is needed in such cases. If you were sent an NFT as a gift but it sits unviewed in your OpenSea account, it is harmless. The danger comes from viewing the image, for example when you right-click the file and open it in a new tab. When the machine has crypto-wallet browser extensions like MetaMask, a pop-up asking for a connection to the wallet might appear.

Clicking on such a form and allowing the connection to your wallet might trigger the transfer of information about your wallet and even lead to another pop-up asking for payment approval. Approving it would allow a transfer from the victim's wallet to the attacker's account.

Major attacks were not carried out

The company stated that there were no instances where such an attack was carried out. However, it has not been revealed what happened to the people who say that they got hacked. Only a few people reported such issues on social media and other platforms.

The OpenSea platform is working closely with security teams and third-party crypto-wallet providers to help recognize malicious activities and signature requests like this. For now, common rules of safe browsing should be followed:

  • do not click on anything suspicious;
  • keep away from things that seem unfamiliar or out of the ordinary;
  • don't sign anything you cannot recognize;
  • do not confirm any transaction requests.

Unfortunately, many attacks and campaigns do not require such interaction from the victim, and funds can still get stolen. Malicious actors can scam people using the craze around cryptocurrency and get payments from unsuspecting victims. People who are new to NFTs can potentially fall victim to these attacks and lose their valuable funds.

OpenSea also announced[5] that gifted NFTs will be hidden from the account page by default if the collection they come from is not verified. You can also suspend your account from buying or selling NFTs if you think the wallet was compromised.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
