Threat actors may have leveraged a now-patched serious vulnerability in OpenSea, the largest non-fungible token (NFT) marketplace, to drain cryptocurrency funds from a victim by delivering a specially crafted token, opening a new attack vector for exploitation.
The findings came from Check Point Research, a cybersecurity group that began looking into the network after hearing of stolen bitcoin wallets triggered by free airdropped NFTs. The issues were resolved on September 26, 2021, less than an hour after responsible disclosure.
According to Check Point researchers, if left unpatched, the vulnerabilities could allow hackers to take over user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs.
NFTs are one-of-a-kind digital assets such as photographs, movies, music, and other objects that can be sold and exchanged on the blockchain, which serves as a certificate of authenticity by providing verifiable, public evidence of ownership.
The attack depends on sending users a malicious NFT that, when clicked, sets up a scenario in which rogue transactions can be pushed through a third-party wallet provider: the victim only has to supply a wallet signature to connect their wallet, and the attacker can then conduct activities on the victim's behalf.
OpenSea said it hadn’t seen this issue abused in the wild. Still, it is working with third-party wallet providers to help customers better recognize fraudulent signature requests, along with other measures to help users fight fraud and phishing attempts more effectively.
According to Oded Vanunu, head of products vulnerability research at Check Point, NFTs are here to stay, and blockchain innovation is well underway. There is an inherent problem in safely combining software applications and crypto markets, given the sheer speed of innovation.
He also said that with consumer usage on the rise and security measures in this sector still lagging behind, threat actors realize they have an open window to exploit right now.