According to reports, OpenSea has fixed a flaw that, if exploited, might have revealed personal information about its anonymous users.
The vulnerability, according to cybersecurity company Imperva, might deanonymize OpenSea users “by associating an IP address, a browser session, or an email in specific scenarios,” the company explained in a blog post on March 9.
The information obtained and connected to the wallet and its behavior could identify a user’s true identity as the NFT corresponds to a cryptocurrency wallet address, according to Imperva.
It is believed that the cross-site search vulnerability was exploited. Imperva asserted that OpenSea had improperly configured a library that resizes webpage elements that load HTML material from outside sources and are frequently used to display advertisements, interactive content, or embedded films.
Exploiters might use the information it broadcasts as a “oracle” to focus their efforts when searches provide no results because the webpage would be smaller because OpenSea didn’t impose any restrictions on this library’s communications. According to Imperva, an attacker might send a link to a target via email or SMS that, when clicked, would provide “important information, including the target’s IP address, user agent, device data, and software versions.”
After extracting the NFT names of their target using OpenSea’s vulnerability, the attacker would link the appropriate wallet address to identifiable details like the email or phone number that was used to send the original link. Imperva reported that the platform “was no longer at risk of such assaults” after OpenSea “immediately rectified the vulnerability” and appropriately restricted the library’s interactions.
Users of the platform are frequently the target of attacks that imitate OpenSea’s features in order to carry out vulnerabilities, such as phishing websites that look like the platform or signature requests that appear to come from OpenSea.
Due to a significant phishing attempt that occurred in February 2022 and resulted in the theft of NFTs valued at over $1.7 million from users, OpenSea has come under fire for the security of its platform. It’s unclear how long the most recent patch has been in place or whether any users have been impacted by the vulnerability.
The post OpenSea Patches Vulnerability that Potentially Exposed users’ Identities appeared first on BitcoinWorld.