Hackers might have stolen someone’s crypto after sending them a maliciously crafted NFT, thanks to flaws in OpenSea’s infrastructure. According to a blog post, security firm Check Point Research discovered the problem after noticing tweets from users saying they were hacked after receiving NFTs.
The researchers spoke with one of the people who claimed they had been attacked, discovered weaknesses that proved an attack could occur in this manner and reported the issues to OpenSea. According to the security firm, the NFT trading platform corrected the problem within an hour and collaborated with researchers to ensure the remedy was successful.
While the attackers’ ability to drain whole wallets is obviously not a good look for OpenSea, the hack did require the user to click through a few prompts first, including one that might reveal transaction details. Receiving an NFT gift does not require your participation, but the malicious NFTs were harmless as long as they sat unopened in an OpenSea account.
The danger arises when the image is viewed by itself (for example, by right-clicking on it and selecting “open in new tab”). Doing so prompts users who have a crypto-wallet browser extension installed, such as MetaMask, to connect storage.opensea.io to their wallet. If the target clicks yes, the attackers gain access to the wallet’s details, and the target is then prompted to confirm a transfer from their wallet to the attackers’. You could lose everything in your wallet if you aren’t paying attention or don’t know what is going on when you confirm the transfer.
In a statement, OpenSea claims it hasn’t uncovered any evidence of someone actually carrying out such an attack; however, it’s still unclear what happened to those who claim to have been targeted. Only a few people mentioned getting hacked after receiving a gift NFT, as far as I could tell.
OpenSea says it’s collaborating with third-party wallet providers to make it easier for customers to spot false signature requests. Still, usual online safety precautions apply – don’t click on anything that doesn’t seem right, and don’t confirm any transaction requests until you’re certain it’s something you want to do.
While this attack required a lot of interaction (as well as at least some inattention) on the part of the target, Check Point’s assurance that OpenSea has patched it is encouraging. It’s easy to picture newcomers to NFTs having their wallets emptied, and we’ve seen bad actors and scams in the crypto industry before. Some people are willing to steal someone’s Ethereum, pose as OpenSea support agents, or sell a Banksy that is almost certainly fake.
On Monday, OpenSea also announced that it would remove gifted NFTs from an account’s page by default if they came from unverified collections, and add a feature to prevent your account from purchasing or selling NFTs if you believe your wallet has been hacked.