Check Point Research (CPR) has discovered a critical flaw affecting the crypto wallets of users of the NFT marketplace OpenSea and warned the company to fix it before attackers began exploiting it. OpenSea is the largest digital collectible marketplace, a peer-to-peer marketplace for crypto collectibles and non-fungible tokens, commonly known as NFTs. It has acknowledged the flaw reported by the cybersecurity firm.
The company recorded $3.4 billion in transaction volume in August 2021 alone and has grown to be the largest marketplace for non-fungible tokens of the crypto world.
Left unpatched, the vulnerabilities could have allowed hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs, Check Point said. CPR immediately disclosed the findings to OpenSea, which deployed a fix less than one hour after the disclosure.
“Security is fundamental to OpenSea. We appreciate the CPR team bringing this vulnerability to our attention and collaborating with us as we investigated the matter and implemented a fix within an hour of it being brought to our attention. These attacks would have relied on users approving malicious activity through a third-party wallet provider by connecting their wallet and providing a signature for the malicious transaction,” the company said in a press statement.
Hackers could create a malicious NFT and gift it to a target victim. Viewing the malicious NFT would trigger a pop-up from OpenSea’s storage domain requesting a connection to the victim’s cryptocurrency wallet (such pop-ups are common on the platform for various other activities).
If the victim clicked the pop-up to connect their wallet, the attacker would gain complete access to it. The end result could be the theft of all the coins and digital assets stored in the user’s entire cryptocurrency wallet.
CPR recommends being careful when receiving requests to sign one’s wallet online. “Before you approve a request, you should carefully review what is being requested, and consider whether the request is abnormal or suspicious. If you have any doubts, you should reject the request and examine further, before providing authorization,” the company added.
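The anomaly in the attack flow above is that the wallet-connection prompt originates from a static-content (storage) domain rather than the marketplace application itself, and CPR's advice is to review every request before approving it. The following is an added example, not code from OpenSea or Check Point, of a wallet-side guard that applies that review automatically: it allows connection and signing requests only from an expected application origin, rejects any request coming from a host that only serves static content, and defers unknown origins to the user. All origin names, host patterns and request objects are constructed placeholders.

```javascript
// Added illustration (not OpenSea's or Check Point's code): a guard that a
// wallet extension could run on an incoming dApp request before showing the
// user a connect/sign pop-up. Origins and hosts below are made-up placeholders.

// Origins from which the marketplace application is expected to talk to the wallet.
const EXPECTED_APP_ORIGINS = new Set(["https://app.marketplace.example"]);

// Hosts that only serve static content (NFT images, metadata) have no business
// asking for a wallet connection or a signature; such a request is the anomaly.
const STATIC_CONTENT_HOST_PATTERNS = [/^storage\./i, /^cdn\./i, /^assets\./i];

// Methods that either connect the wallet or authorize something on its behalf.
const CONNECT_METHODS = new Set(["eth_requestAccounts", "wallet_requestPermissions"]);
const SIGNING_METHODS = new Set([
  "personal_sign",
  "eth_sign",
  "eth_signTypedData_v4",
  "eth_sendTransaction",
]);

// request = { origin: "https://host", method: "eth_requestAccounts" }
// Returns { decision: "allow" | "reject" | "ask-user", reason: string }.
function reviewWalletRequest(request, expectedOrigins = EXPECTED_APP_ORIGINS) {
  let url;
  try {
    url = new URL(request.origin);
  } catch {
    return { decision: "reject", reason: "unparseable origin" };
  }

  // A wallet prompt must never be driven from a non-TLS page.
  if (url.protocol !== "https:") {
    return { decision: "reject", reason: "insecure origin" };
  }

  // Static-content hosts are rejected regardless of method: they are exactly
  // the kind of origin an embedded malicious asset would be served from.
  if (STATIC_CONTENT_HOST_PATTERNS.some((p) => p.test(url.hostname))) {
    return { decision: "reject", reason: "request from static-content host" };
  }

  if (expectedOrigins.has(url.origin)) {
    return { decision: "allow", reason: "known application origin" };
  }

  // Unknown origin: never auto-approve a signature or transaction, but let the
  // user decide about a plain connection request after reviewing it.
  if (SIGNING_METHODS.has(request.method)) {
    return { decision: "reject", reason: "signing request from unknown origin" };
  }
  if (CONNECT_METHODS.has(request.method)) {
    return { decision: "ask-user", reason: "connection request from unknown origin" };
  }
  return { decision: "reject", reason: `unsupported method ${request.method}` };
}

// Constructed sample requests, run through the guard for illustration.
const SAMPLE_REQUESTS = [
  { origin: "https://app.marketplace.example", method: "eth_requestAccounts" },
  { origin: "https://storage.marketplace.example", method: "eth_requestAccounts" },
  { origin: "https://storage.marketplace.example", method: "eth_signTypedData_v4" },
  { origin: "https://some-dapp.example", method: "eth_requestAccounts" },
  { origin: "https://some-dapp.example", method: "personal_sign" },
  { origin: "http://app.marketplace.example", method: "eth_requestAccounts" },
];

function reviewAll(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => ({ ...r, ...reviewWalletRequest(r) }));
}

for (const result of reviewAll()) {
  console.log(`${result.decision.padEnd(8)} ${result.method.padEnd(22)} ${result.origin}  (${result.reason})`);
}
```

The guard is deliberately conservative: the only automatic "allow" is a request from the application origin the user (or the wallet vendor) has explicitly listed, and anything that would authorize value movement from an unlisted origin is refused outright rather than left to a hurried click on a pop-up.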