OpenSea has fixed a vulnerability that revealed the identity of NFT owners
A cross-site search vulnerability threatened user trust in NFTs and in OpenSea.
Security researchers from the Imperva Red Team discovered a cross-site search (XS-Search) vulnerability in the OpenSea marketplace that allowed an attacker to reveal the identity of a user. The researchers published a video demonstrating how the attack works.
All an attacker needs to do is tie an IP address, email address, or browser session to a specific NFT. Because ownership of an NFT is public on the blockchain, knowing which NFT the victim owns yields the victim's wallet address, and that wallet address can then be linked to the victim's real identity.
The attacker sends a link to the target through a channel such as SMS or email. When the victim clicks the link, the attacker's page records the victim's IP address, device, user agent, and software version.
The attacker's page then uses the XS-Search vulnerability to learn the ID of an NFT the victim owns, looks up the wallet address that holds that NFT, and matches it with the phone number or email address to which the link was sent.
The flaw was caused by a misconfiguration of the "iFrame-resizer" library that OpenSea uses. This library reports the size of an embedded page to the page that embeds it; when that exchange is not restricted to trusted origins, any site can embed the page and read the size, which is enough for a cross-site search attack. OpenSea did not restrict that cross-origin exchange, which led to this issue.
This misconfiguration allows the user's identity to be revealed. Since the NFT ecosystem relies heavily on pseudonymity (wallet addresses rather than names), such a flaw could have serious consequences for OpenSea's business: an attacker who exploits it can launch targeted phishing attacks and can single out the users who bought the highest-value NFTs.
How the cross-site search vulnerability works
The cross-site search vulnerability, also called XS-Search, belongs to the XS-Leaks family of attacks. XS-Search affects web applications that expose a query-based search feature to a logged-in user.
The vulnerability allows an attacker's site to extract sensitive information from another origin by submitting search queries on the victim's behalf and observing differences in the search page's behavior (here, its rendered size) depending on whether or not the query returned results. The attacker gradually builds up information about the user by issuing many queries and using the observable difference between "results" and "no results" as a yes/no oracle on the victim's data.
After the vulnerability was reported, OpenSea quickly fixed it with an update that restricted the cross-origin message exchange used by iFrame-resizer, so that the size of an embedded OpenSea page is no longer reported to untrusted embedding sites. (This is a restriction on the cross-window messaging channel that iFrame-resizer is built on, a postMessage origin check rather than Cross-Origin Resource Sharing, CORS.) The fix prevented further exploitation of the vulnerability.
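The following simulation, added here as an illustration and not code from OpenSea, Imperva or the iFrame-resizer project, shows how the size-reporting channel described above becomes an XS-Search oracle and how restricting the message's target origin closes it. The origins, the NFT ids, the "victim owns" set and the pixel heights are all constructed; the `[iFrameSizer]id:height:width:type` string only approximates the library's message format, and `fakePostMessage` stands in for the browser's `window.postMessage` delivery rule (a message is delivered only when the target origin is `'*'` or matches the receiving window's origin).

```javascript
// Constructed origins and state for the simulation (assumptions, not real sites).
const TARGET_ORIGIN = 'https://marketplace.example';     // site being attacked
const TRUSTED_EMBEDDER = 'https://embed.marketplace.example'; // its legitimate parent page
const ATTACKER_ORIGIN = 'https://attacker.example';      // page the victim was lured to
const VICTIM_OWNED = new Set(['token-17', 'token-42']);   // constructed private state

// Simulated search page of the target site: for the logged-in victim it renders
// a result card only for NFTs the victim owns, so the height leaks ownership.
function renderSearchHeight(query) {
  const EMPTY_HEIGHT = 400; // header plus "no results" placeholder (constructed)
  const ROW_HEIGHT = 180;   // one result card (constructed)
  return EMPTY_HEIGHT + (VICTIM_OWNED.has(query) ? ROW_HEIGHT : 0);
}

// Stand-in for window.parent.postMessage(message, targetOrigin): the browser
// delivers the message to the embedding page only if targetOrigin is '*' or
// equals the embedder's origin. Returns whether the message was delivered.
function fakePostMessage(message, targetOrigin, embedderOrigin, onMessage) {
  if (targetOrigin !== '*' && targetOrigin !== embedderOrigin) return false;
  onMessage({ data: message, origin: TARGET_ORIGIN });
  return true;
}

// Child side: what the size-reporting script inside the search page does.
// Posting with targetOrigin '*' is the misconfiguration: any embedder gets the size.
function childReportSize(query, targetOrigin, embedderOrigin, onMessage) {
  const height = renderSearchHeight(query);
  const message = `[iFrameSizer]search:${height}:1200:init`; // approximated format
  return fakePostMessage(message, targetOrigin, embedderOrigin, onMessage);
}

// Parse the height out of a size message; null for anything else.
function parseSizeMessage(data) {
  if (typeof data !== 'string' || !data.startsWith('[iFrameSizer]')) return null;
  const [, height] = data.slice('[iFrameSizer]'.length).split(':');
  return Number(height);
}

// Attacker side: embed the victim's search page for one query and read the
// height the child reports. null means the channel is closed to this origin.
function probe(query, childTargetOrigin) {
  let observed = null;
  childReportSize(query, childTargetOrigin, ATTACKER_ORIGIN, (event) => {
    observed = parseSizeMessage(event.data);
  });
  return observed;
}

// XS-Search: measure a query known to have no results, then flag every
// candidate whose page is taller than that baseline as owned by the victim.
function xsSearch(candidates, childTargetOrigin) {
  const baseline = probe('no-such-token', childTargetOrigin);
  if (baseline === null) return null; // no oracle: the leak is closed
  return candidates.filter((id) => probe(id, childTargetOrigin) > baseline);
}

// The legitimate parent should also drop size messages from unexpected origins.
function trustedParentHandler(event, expectedChildOrigin) {
  if (event.origin !== expectedChildOrigin) return null;
  return parseSizeMessage(event.data);
}

// Runs the attack against the misconfigured and the hardened child.
function demo() {
  const candidates = ['token-1', 'token-17', 'token-42', 'token-99'];
  return {
    vulnerable: xsSearch(candidates, '*'),              // leaks token-17, token-42
    hardened: xsSearch(candidates, TRUSTED_EMBEDDER),   // null: attacker gets nothing
  };
}
```

The hardened variant only changes the target origin the child posts to; the attacker's page still embeds the search page, but the browser never hands it the size message, so every probe returns `null` and the oracle disappears. `trustedParentHandler` is the matching check on the receiving side, which a real parent page should perform as well.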