fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

OpenSea NFT Platform Bugs Let Hackers Steal Crypto Wallets

OpenSea NFT Platform Bugs Let Hackers Steal Crypto Wallets

Security researchers found that an attacker could leave OpenSea account owners with an empty cryptocurrency balance by luring them to click on malicious NFT art.

With a transaction volume of $3.4 billion, OpenSea is the world’s largest marketplace for buying, selling, and auctioning non-fungible tokens (NFTs) and other digital assets and collectibles.

Approving requests without review

Details emerged today about an issue on the OpenSea platform that let hackers hijack user accounts and steal the associated cryptocurrency wallets.

Also Read: 5 Brief Concepts Between Data Protection Directive vs GDPR

The attack method is as simple as creating an NFT with a malicious payload and waiting for a victim to take the bait and view it.

Multiple users reported empty cryptocurrency wallets after receiving gifts on the OpenSea marketplace, a marketing tactic known as “airdropping” and used to promote new virtual assets.

Users reporting empty wallets after NFT airdrop

Enticed by these accounts, researchers at cybersecurity company Check Point decided to take a closer look at how the platform works and check for vulnerabilities.

An OpenSea account requires a third-party cryptocurrency wallet from a list that the platform supports. One of the most popular is MetaMask, which is also what the researchers also chose.

Communication with the wallet occurs for any action in the account, including liking art in the system, which triggers a wallet sign-in request.

Liking art on OpenSea triggers MetaMask wallet sign in

The OpenSea platform lets anyone sell digital art, which can be files as large as 40MB with any of the following extensions: JPG, PNG, GIF, SVG, MP4, WEBM, MP3, WAV, OGG, GLB, GLTF.

Knowing this, Check Point uploaded to the OpenSea system an SVG image that carried malicious JavaScript code. When clicking on it to open in a new tab, they noticed that the file executed under the ‘storage.opensea.io’ subdomain.

They also added an iFrame to the SVG image to load HTML code that would inject the “window.ethereum” required to open communication with the victim’s Ethereum wallet.

Also Read: Top 10 Best Freelance Testing Websites That Will Pay You

“In our attack scenario, the user is asked to sign with their wallet after clicking an image received from a third party, which is unexpected behavior on OpenSea, since it does not correlate to services provided by the OpenSea platform, like buying an item, making an offer, or favoring an item” – Check Point

Abusing the wallet functionality is done through the Ethereum RPC-API, which starts the communication with MetaMask and opens the popup for connecting to the wallet.

An attacker then needed the victim to interact with the legitimate pop-up window so they could perform actions on behalf of the victim.

The researchers note that another signature request popup was required for the hacker to get the cryptocurrency in the wallet.

This would not have been much of a problem, though, since such requests “often appear as a system notice” and users are likely to approve the transaction without reading the message.

OpenSea NFT triggers popup to connect with MetaMask

With a transaction domain from the OpenSea platform and action that victims typically see with other NFT operations, it is easy to see how users could have fallen victims.

In a report today, Check Point researchers summarized the attack as follows:

  • Hacker creates and gifts a malicious NFT to a target victim
  • Victim views the malicious NFT, triggering a pop-up from OpenSea’s storage domain, requesting connection to the victim’s cryptocurrency wallet
  • Victim clicks to connect their wallet and perform the action on the gifted NFT, thus enabling access to the victim’s wallet
  • Hacker can get the money in the wallet by triggering an additional pop-up, also sent from OpenSea’s storage domain. The victim is likely to click on the pop-up without reading the note that describes the transaction

Check Point researchers informed OpenSea of their findings on September 26. The two parties collaborated to address the issue and OpenSea came up with a solution in less than an hour from the responsible disclosure.

OpenSea says that they could not identify any cases where attackers exploited this vulnerability but continue to raise awareness and educate the community on the best security practices and how to spot scams and phishing attempts.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us