Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Open Sea. Show all posts

OpenSea NFT Market Users' Identities Were Exposed via a Bug

In 2022, OpenSea had more than 1 million members who had registered and more than 121 million people visited the website each month. Because of this, OpenSea is not only the biggest NFT market but also a highly attractive target for cybercriminals. Any platform flaw could present a chance for criminal activity and result in catastrophe for gullible consumers.

The cross-site search vulnerability, which a hacker can use to gain user identities, was made possible by a misconfiguration.

According to the report, OpenSea has subsequently issued a patch to address the problem. In order to reduce the possibility of additional exploitation, the patch limits cross-origin communication. The vulnerability no longer exists, according to the cyber security company's analysis of the remedy.

Web applications which use query-based search systems are vulnerable to cross-site search. By submitting queries and looking for variations in the search system's behavior when it returns or doesn't, it enables an attacker to retrieve sensitive data from another origin.

After confirming that the fundamental exploit strategies were effective, researchers started looking at OpenSea's search feature. ElasticSearch was referenced by the company in one of their job listings, therefore this is probably the engine they utilize for their search function. 

With the help of ElasticSearch, you can swiftly search through and analyze huge amounts of data. ElasticSearch's capacity to normalize language via language-specific analyzers and stemmers is one of its important features.

The $13.3 billion market's use of the incorrectly configured iFrame-resizer library is the root of the problem. Cross-site search vulnerability occurs when this library is used in environments where cross-origin communication is unrestricted. This problem resulted from OpenSea's lack of restrictions.

Misconfiguration permits the existence of this bug and user identity exposure. Given that the NFT ecosystem is solely predicated on anonymity, this kind of weakness might have major financial repercussions for OpenSea because, if exploited, the attacker could conduct phishing assaults. They could also keep tabs on those who made the most expensive NFT purchases.

Immediately after the vulnerability was made public, OpenSea patched it by limiting cross-origin communication. This reduced the vulnerability's potential for further exploitation. In order to stop the exploitation of these platforms, it is crucial to be constantly on the lookout for inherent faults and vulnerabilities.


OpenSea Warns of Discord Channel Hack

 

The nonfungible token (NFT) marketplace OpenSea had a server breach on its primary Discord channel, with hackers posting phoney "Youtube partnership" announcements. A screenshot shared on Friday reveals a phishing site linked to fraudulent collaboration news. 

The marketplace's Discord server was hacked Friday morning, according to OpenSea Support's official Twitter account, which urged users not to click links in the channel. OpenSea has "partnered with YouTube to bring their community into the NFT Space," according to the hacker's original post on the announcements channel. 

It also stated that they will collaborate with OpenSea to create a mint pass that would allow holders to mint their project for free. The attacker appeared to have been able to stay on the server for a long time before OpenSea staff was able to recover control. The hacker uploaded follow-ups to the initial totally bogus statement, reiterating the phoney link and saying that 70% of the supply had already been coined, in an attempt to generate "fear of missing out" in the victims. 

The scammer also tried to persuade OpenSea users by claiming that anyone who claimed the NFTs would receive "insane utilities" from YouTube. They state that this offer is one-of-a-kind and that there would be no other rounds to engage in, which is typical of scammers. As of this writing, on-chain data indicates that 13 wallets have been infiltrated, with the most valued stolen NFT being a Founders' Pass worth about 3.33 ETH ($8,982.58). 

According to initial reports, the hacker used webhooks to get access to server controls. A webhook is a server plugin that lets other software get real-time data. Hackers are increasingly using webhooks as an attack vector since they allow them to send messages from official server accounts. The OpenSea Discord server isn't the only one that uses webhooks. 

In early April, a similar flaw enabled the hacker to utilise official server identities to post phishing links on several popular NFT collections' channels, including Bored Ape Yacht Club, Doodles, and KaijuKings.