NFTs are still the talk of the town in the crypto world as Bored Apes, CryptoPunks and other popular NFTs sell for thousands — and in some cases — millions of dollars. Whether you’re an NFT creator or shopper, you’ve likely traded non-fungible tokens on OpenSea, the world’s largest NFT marketplace. However, its popularity comes at a price. It attracts crypto scammers who salivate over the thought of stealing from unsuspecting, vulnerable members.
Check Point, a cybersecurity research firm, found a critical flaw in the platform that put many OpenSea members at risk. Fortunately, OpenSea is aware of the vulnerability and worked on plugging the security holes.
OpenSea’s critical security flaws
OpenSea lets users mint any digital artwork into NFTs as long as they are one of the following extensions: JPG, PNG, GIF, SVG, MP4, WEBM, MP3, WAV, OGG, GLB, GLTF. It’s also worth noting that in order to buy and sell NFTs on OpenSea, members must connect a cryptocurrency wallet (e.g. Metamask) to the platform. Users are required to fund their wallet with cryptocurrencies (typically Ethereum) to pay for NFTs and/or gas fees.
As such, to test OpenSea’s network security, the Check Point Research team posed as a nefarious actor and embedded malicious code into an SVG image that is designed to lure unsuspecting victims into relinquishing their cryptocurrency wallets. As shown in the video below, the malicious act was successfully executed.
Fortunately, this attack vector no longer exists on the NFT marketplace. “OpenSea and Check Point worked together to make sure this attack flaw is now closed,” the report said.
Prior to patching the security flaw, Check Point investigators pointed out that hackers could steal cryptocurrencies by prompting victims to click on deceptive wallet approval windows after clicking on third-party links. For the uninitiated, before buying (or minting) an NFT on OpenSea, Metamask will launch a wallet approval window, prompting you to authorize (or reject) the transaction. This is normal behavior. However, if you see a wallet window randomly asking for your credentials after clicking on a third-party link, something is up!
“OpenSea does not request wallet approval for viewing or clicking third party links. Such activity is highly suspicious and users should not interact with wallet approvals that are unrelated to OpenSea specific actions,” the report said.
Check Point investigators warned that NFT buyers and sellers on OpenSea should be careful while interacting with their cryptocurrency wallets. It’s easy to mindlessly approve transactions, so it’s important to carefully review what’s being requested and determine whether it’s abnormal or harmless. “If you have any doubts, you should reject the request,” the report added.
Phishing isn’t the only way crypto scammers try to steal victims’ virtual assets. Check out our guide on the most popular hacks that plague the crypto world and how to avoid them.