Security flaws at NFT marketplace OpenSea left users' crypto wallets open to attack

The flaws, discovered by Check Point Software researchers, were promptly fixed.

Sponsored Links

OpenSea logo displayed on a phone screen and representation of cryptocurrencies are seen in this illustration photo taken in Krakow, Poland on August 26, 2021. (Photo by Jakub Porzycki/NurPhoto via Getty Images)
NurPhoto via Getty Images

After finding itself embroiled in a controversy over insider trading, NFT marketplace OpenSea is getting some more bad press. The site had a critical security vulnerability that could have allowed hackers to steal users' entire crypto wallets, according to security research firm Check Point Software.  

Check Point said it first noticed reports of stolen crypto wallets triggered by airdropped NFTs, prompting the firm to investigate OpenSea. That revealed critical security discoveries "that, if exploited, could have led hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs," the company said. 

The attack relied on user inattention and the fact that OpenSea already generates a lot of pop-ups. If the victim received and viewed a malicious NFT sent by a hacker, it triggered a pop-up from OpenSea's storage domain, requesting a connection to the victim's cryptocurrency wallet. Clicking on the popup gave the hacker access to the wallet and allowed them to generate another popup. If the user also clicked on that without noticing a note describing the transaction, the attacker could theoretically steal all their money.  

Turn on browser notifications to receive breaking news alerts from Engadget
You can disable notifications at any time in your settings menu.
Not now

It seemed that a lot of things needed to go wrong for the attack to work, and it's not clear if it was actively exploited. Check Point said it disclosed the vulnerability as soon as it found it, and OpenSea said it implemented a fix "within an hour of it being brought to our attention." The company said it's "doubling down on community education around security," by adding a blog series and taking other measures. 

The security research firm said that given the rapid pace of innovation, "there is an inherent challenge in securely integrating software applications and crypto markets." Bad actors are also drawn to crypto like wasps to pain au chocolat, so it's likely we'll hear about similar attacks in the near future. 

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission. All prices are correct at the time of publishing.
Popular on Engadget