Security News > 2021 > October > Critical Flaw in OpenSea Could Have Let Hackers Steal Cryptocurrency From Wallets
A now-patched critical vulnerability in OpenSea, the world's largest non-fungible token marketplace, could've been abused by malicious actors to drain cryptocurrency funds from a victim by sending a specially-crafted token, opening a new attack vector for exploitation.
The findings come from cybersecurity firm Check Point Research, which began an investigation into the platform following public reports of stolen cryptocurrency wallets triggered by free airdropped NFTs. The issues were fixed in less than one hour of responsible disclosure on September 26, 2021.
"Left unpatched, the vulnerabilities could allow hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs," Check Point researchers said.
The modus operandi of the attack relies on sending victims a malicious NFT that, when clicked, results in a scenario whereby rogue transactions can be facilitated through a third-party wallet provider simply by providing a wallet signature to connect their wallets and perform actions on the targets' behalf.
OpenSea said it hasn't identified any instances where this vulnerability was exploited in the wild but added it's working with third-party wallet services to "Help users better identify malicious signature requests, as well as other initiatives to help users thwart scams and phishing attacks with greater efficacy."
"Blockchain innovation is fast-underway and NFTs are here to stay. Given the sheer pace of innovation, there is an inherent challenge in securely integrating software applications and crypto markets," said Oded Vanunu, head of products vulnerabilities research at Check Point.
News URL
Related news
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Hackers exploit critical bug in Array Networks SSL VPN products (source)
- Cryptocurrency hackers stole $2.2 billion from platforms in 2024 (source)
- Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools (source)