Rarible NFT Marketplace Flaw Could've Let Attackers Hijack Crypto Wallets
2022-04-14 22:42

Cybersecurity researchers have disclosed a now-fixed security flaw in the Rarible non-fungible token marketplace that, if successfully exploited, could have led to account takeover and theft of cryptocurrency assets.

Rarible, an NFT marketplace that enables users to create, buy, and sell digital NFT art like photographs, games, and memes, has over 2.1 million active users.

"Any small vulnerability can possibly allow cyber criminals to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols are lacking from a security perspective. The implications following a crypto hack can be extreme."

The attack hinges on a malicious actor sending potential victims a link to a rogue NFT that, when opened in a new tab, executes arbitrary JavaScript code, potentially allowing the attacker to gain complete control over the victims' NFTs by sending a setApprovalForAll request to the wallet.

If the victim grants the request, the fraudulent scheme effectively permits the adversary to transfer all the NFTs from the victim's account, which the attacker can then sell on the marketplace for a higher price.

"NFT users should be aware that there are various wallet requests - some of them are used just to connect the wallet, but others may provide full access to their NFTs and Tokens," the researchers said.
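The distinction the researchers draw between connect-only requests and full-access requests can be checked mechanically before a request is approved. The following is an added example, not code from the article or from Rarible: it decodes the calldata of a wallet request and flags a setApprovalForAll grant. The function names, sample requests and placeholder addresses are assumptions made for illustration.

```javascript
// Added example (not from the article): triage wallet requests by what they grant.
// 4-byte selector of setApprovalForAll(address operator, bool approved), ERC-721/ERC-1155.
const SET_APPROVAL_FOR_ALL = "a22cb465";

// Split ABI-encoded calldata into its selector and 32-byte argument words.
function splitCalldata(data) {
  const hex = String(data || "").replace(/^0x/i, "").toLowerCase();
  if (hex.length < 8 || !/^[0-9a-f]+$/.test(hex)) return null;
  const words = [];
  for (let i = 8; i + 64 <= hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector: hex.slice(0, 8), words };
}

// Classify one EIP-1193 style request ({ method, params }) sent by a dapp page.
function classifyWalletRequest(req) {
  if (req.method === "eth_requestAccounts") {
    return { risk: "low", summary: "connect wallet: exposes account address only" };
  }
  if (req.method !== "eth_sendTransaction") {
    return { risk: "unknown", summary: "unclassified method " + req.method };
  }
  const tx = (req.params || [])[0] || {};
  const call = splitCalldata(tx.data);
  if (!call || call.selector !== SET_APPROVAL_FOR_ALL || call.words.length < 2) {
    return { risk: "unknown", summary: "transaction needs manual review" };
  }
  const operator = "0x" + call.words[0].slice(24);      // address = low 20 bytes of word 0
  const approved = BigInt("0x" + call.words[1]) !== 0n; // bool = word 1 is non-zero
  return approved
    ? { risk: "high", operator, summary: "gives " + operator + " transfer rights over every NFT in " + tx.to }
    : { risk: "low", operator, summary: "revokes operator " + operator + " on " + tx.to };
}

// Constructed sample requests (addresses are placeholders, not real accounts).
const OPERATOR = "0x" + "11".repeat(20);
const COLLECTION = "0x" + "22".repeat(20);
const approvalData = (flag) =>
  "0x" + SET_APPROVAL_FOR_ALL + "0".repeat(24) + "11".repeat(20) + "0".repeat(63) + flag;
const SAMPLES = [
  { method: "eth_requestAccounts", params: [] },
  { method: "eth_sendTransaction", params: [{ to: COLLECTION, data: approvalData("1") }] },
  { method: "eth_sendTransaction", params: [{ to: COLLECTION, data: approvalData("0") }] },
];
for (const s of SAMPLES) console.log(s.method, "->", classifyWalletRequest(s));
```

Anything the classifier does not recognise is reported as unknown rather than low risk, so an unfamiliar contract call is never treated as a harmless connect request.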


News URL

https://thehackernews.com/2022/04/rarible-nft-marketplace-flaw-couldve.html