This proof of concept NFT can swipe unsuspecting users' IP addresses

3 months ago 69

Both OpenSea and Metamask person logged cases of IP code leaks associated with transferring NFTs, according to researchers astatine Convex Labs and OMNIA protocol.

Nick Bax, caput of probe astatine NFT enactment Convex Labs tested retired however NFT marketplaces similar OpenSea let vendors oregon attackers to harvest IP addresses. He created a listing for a Simpsons and South Park crossover image, entitling it “I conscionable close click + saved your IP address” to beryllium that erstwhile the NFT listing is viewed, it loads customized codification that logs the viewer's IP code and shares it with the vendor.

— bax.eth (@bax1337) January 24, 2022

In a Twitter thread, Bax admitted that helium "does not see my OpenSea IP logging NFT to beryllium a vulnerability" due to the fact that that is simply "the mode it works." It's important to retrieve that NFTs are astatine their halfway a portion of bundle codification oregon integer information that tin beryllium pushed oregon pulled. It is rather communal for the existent representation oregon plus to beryllium stored connected a distant server, portion lone the asset's URL is on-chain. When an NFT is transferred to a blockchain address, the receiving crypto wallet fetches the distant representation from the URL associated with the NFT.

Bax further explained the method details successful a Convex Labs Medium station that OpenSea allows NFT creators to adhd additional metadata that enables record extensions for HTML pages. If the metadata is stored arsenic a json record connected a decentralized retention web specified arsenic IPFS oregon connected distant centralized unreality servers, past OpenSea tin download the representation arsenic good arsenic an “invisible image” pixel logger and big it connected its ain server. Thus erstwhile a imaginable purchaser views the NFT connected OpenSea, it loads the HTML leafage and fetches the invisible pixel that reveals a user’s IP code and different information similar geolocation, browser mentation and operating system.

Analyst Alex Lupascu, co-founder of the privateness node work OMNIA Protocol, conducted his ain probe with the Metamask mobile app with akin effects. He discovered a liability that allows a vendor to nonstop an NFT to a Metamask wallet and get a user's IP address.  He minted his ain NFT connected OpenSea and transferred the ownership of the NFT via airdrop to his Metamask wallet, and concluded uncovering a "critical privateness vulnerability." 

— Alex Lupascu (@alxlpsc) January 20, 2022

Related: MetaMask’s caller inbuilt multichain organization custody feature

In a Medium post, Lupascu described the imaginable consequences of however a "malicious histrion tin mint an NFT with the distant representation hosted connected his server, past airdrop this collectible to a blockchain code (victim) and get his IP address." His interest is that if an attacker gathers a postulation of NFTs, points each of them to a azygous URL and airdrops them to millions of wallets, past it could effect successful a ample standard distributed denial-of-service, oregon DDoS attack. Having idiosyncratic information leaked tin besides pb to kidpnapping, according to Lupascu. 

He besides suggested a imaginable solution could beryllium requiring explicit idiosyncratic consent erstwhile it comes to fetching the distant representation of the NFT: Metamask oregon immoderate different wallet would punctual the idiosyncratic that idiosyncratic connected OpenSea oregon different speech is fetching the distant representation of the NFT, and informing the idiosyncratic that his oregon her IP code whitethorn beryllium exposed.

Dan Finlay, CEO of Metamask, responded to Lupascu connected Twitter stating that adjacent though "the contented has been known for a agelong time" they are present starting enactment to hole it and amended idiosyncratic information and privacy.

That aforesaid day, adjacent Vitalik Buterin recognized the challenges of off-chain privateness wrong Web3. On a caller UpOnly podcast episode, Buterin said that "the combat for much privateness is an important one. People are underestimating the risks of nary privacy," adding that the "more crypto-y everything becomes," the much exposed we are.

Read Entire Article