OpenSea fixes vulnerability that may expose users’ identities

Non-fungible token marketplace OpenSea has reportedly patched a vulnerability that, if exploited, could reveal identifying information about its anonymous users.

In a March 9 blog post, cybersecurity firm Imperva detailed how it discovered the vulnerability, which it claimed could de-anonymize OpenSea users “by linking an IP address, a browser session, or an email under certain circumstances” to an NFT.

Because the NFT matches the address of a cryptocurrency wallet, a user’s real identity can be revealed from the information collected and linked to the wallet and its activity, Imperva explains.

The attack allegedly relied on a cross-site search vulnerability. Imperva alleged that OpenSea misconfigured a library that resizes web page elements which load HTML content from elsewhere, typically used to post ads, interactive content, or embedded videos.

Because OpenSea did not limit this library’s communications, exploiters could use the information it broadcasts as an “oracle” to determine when searches return no results, because the web page would then be smaller.

Imperva explained that an attacker would send their target a link via email or SMS, which, if clicked, “reveals valuable information such as the target’s IP address, user agent, device details, and software versions.”

Screenshot of the OpenSea front page. Source: OpenSea

The attacker would then use OpenSea’s vulnerability to extract their target’s NFT names and match the associated wallet address with identifying information, such as an email address or phone number to which the original link was sent.

Imperva said OpenSea “addressed the issue quickly” and appropriately restricted the library’s communications, reporting that the platform was “no longer at risk of such attacks.”
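The difference between the unrestricted and the restricted setting can be sketched as follows. This is an added example, not OpenSea's or Imperva's code: it assumes the library reports sizes through the browser's `postMessage` API, the origins, page heights and function names are constructed, and `FakeWindow` is a small stand-in for the browser's origin check so the sketch runs under Node.js.

```javascript
// Added example; origins, heights and names are constructed for illustration.
const TRUSTED_PARENT = "https://partner.example";

// Minimal model of a browser window: postMessage() delivers only when
// targetOrigin is "*" or equals the receiving window's origin.
class FakeWindow {
  constructor(origin) { this.origin = origin; this.received = []; }
  postMessage(data, targetOrigin) {
    if (targetOrigin === "*" || targetOrigin === this.origin) this.received.push(data);
  }
}

// Constructed heights: a result page with no hits renders shorter than one with hits.
function renderedHeight(resultCount) {
  return 200 + 120 * resultCount;
}

// Weak setting: the size report goes to whatever page embedded the content.
function reportSizeWeak(parent, height) {
  parent.postMessage({ type: "resize", height }, "*");
}

// Restricted setting: the size report names the one origin allowed to read it.
function reportSizeRestricted(parent, height) {
  parent.postMessage({ type: "resize", height }, TRUSTED_PARENT);
}

// Heights an embedding page at `parentOrigin` receives for two searches,
// one with no results and one with three results.
function observedHeights(parentOrigin, report) {
  const parent = new FakeWindow(parentOrigin);
  for (const resultCount of [0, 3]) report(parent, renderedHeight(resultCount));
  return parent.received.map((m) => m.height);
}

function demo() {
  return {
    untrustedWeak: observedHeights("https://other.example", reportSizeWeak),
    untrustedRestricted: observedHeights("https://other.example", reportSizeRestricted),
    trustedRestricted: observedHeights(TRUSTED_PARENT, reportSizeRestricted),
  };
}

console.log(demo());
```

With the weak setting the unrelated origin receives two different heights and can tell the empty result page from the non-empty one; with the restricted setting it receives nothing, while the trusted parent still gets the sizes it needs for resizing.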

Users of the platform have long been victims of attacks that mimic OpenSea functions to perform exploits, such as phishing websites similar to the platform or signature requests that appear to come from OpenSea.

OpenSea itself was criticized for its platform security due to a major phishing attack in February 2022 that resulted in the theft of NFTs worth more than $1.7 million from users.

As for the recently patched vulnerability, it is unknown how long it existed and whether any users were affected by the exploit.

OpenSea did not immediately respond to Cointelegraph’s request for comment.