Analysis now shows that some of the NFT projects might be creating collections of their own by targeting users’ private data. Metamask and OpenSea have logged cases of IP address leaks linked with transferring nonfungible tokens (NFTs), based on the researchers at Convex Labs and OMNIA protocol.
The head of research at NFT organization Convex Labs, Nick Bax, tested out the way NFT marketplaces like OpenSea let attackers or vendors harvest or steal IP addresses. He came up with a listing for a Simpsons and South Park crossover image that he entitled “I just right click + saved your IP address”.
He used the image to prove and determine that when the nonfungible token listing gets viewed, it loads custom code, which then logs the viewer’s IP address and shares it with the vendor.
This NFT logs your IP address:https://t.co/hB34JuJLH9
🧵
— Nick (Bax.eth) (@bax1337) January 24, 2022
Bax admitted in a Twitter thread that he “does not consider my OpenSea IP logging NFT to be a vulnerability” since that is simply “the way it works.” It is crucial to note that NFTs are at their core, a piece of software code or digital data that can be pulled or pushed. It is most common for the real image to be stored in a remote server, while just the asset’s URL is on-chain.
Whenever an NFT is transferred to a blockchain address, the receiving crypto wallet fetches the remote image from the URL that is mainly associated with the NFT. Bax also explained the technical details through a Convex Labs Medium post that OpenSea enables NFT creators to add extra metadata that enables file extensions for HTML pages.
In case the metadata is primarily stored as a JSON file on a decentralized storage network like IPFS or the remote centralized cloud servers, then OpenSea can download this image just like an “invisible image” pixel logger and even host it on its server.
Therefore, when a possible buyer views the NFT on OpenSea, it loads the HTML page and fetches the invisible pixel that shows a user’s IP address and other data including browser version, geolocation, and operating system.
The co-founder of the privacy node service OMNIA Protocol, analyst Alex Lupascu, conducted his research with the Metamask mobile app with the same effects. He noted that a liability that enables vendors to send an NFT to a Metamask wallet and get a user’s IP address. He minted his NFT on OpenSea and then transferred the ownership of the NFT through airdrop to his Metamask wallet, and then concluded finding a ‘critical privacy vulnerability.’
My team and I discovered a critical privacy #vulnerability in the most popular #crypto #wallet.
Are you using MetaMask ?
Well, I have bad news for you – your #privacy is at risk!@samczsun @gakonst @VitalikButerin @cz_binance @phildaian https://t.co/ar30UMzR1G— Alex Lupascu (@alxlpsc) January 20, 2022
In his Medium post, Lupascu described the possible consequences of the way a:
“Malicious actor can mint an NFT with the remote image hosted on his server, then airdrop this collectible to a blockchain address (victim) and obtain his IP address.”
He worries that if an attacker collects many of these NFTs, points them all to one URL, and airdrops them to millions of wallets, then it may result in a massive scale distributed denial-of-service (DDoS) attack. The leaked personal data may result in kidnappings as Lupascu mentioned.
He said that a possible solution might be needing total user consent when it comes to the matters of fetching the remote image of the NFT: Metamask and all other wallets would have to prompt the user that a person on OpenSea or any other exchange wants to fetch the remote image of the NFT, and inform the user that their IP address might be exposed.
The CEO of Metamask, Dan Finlay, responded to Lupascu on Twitter saying that although “the issue has been known for a long time,” currently they are beginning to work on fixing it and enhancing user privacy and safety.
On the same day, even Vitalik Buterin saw the challenge of off-chain privacy within Web3. During a recent UpOnly podcast episode, Buterin insisted:
“The fight for more privacy is an important one. People are underestimating the risks of no privacy,” adding that the “more crypto-y everything becomes,” the more exposed we are.
1 comment