Imperva’s threat team has announced uncovering a vulnerability affecting the largest non-fungible token (NFT) marketplace, OpenSea, valued at US$13.3 billion.
Imperva researchers demonstrated how an attacker could exploit a cross-site search vulnerability, potentially enabling an attacker to reveal a user's identity by linking an IP address, a browser session, or an email to a specific NFT and, therefore, a wallet address.
Given the premium placed on anonymity in the NFT realm, this type of exploit could have severely impacted OpenSea's business; potentially enabling an attacker to conduct targeted phishing attacks or to track which users had purchased high-value NFTs. However, Imperva notified OpenSea of the vulnerability, and the company quickly issued a patch restricting cross-origin communication, mitigating the risk of further exploitation. The Imperva Red Team validated the fix.
Interestingly, the vulnerability was created because of a misconfiguration of the iFrame-resizer open-source library used by OpenSea, which enabled the cross-site search vulnerability to exist, leading to the potential exposure of user identities. Notably, the researchers also ascertained that OpenSea used the ElasticSearch search tool after seeing the company advertise for ElasticSearch skills in a job advert.
Cross-site search (XS-Search) is a vulnerability in web applications that use query-based search systems. It allows an attacker to extract sensitive information from a different origin by sending queries and observing differences in the behaviour of the search system when it returns or doesn't return results. The attacker incrementally gathers information by sending multiple queries, using the distinguishable differences in the system's behaviour to extract more and more information.
OpenSea did not restrict cross-origin communication, enabling attackers to exploit this vulnerability through cross-site search attacks. The iFrame-resizer library broadcasts the width and height of the page, which can be used as an “oracle” to determine when a given search returns results because the page is smaller when a search returns zero results. By continuously searching the user’s assets, which is done cross-origin through a tab or popup, an attacker can leak the name of an NFT created by the user, thereby revealing their public wallet address. This information can associate the user’s identity with the leaked NFT and public wallet address.
This example highlights businesses' ongoing challenges in ensuring security in increasingly complex application environments, where misconfigurations are easily overlooked and exploited, particularly in newer decentralised app environments.
“The world of Web3 and decentralised applications (dApps) is rapidly expanding, bringing with it a host of new possibilities and challenges. As the popularity of dApps grows, so does the potential for security breaches and vulnerabilities," says Ron Masas, a security researcher at Imperva.
“Recent years have seen several high-profile hacks and vulnerabilities affecting popular Web3 platforms, highlighting the need for developers to prioritise security and privacy. From the infamous DAO hack on the Ethereum blockchain to more recent hacks targeting cross-chain bridges, it is clear that the security of Web3 applications must be a top priority."
“The vulnerability detected in OpenSea highlights the dangers of cross-origin communication, which can lead to XS-Leaks and other vulnerabilities. We appreciate OpenSea’s prompt response in addressing the security issue and working with us to mitigate it. Our team is dedicated to identifying and reporting vulnerabilities and collaborating with software providers to improve the safety and security of their platforms,” he concludes.