OpenSea has just patched a critical vulnerability that could have been abused by malicious actors to drain cryptocurrency funds from a victim by sending a specially-crafted token in the form of a malicious NFT. When this malicious NFT is clicked, it results in a scenario whereby rogue transactions can be facilitated through a third-party wallet provider simply by providing a wallet signature to connect their wallets and perform actions on the targets’ behalf.
The investigation unraveling this findings started from cyber security firm Check Point Research this was after public reports of stolen cryptocurrency wallets triggered by free airdropped NFTs. The issues were fixed within an hour of disclosure on September 26, 2021.
“Left unpatched, the vulnerabilities could allow hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs,” Check Point researchers said.
There so far has been no instance of where this vulnerability has been exploited in the wild but OpenSea has also stated that it’s working with third-party wallet services to “help users better identify malicious signature requests, as well as other initiatives to help users thwart scams and phishing attacks with greater efficacy.