Cyber-security firm Imperva recently uncovered a serious security flaw on OpenSea, the world’s largest NFT marketplace, that could have been exploited to steal users' identities.
A team at Imperva called the Red Team exposed a major security flaw on OpenSea that left the site’s users vulnerable to identity theft.
The Red Team discovered that the site’s cross-site search (XS-Search) had a bug that a hacker could use to uncover a user’s identity.
Did you know?
Want to get smarter & wealthier with crypto?
Subscribe - We publish new crypto explainer videos every week!
Where to Trade Crypto: 3 Best Approaches Explained (Animated)
To uncover a user’s true identity, a hacker only needed to link an IP address, email, or browser session to a given NFT, which would give them access to a wallet address, revealing the user’s identity. Consequently, it would take away anonymity on OpenSea.
However, the security flaw has now been fixed. The fix was announced just four days after Imperva published its detailed report. While shocking, it is not the first time OpenSea has faced a security issue.
Malicious actors would usually target OpenSea users by creating fake copies of its official site in an attempt to steal customer data. The platform suffered a major phishing incident in February 2022, leading to users losing $1.7 million of NFTs.
In another incident in October 2021, Check Point detailed how OpenSea users could have their accounts drained by hackers. At that time, Check Point claimed that users would receive a malicious NFT gift, giving hackers full access to their account holdings.
OpenSea has not revealed whether anyone fell victim to the latest security vulnerability. Additionally, no one has complained about losing their NFTs to malicious actors.
At the end of February, OpenSea declared plans to decrease fees and offer enhanced creator royalties as rival marketplaces keep stealing its once-leading user base.