Critical security issues in the OpenSea NFT marketplace that allowed attackers to steal cryptocurrency wallet funds have been patched.
NFTs, also known as non-fungible tokens, are digital assets that can be sold and traded on the blockchain. While some NFTs — from a pixel cartoon to a popular meme — can reach a sale price of millions of dollars, the popularity of this phenomenon has also created a new attack vector for exploitation.
On Wednesday, the Check Point Research (CPR) team said that flaws in the OpenSea NFT marketplace could have allowed “hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs.”
An investigation was launched after reports surfaced of malicious NFTs, airdropped for free, being used as conduits for cryptocurrency theft and account hijacking.
Neither the NFT itself nor the airdrop was the source of the issue. Instead, once an NFT had been gifted to a potential victim and they viewed it, a pop-up would trigger, requesting a signature to connect to a wallet. A secondary signature request prompt would then appear and, if accepted, could grant attackers access to an unwitting user’s wallet, funds, and more.
In OpenSea’s case,