Security flaws at NFT marketplace OpenSea left users' crypto wallets open to attack

The flaws, discovered by Check Point Software researchers, were promptly fixed.

NurPhoto via Getty Images

After finding itself embroiled in a controversy over insider trading, NFT marketplace OpenSea is getting some more bad press. The site had a critical security vulnerability that could have allowed hackers to steal users' entire crypto wallets, according to security research firm Check Point Software.

Check Point said it first noticed reports of stolen crypto wallets triggered by airdropped NFTs, prompting the firm to investigate OpenSea. That revealed critical security discoveries "that, if exploited, could have led hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs," the company said.

The attack relied on user inattention and the fact that OpenSea already generates a lot of pop-ups. If the victim received and viewed a malicious NFT sent by a hacker, it triggered a pop-up from OpenSea's storage domain, requesting a connection to the victim's cryptocurrency wallet. Clicking on the popup gave the hacker access to the wallet and allowed them to generate another popup. If the user also clicked on that without noticing a note describing the transaction, the attacker could theoretically steal all their money.

It seemed that a lot of things needed to go wrong for the attack to work, and it's not clear if it was actively exploited. Check Point said it disclosed the vulnerability as soon as it found it, and OpenSea said it implemented a fix "within an hour of it being brought to our attention." The company said it's "doubling down on community education around security," by adding a blog series and taking other measures.

The security research firm said that given the rapid pace of innovation, "there is an inherent challenge in securely integrating software applications and crypto markets." Bad actors are also drawn to crypto like wasps to pain au chocolat, so it's likely we'll hear about similar attacks in the near future.