Cybersecurity researchers have revealed a now-patched security flaw in the Rarible Non-Fungible Token (NFT) marketplace that, if successfully exploited, could have led to account takeover and theft of crypto-assets.
“By tricking victims into clicking on a malicious NFT, an attacker can take full control of the victim’s crypto wallet to steal funds,” said Check Point researchers Roman Zaikin, Dikla Barda and Oded Vanunu in a report shared with The Hacker News.
Rarible, an NFT marketplace that allows users to create, buy, and sell NFT digital art like photographs, games, and memes, has over 2.1 million active users.
“There is still a huge gap, in terms of security, between Web2 and Web3 infrastructure,” Vanunu, head of product vulnerability research at Check Point, said in a statement shared with The Hacker News.
“Any small vulnerability can potentially allow cybercriminals to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols are lacking from a security perspective. The implications following a cryptographic hack can be extreme.”
The setApprovalForAll API allows a marketplace (in this case, Rarible) to transfer sold items from the seller’s address to the buyer’s address according to the implemented smart contract.
“This feature is very dangerous by design because it can allow anyone to control your NFTs if you are tricked into signing it,” the researchers pointed out.
“Users don’t always know exactly what permissions they are granting when signing a transaction. Most of the time the victim assumes that these are regular transactions when in fact they are giving control over their own NFTs.”
By granting the request, the fraudulent scheme effectively allows the adversary to transfer all NFTs from the victim’s account, which can then be sold by the attacker in the marketplace for a higher price.
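The approval described above is visible in the transaction calldata before the user signs it. The following check, an added example that is not code from Rarible or Check Point, decodes an ERC-721/ERC-1155 setApprovalForAll(operator, approved) call and flags a grant to an operator that is not on a user-maintained allowlist; the operator addresses are constructed placeholders, not real contracts.

```javascript
// First four bytes of keccak256("setApprovalForAll(address,bool)"), the ERC-721/1155 selector.
const SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465";

// Decode the ABI-encoded calldata of a setApprovalForAll call.
// Returns { operator, approved } or null when the data is not such a call.
function decodeSetApprovalForAll(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 + 64 + 64) return null;
  if (hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL_SELECTOR) return null;
  const operatorWord = hex.slice(8, 72);   // 32-byte word: 12 zero bytes + 20-byte address
  const approvedWord = hex.slice(72, 136); // 32-byte word: 31 zero bytes + 0x00 or 0x01
  if (!/^0{24}[0-9a-f]{40}$/.test(operatorWord)) return null;
  if (!/^0{63}[01]$/.test(approvedWord)) return null;
  return { operator: "0x" + operatorWord.slice(24), approved: approvedWord.endsWith("1") };
}

// Rate a pending transaction: granting blanket approval to an unknown operator is high risk,
// granting it to an allowlisted marketplace contract is low risk, revocations are fine.
function assessApprovalRequest(calldata, trustedOperators) {
  const decoded = decodeSetApprovalForAll(calldata);
  if (!decoded) return { risk: "none", reason: "not a setApprovalForAll call" };
  if (!decoded.approved) {
    return { risk: "none", reason: "revokes approval for " + decoded.operator, ...decoded };
  }
  const trusted = trustedOperators.map((a) => a.toLowerCase()).includes(decoded.operator);
  return trusted
    ? { risk: "low", reason: "grants all-NFT control to allowlisted operator", ...decoded }
    : { risk: "high", reason: "grants all-NFT control to UNKNOWN operator", ...decoded };
}

// Constructed sample values (placeholders, not real addresses or transactions).
const CONSTRUCTED_OPERATOR = "0x" + "11".repeat(20);
const CONSTRUCTED_MARKETPLACE = "0x" + "22".repeat(20);
const GRANT_CALLDATA =
  "0x" + SET_APPROVAL_FOR_ALL_SELECTOR +
  CONSTRUCTED_OPERATOR.slice(2).padStart(64, "0") + "1".padStart(64, "0");
const REVOKE_CALLDATA =
  "0x" + SET_APPROVAL_FOR_ALL_SELECTOR +
  CONSTRUCTED_OPERATOR.slice(2).padStart(64, "0") + "0".padStart(64, "0");

console.log(assessApprovalRequest(GRANT_CALLDATA, [CONSTRUCTED_MARKETPLACE]));
console.log(assessApprovalRequest(REVOKE_CALLDATA, [CONSTRUCTED_MARKETPLACE]));
```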
As a security measure, users are advised to carefully review transaction requests before granting any type of authorization. Previous token approvals can be reviewed and revoked by visiting the Etherscan Token Trust Checker tool.
“NFT users should be aware that there are various wallet applications – some of them are used only to connect the wallet, but others can provide full access to their NFTs and Tokens,” the researchers said.
A Rare Flaw In The NFT Market Could Have Allowed Attackers To Hijack Crypto Wallets