Proof Of Concept NFT Can Swipe Unsuspecting User's IP Address

It turns out that some NFTs may be building their own collections. Their goal? Your personal data.

This proof of concept NFT can swipe the IP address of an unsuspecting user

According to researchers at Convex Labs and the OMNIA protocol, both OpenSea and Metamask have documented cases of IP address leaks associated with NFT transfers.

Nick Bax, head of research at Convex Labs, tested how NFT marketplaces like OpenSea let sellers or attackers collect IP addresses. He created a listing for a Simpsons/South Park crossover image, titled “Just right click + save your IP”, to demonstrate that when the NFT listing is viewed, it loads custom code that records the viewer’s IP address and sends it to the listing’s creator.

In a Twitter thread, Bax admitted that he “doesn’t consider NFT logging my OpenSea IP a security hole” because that’s simply “the way it works.” It’s important to remember that NFTs are at their core a piece of software code or digital data that can be pushed or pulled. It is quite common for the actual image or content to be hosted on a remote server, while only the URL of the asset is on-chain. When an NFT is transferred to a blockchain address, the receiving crypto wallet fetches the remote image from the URL associated with the NFT.

Bax gives the technical details in a Convex Labs Medium post: OpenSea allows NFT creators to add extra metadata, including files with HTML extensions. If that metadata is stored as a JSON file on a decentralized storage network like IPFS, or on a centralized cloud server, OpenSea downloads the image along with the “invisible image” pixel logger and hosts it on its own server. So when a potential buyer views the NFT on OpenSea, the page loads the HTML and fetches a hidden pixel that reveals the user’s IP address and other data such as geographic location, browser version, and operating system.

Analyst Alex Lupascu, co-founder of the privacy node service OMNIA Protocol, did his own research with the Metamask mobile app and found similar results. He discovered a weakness that allows whoever sends an NFT to a Metamask wallet to obtain the recipient’s IP address. He minted his own NFT on OpenSea, transferred ownership of it via airdrop to his Metamask wallet, and concluded that he had found a “serious vulnerability”.


In a Medium post, Lupascu described the potential consequences of a “malicious person being able to create an NFT with remote images stored on his server, and then distribute the collection to a blockchain address (the victim) and get his IP address.” His concern is that if an attacker creates a collection of NFTs, points them all at a single URL, and transfers them to millions of wallets, the resulting fetches could amount to a large-scale distributed denial-of-service (DDoS) attack. According to Lupascu, the leak of personal data can also lead to fraud.

He also suggested a potential solution that would require explicit consent from the user before an NFT’s remote image is fetched: Metamask or any other wallet would tell the user that OpenSea, an exchange, or some other party is about to fetch a remote image for the NFT, and warn that their IP address may be exposed.
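The metadata described above and the consent prompt Lupascu proposes can be combined into a pre-fetch check. The following is an added example written for this article, not code from OpenSea, Metamask or OMNIA: it parses an ERC-721 style metadata document, classifies each asset URL by how much a fetch would reveal to a creator-controlled server, and decides whether a wallet should prompt before loading anything. The field names, risk levels and sample hostname are assumptions.

```python
import json
from urllib.parse import urlparse

# ipfs:// is resolved through a gateway the wallet chooses, so the creator's
# server is not contacted; data: URIs are inline and need no fetch at all.
CONTENT_ADDRESSED = {"ipfs"}
INLINE = {"data"}
HTML_EXTENSIONS = (".html", ".htm")
# Metadata fields that commonly carry a fetchable asset (assumed set).
ASSET_FIELDS = ("image", "image_url", "animation_url", "external_url")

def classify_url(url):
    """Return (risk, reason) for one asset URL found in NFT metadata."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme in INLINE:
        return "none", "inline data URI, no network fetch"
    if scheme in CONTENT_ADDRESSED:
        return "low", f"{scheme}:// resolved via the wallet's own gateway"
    if scheme in ("http", "https"):
        host = parsed.hostname or "?"
        if parsed.path.lower().endswith(HTML_EXTENSIONS):
            return "high", f"remote HTML page on {host} may embed a tracking pixel"
        return "medium", f"fetch reveals the viewer's IP address to {host}"
    return "high", f"unrecognised scheme {scheme!r}"

def assess_metadata(metadata_json):
    """Classify every asset field in a metadata JSON document.
    Returns {field: (url, risk, reason)}."""
    meta = json.loads(metadata_json)
    findings = {}
    for field in ASSET_FIELDS:
        url = meta.get(field)
        if isinstance(url, str) and url:
            risk, reason = classify_url(url)
            findings[field] = (url, risk, reason)
    return findings

def needs_consent(findings):
    """True when any asset would be fetched from a server the creator controls,
    i.e. when a wallet following Lupascu's suggestion should prompt first."""
    return any(risk in ("medium", "high") for _, risk, _ in findings.values())

# Constructed sample: the image is pinned on IPFS (placeholder CID), but the
# animation_url is an HTML page on a centralised host the creator controls.
SAMPLE_METADATA = json.dumps({
    "name": "example token",
    "image": "ipfs://bafyplaceholdercid/image.png",
    "animation_url": "https://creator.example/token/1.html",
})
```

Run `assess_metadata(SAMPLE_METADATA)` to see the IPFS image rated low and the HTML page rated high, so `needs_consent` returns True for this token.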

Dan Finlay, CEO of Metamask, replied to Lupascu on Twitter, saying that while the “issue has been known for a long time,” they are now starting work to fix it and improve user safety and privacy.

That same day, Vitalik Buterin also acknowledged the off-chain privacy challenges in Web3. On a recent episode of the UpOnly podcast, Buterin said that “the battle for more privacy is an important one. People are underestimating the risks of not having privacy,” adding that “the more crypto becomes, the more exposure we have.”
