Explained: The OpenSea Wallet Takeover Vulnerability

The OpenSea vulnerability was exploited via the use of malicious non-fungible tokens (NFTs).  The attacker would airdrop these tokens to targets for free, which caused them to show up in the target’s OpenSea account.

The presence of an NFT in the target’s account wasn’t enough to exploit the vulnerability.  For the attack to execute, the user would need to actually view the image associated with the NFT such as opening it in a new tab.

Upon opening the NFT, a popup would appear from MetaMask or similar cryptocurrency wallet extensions asking if the user wanted to allow storage.opensea.io to connect to their wallet.  If they approved this, a second popup would appear asking the user to approve a transaction that transferred all of the value in their wallet to the attacker’s account.

Under the hood, the gift NFT sent to the user included an image that included executable code.  If the user opened the image, the embedded JavaScript code would execute within the storage.opensea.io subdomain.  Once connected, the malicious code could interact with MetaMask via an RPC API, allowing it to perform the malicious transaction that drains the target’s wallet.

This attack took advantage of victims clicking on and approving events without understanding what they meant.  The fact that the malicious JavaScript was executed under the storage.opensea.io subdomain gave the request for a connection to the wallet a level of legitimacy.  The follow-up transaction request then took advantage of the fact that users may not know what is going on and feel that the transaction is necessary to accept the NFT or something similar.

OpenSea has since fixed the vulnerability, but it underscores the importance of being cautious when working in the crypto space.  Accepting unknown NFTs and approving transactions without knowing what they are doing can place a user’s cryptocurrency holdings at risk.