Both OpenSea and Metamask have reported cases of IP address leaks associated with the transfer of NFTs, according to researchers at Convex Labs and OMNIA Protocol.
NickBax, head of research at the NFT organization, Convex Labs, tested how NFT marketplaces like OpenSea allow sellers or attackers to harvest IP addresses. Created a Simpsons and South Park-style one-image ad with the title “I just right click + saved your IP address” to demonstrate that when the NFT ad is viewed, a custom code is loaded that logs the address Visitor’s IP and share it with the seller.
This NFT logs your IP address:https://t.co/hB34JuJLH9
— bax.eth (@bax1337) January 24, 2022
This NFT records your IP address.
In a Twitter thread, Bax admitted that “doesn’t consider my OpenSea IP Logging NFT to be a vulnerability” because it’s just “the way it works”. It is important to remember that NFTs are essentially a piece of software code or digital data that can be embedded or extracted. It is quite common for the actual image or asset to be stored on a remote server, while only the asset URL is on-chain. When an NFT is transferred to a blockchain address, the receiving wallet gets the remote image from the URL associated with the NFT.
Bax further explained the technical details in a Convex Labs Medium post, where he says that OpenSea allows NFT creators to add additional metadata that enables file extensions to HTML pages. If the metadata is stored as a json file on a decentralized storage network like IPFS or on remote centralized cloud servers, then OpenSea can download the image as well as an “invisible image” pixel logger and host it on its own server. Thus, when a potential buyer views the NFT on OpenSea, they load the HTML page and retrieve the invisible pixel that reveals the user’s IP address and other data such as geographic location, browser version, and operating system.
the analyst Alex Lupascu, co-founder of OMNIA Protocol privacy node service, conducted their own research using the Metamask mobile app with similar effects. He discovered a vulnerability that allows a seller to send an NFT to a Metamask wallet and obtain a user’s IP address. He minted his own NFT on OpenSea and transferred ownership of the NFT via airdop to Metamask wallet, ultimately finding a “critical privacy vulnerability.”
My team and I discovered a critical privacy #vulnerability in the most popular #crypto #wallet.
Are you using MetaMask ?
Well, I have bad news for you – your #privacy is at risk!@samczsun @gakonst @VitalikButerin @cz_binance @phildaian https://t.co/ar30UMzR1G— Alex Lupascu (@alxlpsc) January 20, 2022
My team and I discovered a critical privacy vulnerability in the most popular cryptocurrency wallet.
Are you using MetaMask?
Well, I have bad news for you: your privacy is at risk!
In a Medium post, Lupascu outlined the possible consequences of how a “malicious actor can mint an NFT with the remote image hosted on their server, and then send this collectible to a (victim) blockchain address and obtain their IP address.” Their concern is that if an attacker assembles a collection of NFTs, points them all to a single URL, and sends them to millions of wallets, then it could lead to a Distributed Denial of Service (DDoS) attack on big scale. According to Lupascu, the leak of personal data can also lead to kidnapping.
He also suggested that a possible solution could be to require the explicit consent of the user when obtaining the remote image of the NFT: Metamask or any other wallet would alert the user that someone from OpenSea or another market is getting the remote image of the NFT, and inform the user that their IP address may be exposed.
Dan Finley, Metamask CEO, answered to Lupascu on Twitter stating that, although “the problem has been known for a long time”, now they are starting to work to fix it and improve the security and privacy of users.
That same day, even Vitalik Buterin acknowledged the challenges around off-chain privacy within Web 3.0. In a recent episode of the UpOnly podcast, Buterin said that “the fight for more privacy is important. People underestimate the risks of not having privacy”, and added that the “more crypto everything becomes”, the more exposed we are.
Keep reading: