This proof-of-concept NFT can sweep the IP addresses of unsuspecting users


Both OpenSea and Metamask have recorded instances of IP address leaks associated with NFT forwarding, according to researchers from Convex Labs and OMNIA Protocol.

Nick Bax, head of research at the NFT organization Convex Labs, tested how NFT marketplaces like OpenSea allow vendors or attackers to harvest IP addresses. He created a listing for a Simpsons and South Park crossover image and titled it “I just right click + saved your IP address” to prove that when the NFT listing is viewed, it loads custom code that logs the viewer’s IP address and shares it with the seller.

In a Twitter thread, Bax admitted that he “doesn’t consider my OpenSea IP logging NFT a vulnerability” because that’s just “the way it works”. It’s important to remember that NFTs are essentially a piece of software code or digital data that can be pushed or pulled. It is quite common for the actual image or asset to be stored on a remote server, while only the asset URL is on-chain. When an NFT is transferred to a blockchain address, the receiving crypto wallet retrieves the remote image from the URL associated with the NFT.

Bax further explained the technical details in a Convex Labs Medium article: OpenSea allows NFT creators to add additional metadata that enables file extensions for HTML pages. If the metadata is stored as a JSON file on a decentralized storage network such as IPFS or on remote centralized cloud servers, then OpenSea can download the image along with an “invisible image” pixel logger and host it on its own server. So when a potential buyer views the NFT on OpenSea, they load the HTML page and retrieve the web beacon, which reveals the user’s IP address and other data such as geolocation, browser version, and operating system.

Analyst Alex Lupascu, co-founder of privacy node service OMNIA Protocol, conducted his own research on the Metamask mobile app, with similar results. He discovered a liability that allows a provider to send an NFT to a Metamask wallet and obtain a user’s IP address. He created his own NFT on OpenSea, transferred ownership of the NFT via airdrop to his Metamask wallet, and concluded that he had discovered a “critical privacy vulnerability”.

In a Medium post, Lupascu described the potential consequences: a “malicious actor can create an NFT with the remote image hosted on their server, then drop that collectible on a blockchain address (victim) and get their IP address”. His concern is that if an attacker gathers a collection of NFTs, points them all to a single URL, and drops them on millions of wallets, it could lead to a large-scale distributed denial of service (DDoS) attack. The leak of personal data can also lead to kidnappings, according to Lupascu.

He also suggested that a potential solution could be to require the user’s explicit consent before the remote image of an NFT is retrieved: Metamask or any other wallet would tell the user that someone on OpenSea or another exchange is retrieving the remote image from the NFT, and inform the user that their IP address may be exposed.
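
The consent step proposed above, as an added JavaScript example (not code from MetaMask, OpenSea or either researcher): a hypothetical wallet-side helper classifies each media URI in an NFT's metadata and withholds remote fetches until the user has approved the host. The function names, the `image`/`animation_url` field layout, the gateway URL and the sample metadata are assumptions made for illustration.

```javascript
// Hypothetical wallet-side consent gate for NFT media (added example).
// Assumed metadata layout: `image` and `animation_url` fields holding URIs.
const INLINE_IMAGE = /^data:image\/(png|jpeg|gif|webp);base64,/i;
const IPFS_URI = /^ipfs:\/\/\S+$/i;

// Classify a media URI by who would see the viewer's request if it were loaded.
function classifyMediaUri(uri) {
  if (typeof uri !== 'string' || uri.trim() === '') return 'invalid';
  if (INLINE_IMAGE.test(uri)) return 'inline';   // bytes are in the metadata, no request
  if (IPFS_URI.test(uri)) return 'gateway';      // resolved through the wallet's gateway
  let parsed;
  try { parsed = new URL(uri); } catch { return 'invalid'; }
  if (parsed.protocol === 'http:' || parsed.protocol === 'https:') return 'remote';
  return 'blocked';                              // data:text/html, javascript:, file:, ...
}

// Decide, per metadata field, what the wallet may do before any request is sent.
// `consentedHosts` holds the remote hosts the user has explicitly approved.
function planMediaFetch(metadata, { gateway, consentedHosts = new Set() }) {
  const plan = [];
  for (const field of ['image', 'animation_url']) {
    if (!(field in metadata)) continue;
    const uri = metadata[field];
    const kind = classifyMediaUri(uri);
    if (kind === 'inline') {
      plan.push({ field, action: 'render' });
    } else if (kind === 'gateway') {
      plan.push({ field, action: 'fetch', url: gateway + uri.slice('ipfs://'.length) });
    } else if (kind === 'remote') {
      // A creator-chosen host would learn the IP address and browser details.
      const host = new URL(uri).host;
      const action = consentedHosts.has(host) ? 'fetch' : 'ask-consent';
      plan.push({ field, action, host, url: uri });
    } else {
      plan.push({ field, action: 'block' });
    }
  }
  return plan;
}

// Constructed sample metadata (not taken from any real token).
const sampleMetadata = {
  image: 'ipfs://ExampleCid/cover.png',
  animation_url: 'https://media.example.net/token/1.html',
};
const walletGateway = 'https://gateway.wallet.example/ipfs/'; // placeholder gateway
console.log(planMediaFetch(sampleMetadata, { gateway: walletGateway }));
```

An HTML document behind `animation_url` can itself pull in further resources, so a wallet would still need to sandbox what it renders after consent is given.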

Dan Finlay, CEO of Metamask, responded to Lupascu on Twitter stating that although “the problem has been known for a long time”, they are now starting to work to resolve it and improve user security and privacy.

On the same day, even Vitalik Buterin acknowledged the off-chain privacy challenges within Web3. In a recent UpOnly podcast episode, Buterin said “the fight for more privacy is important. People underestimate the risks of no privacy,” adding that the more “everything becomes crypto-y,” the more we are exposed.