Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Check Point Research Prevents Theft of Crypto Wallets on OpenSea, the World’s Largest NFT Marketplace

Check Point Research, posted 4 years ago
  • During the week, a few people had their crypto wallets completely drained. This mainly happened on free gift schemes. As a result, some people decided to take a look into what was going on.
  • OpenSea allows anyone to create art and sell it on its marketplace. The art can be any file ending in one of the following extensions: JPG, PNG, GIF, SVG, MP4, WEBM, MP3, WAV, OGG, GLB, GLTF. When you go to the asset's page, this image is displayed on the website.
  • SVGs are much more powerful than they should be. Hence, many sites, such as Flickr, do not host them. SVGs can execute JavaScript, by design. Do you see where I'm going here?
  • By creating a malicious SVG to be stored on OpenSea, the website would render this for us! Since it used our SVG, this gives us JavaScript execution in the context of their website (XSS).
  • Since this website is supposed to interact with the crypto wallet, you would already have granted it access in your browser plugin, such as MetaMask. With code execution in the context of the page, we could call the MetaMask APIs to transfer funds!
  • Initially, the ethereum object was not present in the page. But by sending an SVG with an iframe in the middle of it, the ethereum object gets loaded, which allows the plugin APIs to be used.
  • The user needs to approve the operation. However, since the operation is coming from OpenSea directly, they would likely accept the transfer. The request itself looks benign, a simple wallet signing request.
  • Users should note that OpenSea does not request wallet approval for viewing or clicking third party links. Such activity is highly suspicious and users should not interact with wallet approvals that are unrelated to OpenSea specific actions such as buying, making an offer, liking an image.
  • This is a fascinating attack that combined the crypto and web worlds. Good findings from Checkpoint!
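A defender-side check for the SVG trick described above, added here as an example (not Check Point's or OpenSea's code): it parses an uploaded SVG and flags the constructs that would give the file script execution in the page's origin, which is the condition the attack needed. The function names, the tag list and the sample SVGs are my own constructions.

```python
# Added defensive example (not Check Point's or OpenSea's code): flag the SVG
# constructs that would give an uploaded file script execution in the page's
# origin. Uses the standard library; production code should parse with
# defusedxml, which protects against entity-expansion attacks.
import xml.etree.ElementTree as ET

# Elements that can run script or embed another document inside an SVG.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes that turn an href/src into executable or inline content.
ACTIVE_SCHEMES = {"javascript", "vbscript", "data"}

def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG is unsafe to render inline; an empty list means clean."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():  # document order, root included
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # handles xlink:href as well as plain href
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in {"href", "src"}:
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ACTIVE_SCHEMES:
                    findings.append(f"{scheme}: URL in {name} on <{tag}>")
    return findings

def is_safe_to_render_inline(svg_bytes: bytes) -> bool:
    """Gate for an upload handler: accept only SVGs with no active content."""
    return not find_active_content(svg_bytes)

# Constructed samples: a plain shape, and the kinds of files the notes describe.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* marker */</script></svg>'
IFRAME_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
              b'<iframe xmlns="http://www.w3.org/1999/xhtml" src="https://example.invalid/"/>'
              b'</foreignObject></svg>')
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" onload="marker()"/></svg>'
```

Rejecting active content narrows the exposure, but the robust fix is to serve user-supplied files from a separate origin (or as downloads) so that anything they contain never runs in the marketplace's own context.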