After finding itself embroiled in a controversy over insider trading, NFT marketplace OpenSea is getting some more bad press. The site had a critical security vulnerability that could have allowed hackers to steal users’ entire crypto wallets, according to security research firm Check Point Software.
Check Point said it first noticed reports of crypto wallets being stolen after their owners received airdropped NFTs, prompting the firm to investigate OpenSea. The investigation revealed critical security issues “that, if exploited, could have led hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs,” the company said.
The attack relied on user inattention and on the fact that OpenSea already generates a lot of pop-ups. If the victim received and viewed a malicious NFT sent by a hacker, it triggered a pop-up from OpenSea’s storage domain requesting a connection to the victim’s cryptocurrency wallet. Clicking on that pop-up gave the hacker access to the wallet and allowed them to generate a second pop-up. If the user also clicked on that one without noticing the note describing the transaction, the attacker could theoretically steal all of their funds.