This proof of concept NFT can swipe unsuspecting users' IP addresses

Published at: Jan. 27, 2022

Both OpenSea and Metamask have logged cases of IP address leaks associated with transferring NFTs, according to researchers at Convex Labs and OMNIA protocol.

Nick Bax, head of research at NFT organization Convex Labs tested out how NFT marketplaces like OpenSea allow vendors or attackers to harvest IP addresses. He created a listing for a Simpsons and South Park crossover image, entitling it “I just right click + saved your IP address” to prove that when the NFT listing is viewed, it loads custom code that logs the viewer's IP address and shares it with the vendor.

This NFT logs your IP address:https://t.co/hB34JuJLH9

— bax.eth (@bax1337) January 24, 2022

In a Twitter thread, Bax admitted that he "does not consider my OpenSea IP logging NFT to be a vulnerability" because that is simply "the way it works." It's important to remember that NFTs are at their core a piece of software code or digital data that can be pushed or pulled. It is quite common for the actual image or asset to be stored on a remote server, while only the asset's URL is on-chain. When an NFT is transferred to a blockchain address, the receiving crypto wallet fetches the remote image from the URL associated with the NFT.

Bax further explained the technical details in a Convex Labs Medium post that OpenSea allows NFT creators to add additional metadata that enables file extensions for HTML pages. If the metadata is stored as a json file on a decentralized storage network such as IPFS or on remote centralized cloud servers, then OpenSea can download the image as well as an “invisible image” pixel logger and host it on its own server. Thus when a potential buyer views the NFT on OpenSea, it loads the HTML page and fetches the invisible pixel that reveals a user’s IP address and other data like geolocation, browser version and operating system.

Analyst Alex Lupascu, co-founder of the privacy node service OMNIA Protocol, conducted his own research with the Metamask mobile app with similar effects. He discovered a liability that allows a vendor to send an NFT to a Metamask wallet and obtain a user's IP address.  He minted his own NFT on OpenSea and transferred the ownership of the NFT via airdrop to his Metamask wallet, and concluded finding a "critical privacy vulnerability." 

My team and I discovered a critical privacy #vulnerability in the most popular #crypto #wallet.Are you using MetaMask ?Well, I have bad news for you - your #privacy is at risk!@samczsun @gakonst @VitalikButerin @cz_binance @phildaian https://t.co/ar30UMzR1G

— Alex Lupascu (@alxlpsc) January 20, 2022

Related: MetaMask’s new inbuilt multichain institutional custody feature

In a Medium post, Lupascu described the potential consequences of how a "malicious actor can mint an NFT with the remote image hosted on his server, then airdrop this collectible to a blockchain address (victim) and obtain his IP address." His concern is that if an attacker gathers a collection of NFTs, points all of them to a single URL and airdrops them to millions of wallets, then it could result in a large scale distributed denial-of-service, or DDoS attack. Having personal data leaked can also lead to kidpnapping, according to Lupascu. 

He also suggested a potential solution could be requiring explicit user consent when it comes to fetching the remote image of the NFT: Metamask or any other wallet would prompt the user that someone on OpenSea or another exchange is fetching the remote image of the NFT, and informing the user that his or her IP address may be exposed.

Dan Finlay, CEO of Metamask, responded to Lupascu on Twitter stating that even though "the issue has been known for a long time" they are now starting work to fix it and improve user safety and privacy.

That same day, even Vitalik Buterin recognized the challenges of off-chain privacy within Web3. On a recent UpOnly podcast episode, Buterin said that "the fight for more privacy is an important one. People are underestimating the risks of no privacy," adding that the "more crypto-y everything becomes," the more exposed we are.

Tags
Blockchain
Nft
Marketplace
Mobile Wallet
Privacy
Ip Addresses
Related Posts
Christie’s auctions its first purely digital artwork in form of blockchain token
British auction house Christie’s has announced the auction of its first ever “purely digital work of art." Announcing the news Tuesday, Christie’s said that the nonfungible token artwork will be issued in partnership with major NFT marketplace MakersPlace. Dubbed “Everydays: The First 5000 Days,” the piece was created by Mike Winkelmann, who goes by the name "Beeple." According to the official page of the NFT auction, the starting price for the work, which interested parties can bid on from Feb. 25 until March 11, is just $100. “Minted exclusively for Christie’s in February 2021, this monumental digital collage marks the …
Artists / Feb. 16, 2021
Rarible integrates with Tezos blockchain and launches own NFT collection
NFT marketplace Rarible officially launched its integration with proof-of-stake blockchain Tezos pm Thursday. This collaboration will allow Rarible to feature Tezos NFTs on its marketplace and support secondary sales of live Tezos projects while enabling users to mint low-fee NFTs. Rarible’s integration with Tezos marks the third layer 1 blockchain supported by the platform, alongside Ethereum and Flow, Dapper Labs’ blockchain network that powers NBA Top Shot. In Rarible’s effort to build a multi-chain platform to consolidate the NFT space, integrations with Solana and Polygon are next, according to Rarible CEO Alexei Falin, who told Cointelegraph: “Rarible firmly believes that …
Blockchain / Dec. 15, 2021
OpenSea disables features temporarily as contract migration completes
The week-long period that OpenSea gave users to migrate their nonfungible token (NFT) listings ends today. Following the deadline, the platform announced that some features on the site may not be available temporarily due to the migration. On Feb. 19, OpenSea pushed a new smart contract and urged users to start the migration of their NFT listings from the old contract to the new one. The NFT marketplace mentions that the upgrade brings new features such as bulk listings and more descriptive signatures while ensuring that all inactive listings expire. However, hours after the announcement, the platform reported phishing attacks …
Blockchain / Feb. 25, 2022
ENS domains surpass BAYC’s trading volume: Nifty Newsletter, Aug 31–Sept 6
In this week’s nonfungible token (NFT) newsletter, read about OpenSea and its commitment to the Ethereum Merge. Check out a project that aims to introduce Web3 to the opera scene and how ENS domains surpassed Bored Apes in terms of trading volume. In other news, learn about how the NFT giveaway of Rug Pull Finder was exploited. And, don’t forget about this week’s Nifty News roundup featuring how American actor Bill Murray’s wallet was attacked after his NFT drop. OpenSea says marketplace won’t support forked NFTs post-Merge NFT platform OpenSea has announced that it will not be supporting NFTs on …
Blockchain / Sept. 7, 2022
How to create NFTs on the Cardano blockchain
Cardano is a proof-of-stake (PoS) platform launched in September 2017 by Ethereum co-founder Charles Hoskinson. In September 2021, Cardano added support for smart contracts, which paved the way for developing decentralized finance (DeFi) and nonfungible token (NFT) applications. NFTs landed on Cardano’s blockchain in 2022, with Cardano’s native cryptocurrency ADA (ADA) utilized to buy and sell them. The deployment of smart contracts on Cardano allowed the creation of NFT marketplaces, including CNFT.IO and Jpg.store. These marketplaces facilitate NFT projects on Cardano in a cost-effective and scalable way, attracting many enthusiasts seeking a user-friendly platform for creators and traders with low-cost …
Blockchain / Feb. 22, 2023