[ad_1]
According to researchers at Convex Labs and OMNIA Protocol, both OpenSea and Metamask have documented cases of IP address leaks associated with transmitting NFTs.
Nick Bax, research director at NFT group Convex Labs, tested how NFT marketplaces such as OpenSea could allow vendors or attackers to obtain IP addresses. He created a list for crossover images of The Simpsons and South Park, titled “I just right click + save your IP address” to prove that when viewing the NFT list, it loads the record viewer IP address and share with others custom code vendors.
This NFT records your IP address:https://t.co/hB34JuJLH9
-bax.eth (@bax1337) January 24, 2022
In a Twitter post, Bax admitted that he “doesn’t think my OpenSea IP record NFT is a bug” because that’s just “how it works.” It’s important to remember that at the core of an NFT is a piece of software code or digital data that can be pushed or pulled. It’s common for the actual image or asset to be stored on a remote server, while only the asset’s URL is on-chain. When the NFT is transferred to the blockchain address, the receiving crypto wallet fetches the remote image from the URL associated with the NFT.
further bacchus explain Technical details in Convex Labs Medium post that OpenSea allows NFT creators to add Additional metadata Enable file extensions for HTML pages. If the metadata is stored in the form of json files on a distributed storage network such as IPFS or on a remote centralized cloud server, OpenSea can download the image along with the “invisible image” pixel recorder and host it on its own server. So when a potential buyer views an NFT on OpenSea, it loads an HTML page and grabs invisible pixels that display the user’s IP address and other data such as geographic location, browser version, and operating system.
Analyst Alex Lupascu, co-founder of privacy node service OMNIA Protocol, conducted his own research on the Metamask mobile app with similar effects. He uncovered a liability that allowed vendors to send NFTs to Metamask wallets and obtain users’ IP addresses. He minted his own NFTs on OpenSea and transferred ownership of the NFTs to his Metamask wallet via an airdrop, eventually discovering a “serious privacy hole.”
My team and I discovered an important privacy #vulnerability in the most popular #cryptocurrency #wallet.
Are you using MetaMask?
Well, I have bad news for you – yours #privacy risky!@samczsun @gakonst @VitalikButerin @cz_binance @phildaian https://t.co/ar30UMzR1G– Alex Lupascu (@alxlpsc) January 20, 2022
Related: MetaMask’s new built-in multi-chain institutional custody feature
In a Medium post, Lupascu described how “a malicious actor could mint an NFT using a remote image hosted on his server, then airdrop this collectible to a blockchain address (the victim) and obtain his IP address” potential consequences. His concern is that if an attacker collects a collection of NFTs, points them all to a single URL and airdrops them to millions of wallets, it could lead to a massive distributed denial of service or DDoS attack. Personal data breaches could also lead to kidnappings, Lupascu said.
He also suggested that a potential solution might be to require explicit consent of the user when acquiring the remote image of the NFT: Metamask or any other wallet would alert the user that someone on OpenSea or another exchange is acquiring the remote image of the NFT, and notify the user His or her IP address may be leaked.
Dan Finlay, CEO of Metamask, respond Speaking to Lupascu on Twitter, although “this issue has been known for a long time,” they are now working on fixing it and improving user security and privacy.
On the same day, even Vitalik Buterin was aware of the challenges of off-chain privacy in Web3. On a recent UpOnly podcast episode, Buterin said “the fight for more privacy is an important fight. People underestimate the risks of not having privacy”, adding that “the more encrypted everything becomes,” the more exposed we are.
[ad_2]
Source link
