
NFTs may reveal users’ IP addresses

Several researchers have reported that while users collect NFTs, NFTs in turn collect and can reveal users’ IP addresses.

The non-fungible token (NFT) marketplace OpenSea and the Metamask cryptocurrency wallet have documented several leaks of IP addresses associated with transferred NFTs. This was reported by specialists from the Convex Labs organization and the developers of the OMNIA protocol.

Nick Bax, head of research at Convex Labs, looked into how NFT marketplaces like OpenSea allow third parties (service providers, hackers, etc.) to collect IP addresses. To do this, he created an NFT image, which he called “I just right-clicked and saved your IP address”, to prove that viewing an NFT listed for sale downloads custom code that copies the viewer’s IP address and sends it to the supplier.

“I don’t consider IP fixing in OpenSea to be a vulnerability because ‘that’s how it works’,” Nick Bax said.

It is important to remember that NFTs are program code or digital data that can be added and extracted. Very often, the image or asset itself is stored on a remote server, and only its URL is present on the chain. When an NFT is transferred to a blockchain address, the recipient’s cryptocurrency wallet retrieves the remote image from its associated URL.

Bax said that OpenSea allows NFT creators to use different file extensions for HTML pages. If the metadata is stored as a JSON file in a decentralized storage network such as IPFS or on a remote decentralized cloud server, OpenSea can upload the image along with the invisible pixel logger and host it on its own server. So, when a potential buyer views the NFT on OpenSea, an HTML page is loaded and an invisible pixel is retrieved, revealing the user’s IP address and other data such as location, browser version, and operating system.
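The exposure described above depends on which URLs a token's metadata makes the viewer's client fetch. As an added example (not code from OpenSea, Metamask or the researchers), this Python script audits a metadata document and reports which hosts would learn the viewer's IP address on a direct fetch, so a wallet or marketplace can proxy or block them. The field names are assumed from the common ERC-721 metadata JSON convention, and the sample hosts and CID are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Field names assumed from the common ERC-721 metadata JSON convention.
URL_FIELDS = ("image", "animation_url", "external_url")


def classify(url):
    """Describe what a client reveals by fetching `url` without a proxy."""
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    path = parsed.path.lower()
    # "active": the content is HTML, which can load further remote
    # resources (for example an invisible pixel) once rendered.
    active = path.endswith((".html", ".htm"))
    if scheme == "data":
        # Inline payload: no request is made for the asset itself.
        return {"exposure": "none", "host": None,
                "active": path.startswith("text/html")}
    if scheme == "ipfs":
        # Content-addressed: the gateway operator sees the request.
        return {"exposure": "gateway", "host": None, "active": active}
    if scheme in ("http", "https") and parsed.hostname:
        # The named host logs the viewer's IP address and request headers.
        return {"exposure": "direct", "host": parsed.hostname,
                "active": active}
    return {"exposure": "unknown", "host": None, "active": False}


def audit(metadata):
    """Map each URL-bearing field that is present to its classification."""
    return {field: classify(metadata[field])
            for field in URL_FIELDS
            if isinstance(metadata.get(field), str)}


def third_party_hosts(metadata):
    """Hosts that would learn the viewer's IP if the wallet fetched directly."""
    return {f["host"] for f in audit(metadata).values()
            if f["exposure"] == "direct"}


# Constructed sample metadata; hosts and CID are placeholders.
SAMPLE = json.loads("""{
  "name": "Constructed sample token",
  "image": "https://tracker.example/pixel.png?id=42",
  "animation_url": "https://cdn.example/view/card.HTML",
  "external_url": "ipfs://examplecid/info.json"
}""")

if __name__ == "__main__":
    for field, finding in audit(SAMPLE).items():
        print(field, finding)
```

Fields reported as `direct` are the ones to route through a caching proxy or hide until the user opts in; fields marked `active` need the same treatment for every resource the HTML loads.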


OMNIA Protocol co-founder and analyst Alex Lupascu conducted his own investigation, this time of the Metamask mobile app, and came to the same conclusions as Bax.

He discovered an issue that allows a provider to send an NFT to a Metamask wallet and obtain the user’s IP address. He created his own NFT on OpenSea, airdropped ownership of the NFT to his Metamask wallet, and concluded that he had discovered a “critical privacy vulnerability”.

“An attacker can create an NFT with a remote image on his server, and then add it to the blockchain with an airdrop and get an IP address,” Alex Lupascu said.

His concern is that if an attacker assembles a collection of NFTs, points them all at one URL, and distributes them to millions of wallets, it could lead to a large-scale DDoS attack. According to Lupascu, the leakage of personal data can also lead to kidnapping.

Metamask CEO Dan Finlay responded to Lupascu on Twitter that “the issue has been known for a long time” but that they are only now starting work on fixing it and improving user security and privacy.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
