NFTs may reveal users’ IP addresses

Several researchers have reported that while users collect NFTs, NFTs in turn collect and can reveal users’ IP addresses.

The non-fungible token (NFT) marketplace OpenSea and the Metamask cryptocurrency wallet have documented several leaks of IP addresses associated with transferred NFTs. This was reported by specialists from the Convex Labs organization and the developers of the OMNIA protocol.

Nick Bax, head of research at Convex Labs, looked into how NFT marketplaces like OpenSea allow third parties (service providers, hackers, etc.) to collect IP addresses. To do this, he created an NFT image, which he called “I just right-clicked and saved your IP address”, in order to prove that when viewing an NFT for sale, a custom code is downloaded that copies the IP address of the one who views it, and send to the supplier.

It is important to remember that NFTs are program codes or digital data that can be added and extracted. Very often, the image or asset itself is stored on a remote server, and only its URL is present in the chain. When transferring NFTs to a blockchain address, the recipient’s cryptocurrency wallet retrieves the deleted image at its associated URL.

Bax said that OpenSea allows NFT creators to different file extensions for HTML pages. If the metadata is stored as a json file in a decentralized storage network such as IPFS or a remote decentralized cloud server, OpenSea can upload the image along with the invisible pixel logger and host it on its own server. So, when a potential buyer views NFT on OpenSea, an HTML page is loaded and an invisible pixel is retrieved, revealing the user’s IP address and other data such as location, browser version, and operating system.

OMNIA Protocol co-founder Alex Lupascu, an analyst, conducted his own investigation, but in relation to the Metamask mobile app, and came to the same conclusions as Bax.

He discovered a liability that allows the provider to send NFT to the Metamask wallet and get the user’s IP address. He created his own NFT on OpenSea and airdropped ownership of the NFT to his Metamask wallet and concluded that he had discovered a “critical privacy vulnerability”.

His concern is that if an attacker collects a collection of NFTs, directs them all to one URL, and distributes them to millions of wallets, it could lead to a large-scale DDoS attack. According to Lupascu, the leakage of personal data can also lead to kidnapping.

You might also be interested to know that iOS 14.5 will hide users’ IP from Google, and that Researchers found that it is possible to monitor browser users even with JavaScript disabled.