Researchers from Convex Labs and OMNIA Protocol have documented cases of IP address leaks on OpenSea and Metamask related to the transfer of non-fungible tokens (NFTs).
Nick Bax, head of research at the NFT subsidiary Convex Labs, tested how NFT marketplaces such as OpenSea allow resellers or attackers to collect IP addresses. He created a listing for a crossover of The Simpsons and South Park, titled “I right-clicked + saved your IP”, to prove that when the NFT listing is viewed, custom code is loaded that records the viewer’s IP address and shares it with the seller.
In a Twitter thread, Bax admitted that he “does not consider NFT to register my IP with OpenSea as a vulnerability” because it is only “the way it works.” It is important to remember that an NFT is essentially a piece of software code or digital data that can be transferred or retrieved. Very often, the image or actual asset is stored on a remote server, while only its source URL is stored on the chain. When an NFT is transferred to a blockchain address, the receiving crypto wallet retrieves the external image from the URL associated with the NFT.
Bax also explained the technical details in a Convex Labs Medium post: OpenSea allows NFT creators to add additional metadata that permits file extensions for HTML pages. If the metadata is stored as a JSON file on a decentralized storage network such as IPFS or on remote centralized cloud servers, OpenSea can download the image along with the “invisible image” pixel logger and host it on its own server. When a potential buyer views the NFT on OpenSea, it loads an HTML page and retrieves an invisible pixel that reveals the user’s IP address and other data such as geolocation, browser and operating system.
Analyst Alex Lupascu, co-founder of the privacy node service OMNIA Protocol, did his own research using the Metamask mobile app, with similar results. He discovered a liability that allows a seller to send an NFT to a Metamask wallet and obtain the user’s IP address. He published his own NFT on OpenSea and transferred ownership of the NFT to his Metamask wallet, concluding that it was a “serious privacy vulnerability”.
In a post on Medium, Lupascu described the potential implications of how “an attacker could create an NFT with an external image on his server and then upload the collection object to the (victim’s) blockchain address and obtain the IP address.” His concern is that if an attacker gathers a bunch of NFTs, directs them all to one URL and distributes them to millions of wallets, this could lead to a massive distributed denial-of-service (DDoS) attack. According to Lupascu, leakage of personal information can also lead to fraud.
It has also been suggested that a potential solution may be to require the user’s explicit consent before the external NFT image is fetched: Metamask or another wallet would prompt the user when someone on OpenSea or another exchange causes the external NFT image to be retrieved, and inform the user that their own IP address may be revealed.
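The consent gate described above can be sketched as a wallet-side policy over the NFT's metadata JSON. This is an added example, not code from Metamask, OpenSea or the researchers; the field names follow the common ERC-721 metadata JSON, while the policy, the gateway host `gateway.example` and the sample metadata are assumptions constructed for illustration.

```javascript
// Added example: decide, per metadata field, whether a wallet may fetch NFT media.
// Hypothetical policy; "gateway.example" and the sample metadata are constructed.
const MEDIA_FIELDS = ["image", "animation_url"];
const ACTIVE_EXT = /\.(html?|svg|js)$/i; // content that can run script or pull more resources

function classify(uri, trustedGateway) {
  if (typeof uri !== "string" || uri === "") return { action: "skip", reason: "no uri" };
  if (uri.startsWith("data:")) return { action: "render", reason: "inline data, no network request" };
  if (uri.startsWith("ipfs://")) {
    // Resolved via a gateway the wallet chose: the gateway, not the creator, sees the request.
    return { action: "fetch", via: trustedGateway, reason: "content-addressed" };
  }
  let url;
  try { url = new URL(uri); } catch { return { action: "block", reason: "unparseable uri" }; }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { action: "block", reason: "unsupported scheme " + url.protocol };
  }
  return { action: "ask", host: url.hostname, active: ACTIVE_EXT.test(url.pathname),
           reason: "request reaches a creator-controlled host and reveals the viewer's IP" };
}

function planMediaFetch(metadata, { consentedHosts = new Set(), trustedGateway = "gateway.example" } = {}) {
  const plan = {};
  for (const field of MEDIA_FIELDS) {
    if (!(field in metadata)) continue;
    const d = classify(metadata[field], trustedGateway);
    if (d.action === "ask") {
      if (d.active) d.action = "block";            // policy choice: no remote HTML/SVG, even with consent
      else if (consentedHosts.has(d.host)) d.action = "fetch"; // user already agreed to this host
    }
    plan[field] = d;
  }
  return plan;
}

// Constructed sample: an image and an HTML page served from the creator's own host.
const sample = {
  name: "constructed sample",
  image: "https://tracker.example/pixel.png",
  animation_url: "https://tracker.example/view.html",
};
console.log(planMediaFetch(sample));
console.log(planMediaFetch(sample, { consentedHosts: new Set(["tracker.example"]) }));
```

An `ask` result is where the wallet would show the consent prompt before any request leaves the device.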
Dan Finlay, CEO of Metamask, responded to Lupascu on Twitter, saying that although “the problem has been known for a long time”, they are now beginning work to fix it and improve users’ privacy and security.
On the same day, Vitalik Buterin also acknowledged offline privacy issues in Web3. In a recent episode of the UpOnly podcast, Buterin said that “the fight for more privacy is important. People underestimate the dangers of lack of privacy,” adding that “the more encrypted everything becomes, the more we are at risk.”