www.vice.com
151.101.65.132
URL:
https://www.vice.com/en/article/xgdvaz/nft-steal-ip-address-opensea
Submission: On January 28 via api from US — Scanned from DE
This NFT on OpenSea Will Steal Your IP Address

The NFT shows how viewers of NFTs on marketplaces like OpenSea may unexpectedly expose their data.

by Joseph Cox, January 27, 2022, 2:00pm

Image: Nick Bax

NFTs are usually passive affairs. A consumer buys the token, and then sells or stores the NFT. The NFT doesn't really do anything. Some new NFTs are being used to harvest viewers' IP addresses, though, in a demonstration of how NFT marketplaces like OpenSea allow vendors, or attackers, to load custom code when someone simply views an NFT listing.

"We've been researching a lot of problems in the NFT space (with more of a focus on fraud) and one of the things we were playing around with was different XSS attacks on websites that display NFTs, which is when I realized we could get OpenSea to load HTML pages," Nick Bax, head of research at NFT organization Convex Labs, told Motherboard in an online chat. XSS refers to cross-site scripting, one of several kinds of attack that an NFT could be used to deliver.
Bax and a team of engineers and contributors are working on multiple NFTs that harvest people's IP addresses. One, which includes a Simpsons and South Park crossover image, surreptitiously collects the viewer's IP address and stores it in a panel for Bax to view later. "I just right click + saved your IP address," the description for the NFT on OpenSea reads.

Another NFT displays the viewer's IP address back at them in the NFT itself while they view it on OpenSea. Motherboard verified this by loading the item's OpenSea listing; it correctly displayed the IP address of a VPN server used by Motherboard. "Total visitors logged: 85," the NFT read at the time of writing.

Of course, websites often collect and store visitors' IP addresses by virtue of how the sites function. OpenSea itself likely collects the IP addresses of visitors, like plenty of other sites, apps, or services. But here, an outside third party (the NFT seller) is able to gather information on the people viewing the NFT, potentially without them knowing.

Armed with an IP address, an attacker can first work out a viewer's coarse location, usually at least down to the city they are connecting from. Attackers can then use that information to try to dig up other details, such as potentially the viewer's real name or physical address, if that data has been stored elsewhere or included in a previous breach from another site.

The issue is that OpenSea lets NFT sellers add an "animation_url" to the NFT's metadata, Bax explained in a tweet, and that animation_url supports HTML files. The HTML file in this data-grabbing NFT includes a commonly used IP-harvesting snippet from a site called IPlogger.org, he added. Because the HTML is rendered in the viewer's browser, any resource it references is requested by the viewer's own device, so the request reaches the third party's server carrying the viewer's IP address and browser headers rather than OpenSea's.
Last week, Alex Lupascu, co-founder of privacy and blockchain company Omnia, described how his team discovered that the popular cryptocurrency wallet MetaMask had an issue where an attacker could mint an NFT and then send it to a victim to obtain their IP address. In that demonstration, the token directed the user's wallet to a server that served the image the wallet displays. Because NFTs usually only contain a URL pointing to a server that holds the actual image, rather than the image itself, Lupascu devised a setup where an attacker controls this server and harvests the user's IP address when the wallet fetches the image. According to Lupascu, this could in theory be used to launch a distributed denial of service attack that overloads a specific URL with traffic. MetaMask founder Daniel Finlay later said they were starting work to fix the issue raised by Lupascu.

For OpenSea and these new NFTs, Bax said in a tweet that he himself doesn't consider OpenSea allowing this sort of activity to be a vulnerability in OpenSea, so he didn't contact the company to disclose the issue. OpenSea did not respond to Motherboard's request for comment.
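The two demonstrations above share one mechanism: token metadata points at a URL, and the viewer's own browser or wallet fetches it, so whoever runs that host sees the viewer's IP address. The following is an added example, not code from OpenSea, MetaMask, Omnia or Convex Labs, of a metadata audit a marketplace or wallet could run before rendering a token. The field list, the allowlisted hosts (`media-proxy.example`, `ipfs.io`), the `.html` extension heuristic and the three sample tokens are all assumptions constructed for the example.

```javascript
// Added example (not OpenSea, MetaMask or Convex Labs code): audit token metadata
// for URLs that the viewer's client will dereference. Whoever controls such a
// host sees the viewer's IP address and request headers, which is the mechanism
// behind both the animation_url HTML and the wallet image fetch described above.

// Metadata fields that marketplaces and wallets commonly fetch automatically when
// rendering a token. Assumption: follows the widely used OpenSea metadata fields;
// other clients may dereference additional fields.
const AUTO_FETCHED_FIELDS = ["image", "image_url", "animation_url"];

// Hosts treated as not minter-controlled. Constructed allowlist for the example:
// the client's own media proxy/CDN and the public IPFS gateway it resolves through.
const TRUSTED_HOSTS = new Set(["media-proxy.example", "ipfs.io"]);

// Classify a metadata URL by how a client would resolve it.
function classifyUrl(raw) {
  // Content-addressed URIs are resolved through a gateway chosen by the client,
  // so the minter only learns the viewer's address if that gateway is theirs.
  if (/^(ipfs|ar):\/\//i.test(raw)) return { kind: "content-addressed" };
  // Inline data URIs trigger no network request at all.
  if (/^data:/i.test(raw)) return { kind: "inline" };
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { kind: "invalid" };
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return { kind: "other" };
  return { kind: "http", host: u.hostname.toLowerCase(), path: u.pathname.toLowerCase() };
}

// Returns one finding per auto-fetched field that points at an untrusted HTTP(S) host.
function auditMetadata(metadata, trustedHosts = TRUSTED_HOSTS) {
  const findings = [];
  for (const field of AUTO_FETCHED_FIELDS) {
    const value = metadata[field];
    if (typeof value !== "string") continue;
    const c = classifyUrl(value);
    if (c.kind !== "http" || trustedHosts.has(c.host)) continue;
    // The extension is only a heuristic: a server can return text/html from any
    // path. A real pipeline should HEAD the URL from its own infrastructure, never
    // from the viewer's device, and check the Content-Type.
    const looksLikeHtml = field === "animation_url" && /\.html?$/.test(c.path);
    findings.push({
      field,
      host: c.host,
      severity: looksLikeHtml ? "high" : "medium",
      reason: looksLikeHtml
        ? "HTML document rendered in the viewer's browser; it can load third-party trackers or run script"
        : "resource fetched directly by the viewer's client from a minter-controlled host, exposing the viewer's IP address",
    });
  }
  return findings;
}

// Constructed sample metadata (not real tokens).
const BENIGN_TOKEN = {
  name: "Example #1",
  image: "ipfs://bafybeiexample/1.png",
};
// Pattern from the OpenSea demonstration: animation_url points at minter-served HTML.
const HARVESTER_TOKEN = {
  name: "I just right click + saved your IP address",
  image: "https://media-proxy.example/preview/42.png",
  animation_url: "https://nft-host.example/viewer.html",
};
// Pattern from the MetaMask demonstration: the image itself lives on the attacker's server.
const WALLET_LEAK_TOKEN = {
  name: "Airdrop",
  image: "https://tracker.example/img/7.png",
};

function runAudit() {
  return {
    benign: auditMetadata(BENIGN_TOKEN),
    harvester: auditMetadata(HARVESTER_TOKEN),
    walletLeak: auditMetadata(WALLET_LEAK_TOKEN),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runAudit(), null, 2));
}
```

Routing image fetches through the client's own proxy or CDN, which the allowlist above models, closes the wallet-style leak because the minter's server only ever sees the proxy's address. It does not help for an HTML animation_url: once the document is rendered, its subresource requests originate from the viewer's browser, so the remaining options are to refuse untrusted HTML entirely or to serve it only from the marketplace's own origin inside a sandboxed frame with a Content-Security-Policy that blocks outbound requests.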