NFTs are usually passive affairs. A consumer buys the token, and then sells or stores the NFT. The NFT doesn’t really do anything.
Some new NFTs are being used to harvest viewers’ IP addresses, though, in a demonstration of how NFT marketplaces like OpenSea allow vendors, or attackers, to load custom code when someone simply views an NFT listing.
“We've been researching a lot of problems in the NFT space (with more of a focus on fraud) and one of the things we were playing around with was different XSS attacks on websites that display NFTs which is when I realized we could get OpenSea to load HTML pages,” Nick Bax, head of research at NFT organization Convex Labs, told Motherboard in an online chat. XSS refers to cross-site scripting attacks, one of several kinds of attack that an NFT could be used to carry out.
Bax and a team of engineers and contributors are working on multiple NFTs that harvest people’s IP addresses. One, which includes a Simpsons and South Park crossover image, surreptitiously collects the viewer’s IP address and stores it in a panel for Bax to view later.
“I just right click + saved your IP address,” the description for the NFT on OpenSea reads.
Another NFT displays the viewer’s IP address back at them in the NFT itself while viewing it on OpenSea. Motherboard verified this by loading the item’s OpenSea listing; it correctly displayed the IP address of a VPN server used by Motherboard.
“Total visitors logged: 85,” the NFT read at the time of writing.
Of course, websites routinely collect and store visitors’ IP addresses by virtue of how the sites function. OpenSea itself likely collects the IP addresses of visitors, like plenty of other sites, apps, or services. But here an outside third party, the NFT seller, is able to gather information on the people viewing the NFT, potentially without them knowing.
Armed with an IP address, an attacker can first work out a viewer’s rough location, typically down to the city they are connecting from (or, if the viewer is on a VPN, the location of the VPN server, which is what Motherboard’s own test returned). The attacker can then use that to dig up further details, such as a real name or physical address, if the same IP address appears in data stored elsewhere or in a previous breach of another site.
The issue is that OpenSea lets NFT sellers add an “animation_url” to the NFT’s metadata, Bax explained in a tweet, and that animation_url can point at an HTML file. When someone opens the listing, their browser loads that HTML page from wherever the seller hosts it, so the seller’s server sees the viewer’s IP address. The HTML file in this data-grabbing NFT includes a commonly used IP-logging snippet from a site called IPlogger.org, he added.
Last week, Alex Lupascu, co-founder of privacy and blockchain company Omnia, described how his team found that the popular cryptocurrency wallet MetaMask had an issue where an attacker could mint an NFT and send it to a victim to obtain their IP address. In that demonstration, the token pointed the user’s wallet at a server holding the image the wallet displays. Because NFTs usually contain only a URL pointing to a server that holds the actual image, rather than the image itself, Lupascu set up a server he controlled and harvested the user’s IP address when the wallet fetched the image from it. According to Lupascu, the same behaviour could in theory be used to launch a distributed denial of service attack that overloads a specific URL with traffic, since every wallet that renders the token fetches from that URL.
MetaMask founder Daniel Finlay later said they were starting work to fix the issue raised by Lupascu.
As for OpenSea and these new NFTs, Bax said in a tweet that he does not himself consider OpenSea allowing this sort of activity to be a vulnerability in OpenSea, so he did not contact the company to disclose it. OpenSea did not respond to Motherboard’s request for comment.