Another top NFT marketplace may have a serious security flaw
A malicious NFT could wipe your wallet, experts warn
UPDATE: Rarible has shared an official response with TechRadar Pro:
"Having thoroughly analyzed the report provided by Check Point, our team has come to the conclusion that the identified vulnerability does not directly affect Rarible.com users, their wallets and their data.
The vulnerability could potentially affect users only in case they deliberately leave Rarible.com for a third-party resource with malicious content, and consciously sign suggested transactions with their wallets. Simply clicking the link is not enough and user interaction and confirmation for transactions is required.
Despite the fact that Rarible.com users and their funds are not directly affected by the vulnerability, our team is working on enhancing user security even on third-party resources. Rarible has been working closely with multiple cyber security teams including ChainSecurity to proactively ensure a safe experience for the NFT community.
We encourage users to stay vigilant, and pay attention to the websites they visit and transactions they sign to stay safe."
ORIGINAL STORY: A potentially major security flaw has been discovered on Rarible, a popular marketplace for non-fungible tokens (NFT), which could lead to users losing not just their NFTs, but also the cryptocurrencies right from their wallets.
A report from Check Point Research (CPR) identified a vulnerability that would allow a potential attacker to steal someone’s digital belongings in a single transaction. The worst part is that everything would happen on the marketplace itself, a place people would generally feel less suspicious.
According to CPRs report, the methodology is simple, and includes creating a “malicious NFT”. Should someone stumble upon it, and click on it, the malicious NFT would execute JavaScript code in an attempt to send a setApprovalForAll request to the victim.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
Malicious NFTs
In case the victim submits the requests, they’d grant the malicious NFT full access to their endpoint.
“In October last year, we discovered critical security flaws in OpenSea, the world's largest NFT marketplace. Now, we've identified similar vulnerabilities in Rarible,” commented Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“In terms of security, there is still a huge gap between Web2 and Web3 infrastructure. Any small vulnerability opens a backdoor for cybercriminals to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols are lacking a sound security practice. The implications following a crypto hack can be extreme. We've seen millions of dollars hijacked from users of marketplaces that combine blockchain technologies.”
Last year, Rarible has had more than $273 million in trading volume, making it one of the largest NFT marketplaces on the planet.
The company notified the marketplace of its discovery, and said it “believes Rarible will have deployed a fix by the time of this publication”. We have reached out to Rarible to see if that indeed is the case, and will update the article accordingly.
However, given that it’s Easter weekend, it could be a few days before we hear back from Rarible.
“Users currently need to manage two types of wallets: one for most of their crypto and another just for specific transactions,” Vanunu continued.
“Should the wallet for specific transactions become compromised, users can still be in a position where they don’t lose everything."
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.