Another top NFT marketplace may have a serious security flaw


UPDATE: Rarible has shared an official response with TechRadar Pro:

"Having thoroughly analyzed the report provided by Check Point, our team has come to the conclusion that the identified vulnerability does not directly affect Rarible.com users, their wallets and their data.

The vulnerability could potentially affect users only in case they deliberately leave Rarible.com for a third-party resource with malicious content, and consciously sign suggested transactions with their wallets. Simply clicking the link is not enough; user interaction and confirmation of transactions are required.

Despite the fact that Rarible.com users and their funds are not directly affected by the vulnerability, our team is working on enhancing user security even on third-party resources. Rarible has been working closely with multiple cyber security teams including ChainSecurity to proactively ensure a safe experience for the NFT community.

We encourage users to stay vigilant, and pay attention to the websites they visit and transactions they sign to stay safe."

ORIGINAL STORY: A potentially major security flaw has been discovered on Rarible, a popular marketplace for non-fungible tokens (NFTs), which could lead to users losing not just their NFTs but also the cryptocurrency held in their wallets.

A report from Check Point Research (CPR) identified a vulnerability that would allow an attacker to steal someone’s digital belongings in a single transaction. The worst part is that everything would happen on the marketplace itself, a place where people would generally be less suspicious.

According to CPR’s report, the technique is simple and starts with creating a “malicious NFT”. Should a user stumble upon it and click on it, the NFT would execute JavaScript code that prompts the victim’s wallet to sign a setApprovalForAll request.


Malicious NFTs

If the victim confirms that request, they grant the attacker full access to the tokens in their wallet.
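How a wallet could catch the request described above, as an added example that is not part of the article or of Check Point's report: the JavaScript below decodes the raw calldata of a pending transaction, recognises the setApprovalForAll (and ERC-20/ERC-721 approve) function selectors, and rates the request by the operator it would authorise. The trusted-operator allowlist, the contract addresses and the sample transaction are constructed placeholders, not values from the page.

```javascript
// Added example, not code from the article or from Check Point's report:
// a wallet-side check that decodes raw EVM calldata before a signing prompt
// is shown and flags approval-granting calls such as setApprovalForAll.
// The trusted-operator addresses and sample transaction are constructed.

// 4-byte function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  a22cb465: "setApprovalForAll", // setApprovalForAll(address,bool)  ERC-721/1155
  "095ea7b3": "approve",         // approve(address,uint256)        ERC-20/721
};

// Hypothetical allowlist of operator contracts the user has chosen to trust.
const TRUSTED_OPERATORS = new Set([
  "0x1111111111111111111111111111111111111111", // placeholder marketplace contract
]);

const MAX_UINT256 = (1n << 256n) - 1n;

// Return the i-th 32-byte ABI word (64 hex chars) of the argument area.
function word(args, i) {
  return args.slice(i * 64, (i + 1) * 64);
}

// Decode the subset of calldata we care about into a plain object.
function decodeCalldata(data) {
  const hex = (data || "0x").toLowerCase().replace(/^0x/, "");
  if (hex.length < 8) return { kind: "none" };
  const selector = hex.slice(0, 8);
  const args = hex.slice(8);
  const name = SELECTORS[selector];
  if (!name) return { kind: "unknown", selector };
  if (args.length < 128) return { kind: "malformed", selector };
  // Addresses occupy the low 20 bytes (40 hex chars) of a 32-byte word.
  const target = "0x" + word(args, 0).slice(24);
  const value = BigInt("0x" + word(args, 1));
  if (name === "setApprovalForAll") {
    return { kind: name, operator: target, approved: value !== 0n };
  }
  return { kind: name, spender: target, amount: value };
}

// Risk decision a wallet could use to decorate or block the signing prompt.
function assessTransaction(tx) {
  const d = decodeCalldata(tx.data);
  if (d.kind === "setApprovalForAll" && d.approved) {
    const trusted = TRUSTED_OPERATORS.has(d.operator);
    return {
      risk: trusted ? "medium" : "high",
      reason: `grants ${d.operator} control over every token of ${tx.to}` +
              (trusted ? " (trusted operator)" : " (unknown operator)"),
    };
  }
  if (d.kind === "approve" && d.amount === MAX_UINT256) {
    return { risk: "high", reason: `unlimited allowance for ${d.spender} on ${tx.to}` };
  }
  if (d.kind === "approve") {
    return { risk: "medium", reason: `allowance of ${d.amount} for ${d.spender} on ${tx.to}` };
  }
  return { risk: "low", reason: "no approval granted" };
}

// Constructed sample: setApprovalForAll(0x2222...2222, true) aimed at a
// hypothetical NFT collection contract 0x3333...3333.
const SAMPLE_TX = {
  to: "0x3333333333333333333333333333333333333333",
  data:
    "0xa22cb465" +
    "0000000000000000000000002222222222222222222222222222222222222222" +
    "0000000000000000000000000000000000000000000000000000000000000001",
};

console.log(assessTransaction(SAMPLE_TX));
```

Run with Node, the block prints the assessment of the constructed sample. A wallet or browser extension would call assessTransaction before displaying its signing prompt and surface the reason string to the user, which is the moment the article's scenario depends on: the approval only takes effect if the victim confirms it.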

“In October last year, we discovered critical security flaws in OpenSea, the world's largest NFT marketplace. Now, we've identified similar vulnerabilities in Rarible,” commented Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software. 

“In terms of security, there is still a huge gap between Web2 and Web3 infrastructure. Any small vulnerability opens a backdoor for cybercriminals to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols are lacking a sound security practice. The implications following a crypto hack can be extreme. We've seen millions of dollars hijacked from users of marketplaces that combine blockchain technologies.” 

Last year, Rarible had more than $273 million in trading volume, making it one of the largest NFT marketplaces on the planet.

Check Point notified Rarible of its discovery, and said it “believes Rarible will have deployed a fix by the time of this publication”. We have reached out to Rarible to see if that is indeed the case, and will update the article accordingly.

However, given that it’s Easter weekend, it could be a few days before we hear back from Rarible.

“Users currently need to manage two types of wallets: one for most of their crypto and another just for specific transactions,” Vanunu continued. 

“Should the wallet for specific transactions become compromised, users can still be in a position where they don’t lose everything.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
