Rarible NFT Marketplace Flaw Could’ve Let Attackers Hijack Crypto Wallets

Cybersecurity researchers have disclosed a now-fixed security flaw in the Rarible non-fungible token (NFT) marketplace that, if successfully exploited, could have led to account takeover and theft of cryptocurrency assets.

“By luring victims to click on a malicious NFT, an attacker can take full control of the victim’s crypto wallet to steal funds,” Check Point researchers Roman Zaikin, Dikla Barda, and Oded Vanunu said in a report shared with The Hacker News.

Rarible, an NFT marketplace that enables users to create, buy, and sell digital NFT art like photographs, games, and memes, has over 2.1 million active users.

“There is still a huge gap, in terms of security, between Web2 and Web3 infrastructure,” Vanunu, head of products vulnerabilities research at Check Point, said in a statement shared with The Hacker News.

“Any small vulnerability can possibly allow cybercriminals to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols are lacking from a security perspective. The implications following a crypto hack can be extreme.”

The attack modus operandi hinges on a malicious actor sending a link to a rogue NFT (e.g., an image) to potential victims that, when opened in a new tab, executes arbitrary JavaScript code, potentially allowing the attacker to gain complete control over the victim’s NFTs by sending a setApprovalForAll request to the wallet.

The setApprovalForAll API allows a marketplace (in this case, Rarible) to transfer sold items from the seller’s address to the buyer’s address based on the implemented smart contract.

“This function is very dangerous by design because this may allow anyone to control your NFTs if you get tricked into signing it,” the researchers pointed out.
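To make the "dangerous by design" point concrete, here is an added example (not code from the article, Check Point or Rarible): a minimal in-memory model of the ERC-721 approval rules, showing that one signed setApprovalForAll gives an operator rights over every token the signer owns now or later, unlike a per-token approve(), and how the same call with approved=false revokes it. The addresses "victim" and "operator" and the token IDs are constructed for the scenario.

```javascript
// Added example (not code from the article, Check Point or Rarible): a minimal
// in-memory model of ERC-721 approval semantics, no chain or wallet involved.
class Erc721Model {
  constructor() {
    this.owners = new Map();            // tokenId -> owner address
    this.tokenApprovals = new Map();    // tokenId -> one approved address
    this.operatorApprovals = new Map(); // owner -> Set of operator addresses
  }
  mint(to, tokenId) { this.owners.set(tokenId, to); }
  ownerOf(tokenId) { return this.owners.get(tokenId); }
  // approve(): rights over exactly one token, cleared when that token moves.
  approve(sender, to, tokenId) {
    if (this.ownerOf(tokenId) !== sender) throw new Error("not owner");
    this.tokenApprovals.set(tokenId, to);
  }
  // setApprovalForAll(): rights over every token sender owns now or later.
  setApprovalForAll(sender, operator, approved) {
    const ops = this.operatorApprovals.get(sender) || new Set();
    if (approved) ops.add(operator); else ops.delete(operator);
    this.operatorApprovals.set(sender, ops);
  }
  isApprovedForAll(owner, operator) {
    return (this.operatorApprovals.get(owner) || new Set()).has(operator);
  }
  // As in ERC-721: the owner, the per-token approvee or an operator may move it.
  transferFrom(sender, from, to, tokenId) {
    const owner = this.ownerOf(tokenId);
    if (owner !== from) throw new Error("from is not the owner");
    if (sender !== owner && this.tokenApprovals.get(tokenId) !== sender &&
        !this.isApprovedForAll(owner, sender)) throw new Error("not authorized");
    this.owners.set(tokenId, to);
    this.tokenApprovals.delete(tokenId);
  }
  // Defender-side check: operators holding blanket rights over an address.
  operatorsFor(owner) { return [...(this.operatorApprovals.get(owner) || [])]; }
}

// Constructed scenario: the victim signs one setApprovalForAll, then revokes it.
function demo() {
  const nft = new Erc721Model(); nft.mint("victim", 1); nft.mint("victim", 2);
  nft.setApprovalForAll("victim", "operator", true);
  nft.mint("victim", 3);                                 // minted after signing
  for (const id of [1, 3]) nft.transferFrom("operator", "victim", "operator", id);
  nft.setApprovalForAll("victim", "operator", false);    // revocation
  let blockedAfterRevoke = false;
  try { nft.transferFrom("operator", "victim", "operator", 2); } catch (_) { blockedAfterRevoke = true; }
  return { moved: [nft.ownerOf(1), nft.ownerOf(3)], kept: nft.ownerOf(2),
           blockedAfterRevoke, operators: nft.operatorsFor("victim") };
}
```

operatorsFor() is the check a wallet owner would want: any operator listed there can move every token of that address without a further signature until the approval is revoked.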

“It’s not always clear to users exactly what permissions they are giving by signing a transaction. Most of the time, the victim assumes these are regular transactions when in fact, they were given control over their own NFTs.” Read more: https://bit.ly/3xv92fZ
