Cybersecurity researchers have disclosed a now-fixed security flaw in the Rarible non-fungible token (NFT) marketplace that, if successfully exploited, could have led to account takeover and theft of cryptocurrency assets.
"By luring victims to click on a malicious NFT, an attacker can take full control of the victim's crypto wallet to steal funds," Check Point researchers Roman Zaikin, Dikla Barda, and Oded Vanunu said in a report shared with The Hacker News.
Rarible, an NFT marketplace that enables users to create, buy, and sell digital NFT art like photographs, games, and memes, has over 2.1 million active users.
"There is still a huge gap, in terms of security, between Web2 and Web3 infrastructure," Vanunu, head of products vulnerabilities research at Check Point, said in a statement shared with The Hacker News.
"Any small vulnerability can possibly allow cyber criminals to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols are lacking from a security perspective. The implications following a crypto hack can be extreme."
The attack modus operandi hinges on a malicious actor sending a link to a rogue NFT (e.g., an image) to potential victims that, when opened in a new tab, executes arbitrary JavaScript code, potentially allowing the attacker to gain complete control over their NFTs by sending a setApprovalForAll request to the wallet.
The setApprovalForAll API allows a marketplace (in this case, Rarible) to transfer sold items from the seller's address to the buyer's address based on the implemented smart contract.
"This function is very dangerous by design because this may allow anyone to control your NFTs if you get tricked into signing it," the researchers pointed out.
"It's not always clear to users exactly what permissions they are giving by signing a transaction. Most of the time, the victim assumes these are regular transactions when in fact, they were giving control over their own NFTs."
Once the victim grants the request, the scheme effectively permits the adversary to transfer all the NFTs out of the victim's account; the attacker can then sell them on the marketplace for a higher price.
"The vulnerability could potentially affect users only in case they deliberately leave Rarible.com for a third-party resource with malicious content, and consciously sign suggested transactions with their wallets," Rarible said in a statement shared with The Hacker News.
"Simply clicking the link is not enough; user interaction and confirmation for transactions are required. We encourage users to stay vigilant, and pay attention to the websites they visit and transactions they sign to stay safe."
As safeguards, it's recommended that users carefully scrutinize transaction requests prior to providing any kind of authorization. Previous token approvals can be reviewed and revoked by visiting Etherscan's Token Approval Checker tool.
"NFT users should be aware that there are various wallet requests – some of them are used just to connect the wallet, but others may provide full access to their NFTs and Tokens," the researchers said.
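The distinction the researchers draw, between a request that merely connects a wallet and one that hands an operator control over every token in a collection, comes down to what is in the transaction's calldata. The following is an added example, not code from Check Point or Rarible, that decodes a pending wallet request and classifies its risk before anything is signed. It assumes the standard ERC-721/ERC-1155 `setApprovalForAll(address,bool)` selector (`0xa22cb465`) and an `eth_sendTransaction` / `eth_requestAccounts` request shape; the contract and operator addresses are constructed placeholders, and the "trusted operators" allowlist is a hypothetical stand-in for whatever list a wallet or browser extension would maintain.

```javascript
// Added example (not Check Point's or Rarible's code): classify a wallet
// request so a "connect" prompt is not confused with a transaction that
// grants an operator control over all NFTs the signer holds in a contract.

// Well-known 4-byte selectors: first 4 bytes of keccak256(signature).
const SELECTORS = new Map([
  ["a22cb465", "setApprovalForAll(address,bool)"],   // ERC-721 / ERC-1155
  ["095ea7b3", "approve(address,uint256)"],          // single-token approval
  ["23b872dd", "transferFrom(address,address,uint256)"],
]);

// Calldata layout for setApprovalForAll: 4-byte selector, then two 32-byte
// ABI words: word 0 = operator address (left-padded with 12 zero bytes),
// word 1 = bool (0 or 1 in the last byte).
function decodeSetApprovalForAll(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 * 2) throw new Error("unexpected calldata length");
  const word0 = hex.slice(8, 72);
  const word1 = hex.slice(72, 136);
  if (!/^0{24}/.test(word0)) throw new Error("malformed operator word");
  return { operator: "0x" + word0.slice(24), approved: BigInt("0x" + word1) !== 0n };
}

// Returns { kind, risk, detail, ... } for a JSON-RPC style wallet request.
function classifyRequest(request, trustedOperators) {
  if (request.method === "eth_requestAccounts") {
    return { kind: "connect", risk: "low", detail: "shares your address; grants no token permissions" };
  }
  if (request.method !== "eth_sendTransaction") {
    return { kind: request.method, risk: "unknown", detail: "not classified" };
  }
  const tx = request.params[0];
  const hex = (tx.data || "0x").toLowerCase().replace(/^0x/, "");
  if (hex.length < 8) {
    return { kind: "plain-transfer", risk: "low", detail: "value transfer, no contract call" };
  }
  const selector = hex.slice(0, 8);
  const name = SELECTORS.get(selector);
  if (name !== "setApprovalForAll(address,bool)") {
    return { kind: name || "unknown-call:0x" + selector, risk: "review", detail: "inspect before signing" };
  }
  const { operator, approved } = decodeSetApprovalForAll(tx.data);
  if (!approved) {
    return { kind: "setApprovalForAll", operator, approved, risk: "low", detail: "revokes an operator" };
  }
  const trusted = trustedOperators.has(operator);
  return {
    kind: "setApprovalForAll", contract: tx.to, operator, approved,
    risk: trusted ? "medium" : "high",
    detail: (trusted ? "grants a known marketplace" : "grants an UNKNOWN operator") +
            " control over ALL your tokens in " + tx.to,
  };
}

// Constructed placeholder addresses; none of these are real contracts.
const NFT_CONTRACT = "0x" + "c0".repeat(20);
const MARKETPLACE_OPERATOR = "0x" + "11".repeat(20);
const UNKNOWN_OPERATOR = "0x" + "ba".repeat(20);
const TRUSTED = new Set([MARKETPLACE_OPERATOR]); // hypothetical allowlist

// Builds the calldata a marketplace (or a phishing page) would ask you to sign.
function encodeSetApprovalForAll(operator, approved) {
  const addrWord = operator.slice(2).toLowerCase().padStart(64, "0");
  const boolWord = (approved ? "1" : "0").padStart(64, "0");
  return "0xa22cb465" + addrWord + boolWord;
}

function sendTx(operator, approved) {
  return { method: "eth_sendTransaction",
           params: [{ to: NFT_CONTRACT, data: encodeSetApprovalForAll(operator, approved) }] };
}

// Four constructed requests: connect only, approval to a known marketplace,
// approval to an unknown operator, and a revocation.
function runSamples() {
  const samples = {
    connect: { method: "eth_requestAccounts", params: [] },
    marketplace: sendTx(MARKETPLACE_OPERATOR, true),
    unknown: sendTx(UNKNOWN_OPERATOR, true),
    revoke: sendTx(UNKNOWN_OPERATOR, false),
  };
  const out = {};
  for (const [name, req] of Object.entries(samples)) out[name] = classifyRequest(req, TRUSTED);
  return out;
}

for (const [name, result] of Object.entries(runSamples())) {
  console.log(name.padEnd(12), result.risk.padEnd(7), result.detail);
}
```

The useful signal is the operator address inside the calldata, not the `to` address: `to` is the NFT collection you already own tokens in, which is exactly why the prompt looks harmless. The same decoder is what a revocation check (such as the Etherscan tool mentioned above) relies on, just applied to past transactions instead of a pending one.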