A loophole in the Rarible marketplace made it easy to steal NFTs

Web3 is clearly still far from the ideal world we have been promised. Check Point security researchers have just revealed an incredibly easy-to-exploit flaw in Rarible, a popular NFT marketplace. They showed that JavaScript code could be embedded in an SVG image to create a malicious NFT. The attacker then only needs to send the victim a link to this NFT for the code to be executed.

In their demonstration, the researchers execute a “setApprovalForAll” transaction, which gives the attacker control over the victim’s NFTs. Admittedly, the victim must still manually approve this operation, but the confirmation screen presented does not really convey the associated risk. Once the operation has been approved, the attacker can transfer the NFTs at leisure.
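The malicious NFT described above is an SVG file carrying script. As an added illustration (not Check Point's or Rarible's code), here is how a marketplace could screen uploaded SVG files for active content before serving them; the function name, rule set and sample documents are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign documents inside an SVG
# (compared in lower case, since inlined SVG goes through the HTML parser).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}
BAD_SCHEMES = ("javascript:", "data:text/html")


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """Return the reasons to reject svg_text; an empty list means none found."""
    if "<!ENTITY" in svg_text.upper():
        return ["entity declaration (refused before parsing)"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            # URL parsers drop tabs and newlines, so remove whitespace first.
            compact = "".join(value.split()).lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and compact.startswith(BAD_SCHEMES):
                findings.append(f"script URL in {name} on <{tag}>")
    return findings


# Constructed samples: a plain image and one with harmless placeholder script.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
ACTIVE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'onload="void(0)"><script>/* placeholder */</script>'
    '<a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a></svg>'
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        print(label, find_active_content(doc))
```

A filter like this only rejects suspicious uploads. Scripts inside an SVG do not run when the file is displayed through an `<img>` element, so rendering user-supplied images that way is a useful complement to it.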

This attack is not theoretical. It was used to scam Jay Chou, a Taiwanese singer and actor. After clicking on such a link, he was stripped of a particularly prized NFT, namely a “Bored Ape”. The attacker subsequently sold it for 500,000 dollars. The good news is that the flaw that made this kind of attack possible has since been closed.

Rarible is not the first marketplace to face such security issues. Last February, hundreds of NFTs unexpectedly changed ownership due to a protocol flaw. In October 2021, Check Point researchers had also observed phishing attacks on OpenSea users with the aim of stealing NFTs, a scam that allowed hackers to amass millions of dollars. It’s a real jungle.

Source: Check Point