Researchers Discover Vulnerability on Rarible, Might Exist on Other Platforms

Check Point, a cybersecurity software firm, recently found a weakness in the Rarible NFT marketplace which puts its approximately 2 million active users and their NFTs at risk. The IT security company also previously discovered issues on Opensea in October 2021 which were related to malicious airdrops.

Certain bad actors can easily send users with a dubious link to an NFT, which will then execute a JavaScript code after clicking that “attempts to send a setApprovalForAll request to the victim” and give hackers full access to the users’ wallets, according to Check Point Research (CPR). Rarible has since been notified regarding this vulnerability.

“If exploited, the vulnerability would have enabled a threat actor to steal a user’s NFTs and cryptocurrency wallets in a single transaction. A successful attack would have come from a malicious NFT within Rarible’s marketplace itself, where users are less suspicious and familiar with submitting transactions,” explained the NFT platform.

The team at Check Point became interested in exploring this type of scam following a similar attack on Taiwanese singer Jay Chou, who lost his BoredApe #3738 earlier this month, according to the head of products vulnerabilities research Oded Vanunu. “Once we saw that this NFT was stolen, it gave us the incentive to investigate further,” Vanunu explained.

“Rarible acknowledged the security flaw quickly and fixed it by removing the SVG file upload option. This terminated the malicious NFT attack option,” he added, noting that these kinds of vulnerabilities might also exist on other platforms. Following the discovery, CPR has since cautioned other users to always verify any requests they receive on NFT marketplaces. The team also suggested utilizing the request tracker of Etherscan when in doubt.

Source: CoinTelegraph