NFTs are generally a passive business. A consumer buys the token and then sells or stores the NFT. The NFT really doesn’t do anything.
Some new NFTs are being used to harvest viewers’ IP addresses, however, in a demonstration of how NFT marketplaces like OpenSea allow vendors, or attackers, to load custom code when someone simply views an NFT listing.
“We researched a lot of issues in the NFT space (with more of a focus on fraud) and one of the things we were playing with was different XSS attacks on websites that display NFTs, that’s to That’s when I realized we could get OpenSea to load HTML pages,” Nick Bax, head of research at the NFT Convex Labs organization, told Motherboard during an online chat. refers to cross-site scripting attacks, one of many types of attacks someone could use an NFT for.
Bax and a team of engineers and contributors are working on several NFTs that harvest people’s IP addresses. One, which includes a Simpsons and South Park crossover image, surreptitiously collects the viewer’s IP address and stores it in a panel for Bax to see later.
“I just right clicked + saved your IP address”, the description for NFT on OpenSea bed.
Do you know of any other data collection NFTs? We would love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox or by email [email protected].
Another NFT displays the viewer’s IP address in the NFT itself while viewing it on OpenSea. The motherboard verified this by loading the OpenSea list from the article; it correctly displayed the IP address of a VPN server used by Motherboard.
“Total number of registered visitors: 85,” read the NFT at the time of writing.
Of course, websites often collect and store visitors’ IP addresses by virtue of how the sites operate. OpenSea itself probably collects visitors’ IP addresses, like many other sites, apps, or services. But here, an outside third party – the NFT seller – is able to gather information about people viewing the NFT themselves, potentially without their knowledge.
Armed with an IP address, an attacker can first determine a viewer’s coarse location, usually at least as far back as the city they are connecting from. Attackers can also use this information to try to dig up other details, like potentially their real name or physical address if this data was stored elsewhere or included in a previous breach from another site.
The problem is that OpenSea allows NFT vendors to add an “animation_url” to the metadata of the NFT, Bax explained in a tweet. This animation_url supports HTML files, he added. The HTML file for this data-logging NFT includes a piece of commonly used IP-gathering code from a site called IPlogger.org, he added.
Last week, Alex Lupascu, co-founder of privacy and blockchain company Omnia, describes how his team discovered This popular MetaMask cryptocurrency wallet had an issue where an attacker could mint an NFT and then send it to a victim to get their IP address. In this demo, the token directed the user’s wallet to a server which grabbed the image to display in their wallet. Since NFTs usually only contain a URL pointing to a server containing the actual image, rather than the image itself, Lupascu designed a setup where an attacker controls that server and retrieves the IP address of the user when the wallet retrieves the image. According to Lupascu, this could in theory be used to launch a distributed denial of service attack that overloads a specific URL with traffic.
MetaMask founder Daniel Finlay later said they were starting to work to solve the problem raised by Lupascu.
For OpenSea and these new NFTs, Bax said in a tweet that he doesn’t consider OpenSea to allow this type of activity to be a vulnerability in OpenSea itself, so he hasn’t contacted the company. to disclose the problem. OpenSea did not respond to Motherboard. request for comment.