Imperva specialists have recently discovered a vulnerability in the NFT marketplace OpenSea that could have exposed user data.
This bug allowed clients to be deanonymized by linking an IP address, browser session data and an email address to a specific NFT.
After examination, it was determined that the problem was caused by an incorrect configuration of the iFrame-resizer library.
This misconfiguration enabled the aggregation of that data by means of a cross-site search, which in turn let an attacker target potential victims with phishing links.
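As an added illustration from the defender's side (this is not OpenSea's code and not the iframe-resizer library's own code): iframe-resizer relays an embedded page's dimensions to the embedding page with postMessage, so a parent page that acts on those messages without checking their origin, or a page that can be framed by arbitrary sites, hands a cross-origin page a signal to observe. The handler below applies a resize only when the event origin matches an exact allowlist and the payload is well-formed, counts what it rejects so the rejects can be surfaced in telemetry, and builds the `frame-ancestors` directive that stops untrusted framing in the first place. The hostnames, the message shape and the function names are constructed assumptions for the example.

```javascript
// Added illustration (not OpenSea's or iframe-resizer's code): a defensive
// parent-side handler for iframe resize messages that only trusts messages
// from an explicit allowlist of origins.
"use strict";

// Constructed allowlist: the only origins whose postMessage events the
// embedding page will act on. Hypothetical hostnames.
const ALLOWED_FRAME_ORIGINS = ["https://app.example", "https://widget.example"];

// Exact, case-sensitive origin comparison. No wildcards, and "null"
// (sandboxed or opaque origins) is never trusted.
function isAllowedOrigin(origin, allowlist = ALLOWED_FRAME_ORIGINS) {
  if (typeof origin !== "string" || origin === "null") return false;
  return allowlist.includes(origin);
}

// Validate the message payload before using it: a resize message must be
// an object with finite, non-negative numeric height and width.
function parseResizePayload(data) {
  if (data === null || typeof data !== "object") return null;
  const { height, width } = data;
  if (!Number.isFinite(height) || !Number.isFinite(width)) return null;
  if (height < 0 || width < 0) return null;
  return { height, width };
}

// Build a handler suitable for window.addEventListener("message", ...).
// `applyResize` runs only when origin and payload both pass; everything
// else is dropped and counted.
function makeResizeHandler(allowlist, applyResize) {
  const stats = { applied: 0, rejectedOrigin: 0, rejectedPayload: 0 };
  function onMessage(event) {
    if (!isAllowedOrigin(event.origin, allowlist)) {
      stats.rejectedOrigin += 1;
      return false;
    }
    const payload = parseResizePayload(event.data);
    if (payload === null) {
      stats.rejectedPayload += 1;
      return false;
    }
    applyResize(payload);
    stats.applied += 1;
    return true;
  }
  return { onMessage, stats };
}

// Content-Security-Policy value that stops the page from being embedded by
// anyone other than itself and the listed ancestors, which removes the
// cross-origin observer entirely rather than just filtering its messages.
function frameAncestorsHeader(allowedAncestors) {
  const sources = ["'self'", ...allowedAncestors];
  return `frame-ancestors ${sources.join(" ")}`;
}

// Stand-alone demo with constructed message events (no browser needed).
function demo() {
  const sizes = [];
  const { onMessage, stats } = makeResizeHandler(ALLOWED_FRAME_ORIGINS, (p) => sizes.push(p));
  const events = [
    { origin: "https://app.example", data: { height: 480, width: 640 } }, // trusted, applied
    { origin: "https://attacker.example", data: { height: 480, width: 640 } }, // wrong origin
    { origin: "null", data: { height: 1, width: 1 } }, // opaque origin
    { origin: "https://app.example", data: "480x640" }, // trusted origin, bad payload
  ];
  events.forEach(onMessage);
  return { sizes, stats };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
  console.log(frameAncestorsHeader(["https://app.example"]));
}
```

In a real page the same `onMessage` is registered with `window.addEventListener("message", onMessage)`, and the `frame-ancestors` value is sent by the server in the `Content-Security-Policy` header; the two controls are complementary, since the header stops untrusted embedding while the origin check protects against a parent that is allowed to embed but receives messages from elsewhere.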
In December 2022, OpenSea had already been hit with a multi-million dollar attack.