This special NFT can steal your IP address
Nick Bax, head of research at the NFT organisation Convex Labs, analyses problems in the NFT space with a focus on fraud. While doing so he discovered that an NFT's creator can harvest the IP addresses of unsuspecting users who view the token on the OpenSea marketplace.
To shed light on this issue, Bax and his team created several NFTs that harvest viewers' IP addresses. One of them, titled "I just right-click + saved your IP address" on OpenSea, is an image of a South Park scene drawn in the recognisable style of The Simpsons. When someone views it, the NFT records the viewer's IP address and sends it to Bax. This shows that when a user views an NFT, the marketplace renders content supplied by the seller, and that content can register the viewer's IP address and report it back to the seller.
According to Bax's blog post on Medium, OpenSea lets NFT sellers add an "animation_url" field to the NFT's metadata. The animation_url may point to an HTML file which, as in Bax's NFT, contains an IP-harvesting snippet from the logging site IPlogger.org. The metadata is saved as a JSON file on a decentralised storage network or on centralised cloud servers; OpenSea fetches the referenced HTML, tracking pixel included, and serves it from its own server. When a viewer opens the NFT on OpenSea, the browser loads that HTML and, with it, an invisible pixel hosted by the logger. The request for the pixel reveals the viewer's IP address and other details such as approximate geolocation, browser version and operating system.
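The following is an added example, not code from the article, from Bax's NFT or from OpenSea. It shows the shape of the problem in working JavaScript: a constructed metadata record with an animation_url, a constructed HTML document of the kind that URL can point to (artwork plus an invisible logging pixel), and a small audit that lists every host the viewer's browser would contact. All hostnames, paths and the trusted-host list are assumptions made for the example; the third-party logging host is a placeholder, not IPlogger.org's real endpoint.

```javascript
// Added example: audit NFT metadata and its animation_url document for
// third-party resource loads that would disclose a viewer's IP address.
// Every URL, host and token below is constructed for illustration.

// Constructed metadata JSON, in the shape a marketplace reads for a token.
const SAMPLE_METADATA = {
  name: "I just right-click + saved your IP address",
  image: "ipfs://QmExampleImageCid/image.png",
  animation_url: "https://example-nft-host.invalid/tracker.html",
};

// Constructed HTML document modelled on what an animation_url can point to:
// it shows the artwork and also loads a hidden 1x1 pixel and a script from
// other hosts. The marketplace may cache this HTML, but the viewer's browser
// still fetches each referenced resource directly.
const SAMPLE_ANIMATION_HTML = `<!doctype html>
<html><body style="margin:0">
<img src="https://example-nft-host.invalid/art.png" alt="art">
<img src="https://iplogger.example/p/abc123.gif" width="1" height="1" style="display:none">
<script src="https://cdn.example/fingerprint.js"></script>
</body></html>`;

// Collect every absolute http(s) URL referenced by a src or href attribute.
// A regex scan is enough for an audit; a real renderer would use a parser.
function extractResourceUrls(html) {
  const urls = [];
  const attr = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    try {
      const u = new URL(m[1]);
      if (u.protocol === "http:" || u.protocol === "https:") urls.push(u);
    } catch {
      // Relative or non-http value (e.g. ipfs:): not a direct third-party fetch.
    }
  }
  return urls;
}

// Audit one token. `trustedHosts` (an assumption) are hosts the marketplace
// serves or proxies itself; any other host receives a direct connection from
// the viewer's browser, and with it the viewer's IP address.
function auditToken(metadata, animationHtml, trustedHosts) {
  const findings = [];
  if (metadata.animation_url) {
    findings.push(`animation_url present: ${metadata.animation_url}`);
    if (/\.html?(\?|#|$)/i.test(metadata.animation_url)) {
      findings.push("animation_url is an HTML document and may load arbitrary subresources");
    }
  }
  const thirdParty = extractResourceUrls(animationHtml)
    .filter((u) => !trustedHosts.includes(u.hostname));
  for (const u of thirdParty) {
    findings.push(`third-party load: ${u.hostname}${u.pathname}`);
  }
  return { findings, thirdPartyHosts: [...new Set(thirdParty.map((u) => u.hostname))] };
}

// Blocking mode: drop every element that references a non-trusted host.
// This is the trade-off a script or resource blocker makes: the tracker is
// gone, but so is any artwork hosted outside the trusted set.
function stripThirdParty(html, trustedHosts) {
  return html.replace(
    /<(img|script|iframe|link|video|audio|source)\b[^>]*>(?:<\/\1>)?/gi,
    (tag) => (extractResourceUrls(tag).some((u) => !trustedHosts.includes(u.hostname)) ? "" : tag)
  );
}

// Usage: a constructed marketplace cache host is the only trusted origin.
const TRUSTED_HOSTS = ["marketplace-cache.example"];
const report = auditToken(SAMPLE_METADATA, SAMPLE_ANIMATION_HTML, TRUSTED_HOSTS);
console.log(report.findings.join("\n"));
console.log(stripThirdParty(SAMPLE_ANIMATION_HTML, TRUSTED_HOSTS));
```

Run with Node; the audit reports three hosts the viewer's browser would contact, and the stripped document keeps the page skeleton but loses both images and the script, which is exactly why a blocked NFT fails to render.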
On a related note, Alex Lupascu, co-founder of the privacy and blockchain company Omnia, described how his team found that MetaMask had an issue where an attacker could mint an NFT and send it to a victim to obtain the victim's IP address. He created his own NFT on OpenSea, transferred its ownership to his MetaMask wallet and discovered what he called a 'critical privacy vulnerability'.
He stated that using centralised repositories to store digital assets leaves users' personal data exposed to attackers with malicious intent.
MetaMask later responded to Lupascu that it had already begun work on a fix.
These IP-grabbing NFTs can be used by many parties, legitimate and malicious alike. OpenSea's terms of service prohibit using such data for marketing or scams, but those terms could prove difficult to enforce.
Bax tested his IP-grabbing NFT on several platforms apart from OpenSea, including Rarible, LooksRare and MetaMask. His animation_url exploit only appeared to work on OpenSea.
The Bottom Line
Protecting your personal data is vital in the digital asset world. Centralised storage undermines the decentralised nature of NFTs: the token itself lives on-chain, but the metadata and media it points to are often stored on centralised servers. As described above, this is what exposes viewers to attackers.
On the bright side, users can take some steps to protect themselves from these special NFTs, such as using a VPN, although a VPN is insufficient against an adversary with access to netflow data. Script and resource blockers also help, but with the downside that the NFT (image, GIF, etc.) will not render.
DeNet (Decentralized Net) developers are offering a truly decentralised network that gives users full control over their NFTs and personal data. DeNet's protocol and its browser plugin verify and certify data before NFT content is accessed, in order to protect users. According to DeNet, on its decentralised network attackers cannot collect IP addresses without the user's consent, unlike with centralised storage.
Photo: Nick Bax