{"id":400093,"date":"2022-01-27T23:00:00","date_gmt":"2022-01-27T20:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/this-proof-of-concept-nft-can-swipe-unsuspecting-users-ip-addresses\/"},"modified":"2022-01-27T23:00:00","modified_gmt":"2022-01-27T20:00:00","slug":"this-proof-of-concept-nft-can-swipe-unsuspecting-users-ip-addresses","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/this-proof-of-concept-nft-can-swipe-unsuspecting-users-ip-addresses\/","title":{"rendered":"This proof of concept NFT can swipe unsuspecting users&#8217; IP addresses"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMDEvMWRhZjRiMDktOGI5YS00Y2QyLTgzMzEtMmU5MTEyMzNlNjM3LmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-128018ef>\n<p>Both OpenSea and MetaMask have been shown to leak users&#8217; IP addresses when nonfungible tokens (NFTs) are viewed or received, according to researchers at Convex Labs and OMNIA Protocol.<\/p>\n<p>Nick Bax, head of research at the NFT organization Convex Labs, tested how NFT marketplaces like OpenSea let vendors or attackers harvest viewers&#8217; IP addresses. 
He created a listing for a Simpsons and South Park crossover image, titling it \u201cI just right click + saved your IP address,\u201d to prove that when the listing is viewed it loads custom code that logs the viewer&#8217;s IP address and reports it to the vendor.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">This NFT logs your IP address:<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/hB34JuJLH9\">https:\/\/t.co\/hB34JuJLH9<\/a> <\/p>\n<p>\u2014 Nick (Bax.eth) (@bax1337) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/bax1337\/status\/1485606353255206915?ref_src=twsrc%5Etfw\">January 24, 2022<\/a><\/p><\/blockquote>\n<p>In a Twitter thread, Bax said that he &#8220;does not consider my OpenSea IP logging NFT to be a vulnerability&#8221; because that is simply &#8220;the way it works.&#8221; An NFT is, at its core, an on-chain token that points at data held elsewhere: it is common for the actual image or asset to sit on a remote server, with only its URL recorded on-chain. 
When an NFT is transferred to a blockchain address, the receiving wallet fetches the remote image from that URL in order to display it, and the server hosting the image sees the request.<\/p>\n<p>Bax <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/medium.com\/@convexlabs\/this-nft-logs-your-ip-address-7f6f9cf2376e\">explained<\/a> the technical details in a Convex Labs Medium post. OpenSea\u2019s <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.opensea.io\/docs\/metadata-standards\">metadata standard<\/a> lets NFT creators supply additional metadata, including a field that can point to an HTML page rather than a static image. The metadata JSON can live on a decentralized storage network such as IPFS or on an ordinary cloud server. OpenSea downloads the image and the HTML page and hosts them on its own servers, but the page is rendered in the viewer&#8217;s browser, and an \u201cinvisible image\u201d tracking pixel embedded in it is requested from a server the creator controls. Thus, when a potential buyer views the NFT on OpenSea, the page loads, fetches the invisible pixel, and the request reveals the viewer\u2019s IP address along with data such as approximate geolocation, browser version and operating system.<\/p>\n<p>Alex Lupascu, co-founder of the privacy node service OMNIA Protocol, conducted his own research on the MetaMask mobile app with similar results. He found that a sender can deliver an NFT to a MetaMask wallet and obtain the recipient&#8217;s IP address, because the app fetches the NFT&#8217;s remote image without asking. 
He minted his own NFT on OpenSea, airdropped it to his own MetaMask wallet, and concluded that he had found a &#8220;critical privacy vulnerability.&#8221;<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">My team and I discovered a critical privacy <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/vulnerability?src=hash&amp;ref_src=twsrc%5Etfw\">#vulnerability<\/a> in the most popular <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/crypto?src=hash&amp;ref_src=twsrc%5Etfw\">#crypto<\/a> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/wallet?src=hash&amp;ref_src=twsrc%5Etfw\">#wallet<\/a>.<\/p>\n<p>Are you using MetaMask?<br \/>Well, I have bad news for you &#8211; your <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/privacy?src=hash&amp;ref_src=twsrc%5Etfw\">#privacy<\/a> is at risk!<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/samczsun?ref_src=twsrc%5Etfw\">@samczsun<\/a> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/gakonst?ref_src=twsrc%5Etfw\">@gakonst<\/a> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/VitalikButerin?ref_src=twsrc%5Etfw\">@VitalikButerin<\/a> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/cz_binance?ref_src=twsrc%5Etfw\">@cz_binance<\/a>  <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/phildaian?ref_src=twsrc%5Etfw\">@phildaian<\/a> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/ar30UMzR1G\">https:\/\/t.co\/ar30UMzR1G<\/a><\/p>\n<p>\u2014 Alex Lupascu (@alxlpsc) <a rel=\"nofollow noopener\" target=\"_blank\" 
href=\"https:\/\/twitter.com\/alxlpsc\/status\/1484102749566476291?ref_src=twsrc%5Etfw\">January 20, 2022<\/a><\/p><\/blockquote>\n<p>In a Medium post, Lupascu described the consequences: a &#8220;malicious actor can mint an NFT with the remote image hosted on his server, then airdrop this collectible to a blockchain address (victim) and obtain his IP address.&#8221; His concern is that if an attacker mints a collection of NFTs, points all of their image URLs at a single target server and airdrops them to millions of wallets, every wallet that renders them will request that URL, which amounts to a large-scale distributed denial-of-service (DDoS) attack. Leaking an IP address, and with it an approximate location, can also expose holders to physical threats such as kidnapping, according to Lupascu.<\/p>\n<p>He suggested requiring explicit user consent before the remote image is fetched: MetaMask or any other wallet would warn the user that displaying the NFT means requesting a file from a third-party server, and that the request may expose his or her IP address.<\/p>\n<p>Dan Finlay, CEO of MetaMask,\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/danfinlay\/status\/1484226834610810880?s=20\">responded<\/a> to Lupascu on Twitter, stating that even though &#8220;the issue has been known for a long time,&#8221; they are now starting work to fix it and improve user safety and privacy.<\/p>\n<p>That same day, Vitalik Buterin acknowledged the challenges of off-chain privacy in Web3. On a recent UpOnly podcast episode, Buterin said that &#8220;the fight for more privacy is an important one. 
People are underestimating the risks of no privacy,&#8221; adding that the &#8220;more crypto-y everything becomes,&#8221; the more exposed we are.<\/p>\n<\/div>\n<p><a href=\"https:\/\/cointelegraph.com\/news\/this-proof-of-concept-nft-can-swipe-unsuspecting-users-ip-addresses\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Both OpenSea and MetaMask have been shown to leak users&#8217; IP addresses when nonfungible tokens (NFTs) are viewed or received, according to researchers at Convex Labs and OMNIA Protocol. 
Nick Bax, head of research at the NFT organization Convex Labs, tested how NFT marketplaces like&#8230;<\/p>\n","protected":false},"author":1,"featured_media":400094,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMDEvMWRhZjRiMDktOGI5YS00Y2QyLTgzMzEtMmU5MTEyMzNlNjM3LmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[15047,74894,125002,80097,95118,86389],"class_list":["post-400093","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-privacy","tag-blockchain","tag-ip-addresses","tag-mobile-wallet","tag-nft","tag-marketplace"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/400093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=400093"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/400093\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/400094"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=400093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=400093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=400093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
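To make the leak described in the Convex Labs and OMNIA paragraphs concrete, here is an added example that is not code from the article, Convex Labs, OMNIA Protocol, OpenSea or MetaMask. It walks ERC-721 style metadata the way a naive renderer does, expands an HTML `animation_url` page to find the resources it would load (including an invisible tracking pixel), reports every request that would hand the viewer's IP address to a host the creator controls, and produces the kind of consent prompt Lupascu suggested. The field names `image` and `animation_url` follow OpenSea's published metadata standard; the trusted-host list, the `.example` hosts, the HTML page and the sample metadata are constructed for the example.

```python
"""Added example: what a naive NFT renderer fetches, and who learns the viewer's IP."""
import json
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts the renderer (wallet or marketplace) runs or proxies through itself.
# Assumption made up for this example; a real wallet keeps its own allow-list.
TRUSTED_HOSTS = {"cloudflare-ipfs.com", "ipfs.io"}

# Metadata fields holding URLs a renderer may fetch (OpenSea metadata standard).
URL_FIELDS = ("image", "image_url", "animation_url")

# Elements whose attribute triggers a request as soon as the page is parsed.
# JavaScript can fetch anything at runtime, so a <script> source is listed too.
AUTO_LOAD = {"img": "src", "script": "src", "iframe": "src", "link": "href",
             "source": "src", "video": "src", "audio": "src"}


class ResourceCollector(HTMLParser):
    """Collect every URL an animation_url HTML page loads automatically."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOAD.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # A relative "pixel.gif" resolves against the page's own host,
                # so it still reaches the creator's server.
                self.urls.append(urljoin(self.base_url, value))


def classify(url):
    """Where a request for url ends up: 'data' (no request at all), 'ipfs'
    (whichever gateway the renderer picks), 'trusted', or 'third-party'."""
    parts = urlparse(url)
    if parts.scheme == "data":
        return "data", None
    if parts.scheme == "ipfs":
        return "ipfs", None
    host = (parts.hostname or "").lower()
    if parts.scheme in ("http", "https") and host in TRUSTED_HOSTS:
        return "trusted", host
    return "third-party", host or url


def leak_report(metadata, pages):
    """Walk the metadata the way a naive renderer does and list every request.
    `pages` maps URL -> HTML body and stands in for the network, so this runs
    offline; any fetched URL that has a page in it is expanded in turn."""
    findings, seen = [], set()

    def visit(url, via):
        if url in seen:
            return
        seen.add(url)
        kind, host = classify(url)
        findings.append({"url": url, "via": via, "kind": kind, "host": host,
                         "leaks_ip": kind == "third-party"})
        if url in pages:
            collector = ResourceCollector(url)
            collector.feed(pages[url])
            for sub in collector.urls:
                visit(sub, url)

    for field in URL_FIELDS:
        if metadata.get(field):
            visit(metadata[field], field)
    return findings


def consent_prompt(findings):
    """The wallet-side check Lupascu proposed: name the hosts that would learn
    the viewer's IP address, or return None when no prompt is needed."""
    hosts = sorted({f["host"] for f in findings if f["leaks_ip"]})
    if not hosts:
        return None
    return ("Displaying this NFT will request files from " + ", ".join(hosts)
            + "; those servers will see your IP address. Continue?")


# Constructed sample: an IPFS cover image plus an HTML page carrying a 1x1 logger.
SAMPLE_METADATA = {
    "name": "example collectible",
    "image": "ipfs://bafybeiexamplecid/cover.png",
    "animation_url": "https://nft-cdn.example/viewer.html",
}
SAMPLE_PAGES = {
    "https://nft-cdn.example/viewer.html": """<html><body>
<img src="https://cloudflare-ipfs.com/ipfs/bafybeiexamplecid/cover.png">
<!-- invisible pixel: the request carries the viewer's IP and User-Agent -->
<img src="https://tracker.example/pixel.gif?id=7" width="1" height="1">
<link rel="stylesheet" href="style.css">
</body></html>""",
}

if __name__ == "__main__":
    report = leak_report(SAMPLE_METADATA, SAMPLE_PAGES)
    print(json.dumps(report, indent=2))
    print(consent_prompt(report))
```

On the sample, the IPFS cover image and the image proxied through a trusted gateway raise nothing, while the HTML page itself, the pixel on tracker.example and the relative stylesheet all leak: fetching the page from the creator's host is already enough, before any pixel loads. A marketplace that copies the image onto its own servers before serving it is what the `trusted` class models, since the creator's host never sees the viewer. The static walk cannot see what a script does at runtime, which is why every `<script>` source is reported, and an `ipfs://` reference is only as private as the gateway the wallet resolves it through.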