A dangerous vulnerability in Rarible, a non-fungible token (NFT) marketplace, has been discovered and patched. The flaw was severe enough that, had an attack succeeded, some users could have lost all of their NFTs. Investigations indicate that the attack relied on a malicious NFT hosted on the Rarible marketplace itself.
According to Cointelegraph, the research arm of the cybersecurity software company Check Point has announced that it identified a vulnerability in the Rarible NFT marketplace that put the assets of the market's 2 million monthly active users at risk: any user could have lost all of their NFTs in a single transaction.
Check Point is a multinational information technology security company established in 1993. The company says that in October 2021 (Mehr 1400) it had also identified vulnerabilities in the OpenSea NFT marketplace.
According to Check Point's experts, the attacker would send users a link to an NFT; when the user clicks the link, embedded JavaScript executes and "attempts to send a setApprovalForAll request to the victim", which would hand control of the user's wallet accounts on the Rarible platform to the thieves.
According to Check Point's statement, Rarible was alerted to the vulnerability immediately, on April 5 (Farvardin 16), and the platform promptly acknowledged and fixed the security flaw.
Had attackers managed to exploit this vulnerability, they would have been able to take full control of users' wallets and steal their NFTs in a single transaction. The attack could have been delivered through a malicious NFT listed on the marketplace itself, making users less suspicious.
NFT theft
Oded Vanunu, head of product vulnerability research at Check Point, said he and his team became interested in tracking these types of scams after Taiwanese singer Jay Chou fell victim: his Bored Ape token number 3738 was stolen through a malicious transaction. That theft increased the motivation of Vanunu and his team to investigate these vulnerabilities. According to him, this kind of abuse can also happen on many other platforms.
Rarible quickly confirmed the security flaw and fixed it by removing the option to upload SVG files, thwarting the malicious-NFT attack.
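The reason an SVG upload matters is that SVG is an XML document, not just an image: when a marketplace renders it inline, any `<script>` element, `onload`-style event attribute or `javascript:` link inside it runs in the page. Removing SVG uploads altogether is one fix; a marketplace that wants to keep them has to screen for exactly that active content. The following scanner is an added illustration of such screening, not code from Rarible or from Check Point's report; the two SVG documents are constructed samples, and the scan is a heuristic (for untrusted uploads in production, parse with defusedxml rather than the standard library so the parser itself cannot be attacked).

```python
import xml.etree.ElementTree as ET

# Constructed sample uploads (not files from Rarible or from Check Point's report).
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* handler placeholder */">
  <script>/* script placeholder */</script>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
</svg>"""

# Element names that execute or embed active content when an SVG is rendered
# inline (as a document) rather than as a plain <img>.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URI schemes that turn a link or reference into code execution.
ACTIVE_URI_SCHEMES = ("javascript:", "data:text/html")


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text):
    """Return a list of findings describing script-capable content; [] means none found.

    Heuristic scan; production code should parse untrusted uploads with defusedxml
    to also block entity-expansion attacks against the parser itself.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = local_name(attr)
            if attr_name.startswith("on"):  # onload=, onclick=, onerror=, ...
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name == "href" and value.strip().lower().startswith(ACTIVE_URI_SCHEMES):
                findings.append(f"script URI in {attr_name} on <{name}>")
    return findings


def accept_svg_upload(svg_text):
    """Upload policy: accept only SVGs in which no active content was found."""
    return not find_active_content(svg_text)


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        verdict = "accepted" if accept_svg_upload(doc) else "rejected"
        print(label, verdict, find_active_content(doc))
```

Even with such a scan in place, the safer deployment choice is to serve user-supplied SVGs only through an `<img>` tag or from a separate origin, where browsers do not execute embedded script; the scan then becomes defence in depth rather than the only barrier.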
Vanunu declined to estimate the potential value of theft that could have occurred through this security flaw, because the attack could have hit any user of the platform. Notably, a similar attack on a single wallet owned by DeFiance Capital founder Arthur0x last month resulted in the loss of approximately 600 Ether (equivalent to $1.86 million).
The security firm urged users of NFT trading platforms to be careful when confirming requests and, when unsure, to verify them through the Etherscan request tracker.
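What "being careful when confirming requests" means in practice is reading the transaction before signing it. A wallet prompt shows raw input data; the first four bytes identify the function being called, and for `setApprovalForAll(address,bool)` the remaining two 32-byte words are the operator address and the approval flag. A value of `true` hands that operator every token in the collection, which is exactly the request the malicious NFT tried to trigger. The decoder below is an added example, not code from the article, Rarible or Check Point; it assumes the standard ERC-721 selector `0xa22cb465` for `setApprovalForAll`, and the operator address `0x1111...1111` is a constructed placeholder. It performs the same decoding that a block explorer's input-data view shows.

```python
# First four bytes of keccak256("setApprovalForAll(address,bool)"): the standard
# ERC-721 / ERC-1155 selector (assumed here; not quoted from the article).
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")

# Constructed placeholder operator address, used only to build a sample request.
SAMPLE_OPERATOR = "0x" + "11" * 20


def encode_set_approval_for_all(operator, approved):
    """ABI-encode setApprovalForAll(operator, approved) to produce sample calldata."""
    address_word = bytes.fromhex(operator.removeprefix("0x")).rjust(32, b"\x00")
    flag_word = (1 if approved else 0).to_bytes(32, "big")
    return "0x" + (SET_APPROVAL_FOR_ALL + address_word + flag_word).hex()


def decode_request(calldata_hex):
    """Turn a transaction's input data into a readable verdict before it is signed."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector, args = data[:4], data[4:]

    # Anything we cannot decode deserves a look on Etherscan before confirming.
    if selector != SET_APPROVAL_FOR_ALL or len(args) != 64:
        return {
            "function": "unknown",
            "selector": "0x" + selector.hex(),
            "warn": True,
            "reason": "unrecognised call; decode the input data on Etherscan before confirming",
        }

    # An address occupies the low 20 bytes of its 32-byte word; bool is the last word.
    operator = "0x" + args[12:32].hex()
    approved = int.from_bytes(args[32:64], "big") != 0
    return {
        "function": "setApprovalForAll",
        "operator": operator,
        "approved": approved,
        "warn": approved,
        "reason": ("grants the operator control of EVERY token in this collection"
                   if approved else "revokes the operator's access"),
    }


if __name__ == "__main__":
    for flag in (True, False):
        calldata = encode_set_approval_for_all(SAMPLE_OPERATOR, flag)
        print(calldata)
        print(decode_request(calldata))
    print(decode_request("0xdeadbeef"))
```

The verdict to act on is the `approved: True` case: a marketplace you are merely browsing has no reason to ask for blanket operator rights over a collection, and a request like that arriving after clicking an NFT link is the signal to reject the transaction.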