The OpenSea platform has recently come into the spotlight: it turned out that NFTs using centralized storage can capture the IP addresses of unsuspecting users. Apparently, while users collect NFTs, NFTs can collect user data.

According to researchers from Convex Labs and OMNIA Protocol specialists, the OpenSea NFT marketplace and the Metamask browser wallet have seen cases of IP address leaks related to the transfer of non-fungible tokens (NFTs).

NFT data hosted on OpenSea may be intercepted

The first to sound the alarm was Nick Bax, head of research at NFT Convex Labs. Bax decided to check how NFT trading platforms like OpenSea store information, and whether it threatens user data.

Source: Nick Bax Twitter.

It turned out that the platform only captures metadata and does not care how the NFT data itself is stored. So when someone merely views an NFT whose data is stored on a centralized platform, the NFT provider or an attacker can collect the viewer's IP address and do other malicious things.

Bax demonstrated this by creating his own IP address logger that looks like an ordinary NFT on OpenSea. The Simpsons and South Park crossover image has the description: 'I just right click + saved your IP address'. The researcher showed that when a user views the NFT, it loads its own code that logs the viewer's IP address and shares it with the seller.

Bax shared the results of his experiment on Twitter, noting that he 'does not consider my OpenSea IP logging NFT to be a vulnerability' because 'it just works that way.'

Source: Nick Bax Twitter.

It is important to remember that an NFT is essentially a piece of program code or digital data that can be transferred or retrieved using the blockchain. Because of limits on data size and the high cost of storage, the actual data (an image, audio, video or other) is stored on a remote server, while only the URL of the asset is stored on the blockchain. When an NFT is transferred to a blockchain address, the receiver's crypto wallet gets only metadata. It then retrieves the data itself, such as an image, from the ordinary URL contained in the NFT.

Later, Bax explained the technical details in a Convex Labs post on Medium. According to it, OpenSea lets NFT creators add additional metadata that allows file extensions for HTML pages. If the metadata is stored as a JSON file in a decentralized storage network such as IPFS, or on remote centralized cloud servers, then OpenSea can download the image, as well as the 'invisible image' pixel logger, and place it on its own server. Thus, when a potential buyer views the NFT on OpenSea, he loads an HTML page that fetches an invisible pixel, which reveals the user's IP address and other data such as geolocation, browser version and operating system.

The most surprising thing is that it is not even necessary to use a platform like OpenSea to collect IP addresses. NFTs can do this by themselves if someone uses Metamask, for example.

Metamask also has privacy issues related to centralized storage

Analyst Alex Lupascu, co-founder of the OMNIA Protocol, performed his own research with the Metamask mobile application, with similar results. He discovered a way for a provider to send an NFT to a Metamask wallet and get the user's IP address. He created his own NFT on OpenSea, transferred ownership of the NFT via airdrop to his Metamask wallet, and concluded that he had discovered a 'critical privacy vulnerability.' Lupascu described the potential consequences in a Medium blog post.

'A malicious actor can mint an NFT with the remote image hosted on his server, then airdrop this collectible to a blockchain address (victim) and obtain his IP address', — explained Lupascu.

He also expressed concern that the use of centralized repositories opens the door to malicious actions. For example, if an attacker points a batch of NFTs at one URL and sends them to millions of wallets, this can lead to a large-scale DDoS attack. Lupascu thinks that the leakage of personal data can lead to kidnapping too.

The analyst also suggested that a potential solution might require explicit user confirmation before a remote NFT image is fetched: Metamask or any other wallet would notify the user that a remote NFT image is being retrieved, and warn the user that his IP address may be disclosed.
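The confirmation step suggested above could be enforced in a wallet roughly as follows. This is an added example, not code from Metamask, OpenSea or the original article; the field names `image` and `animation_url` come from the OpenSea metadata standard, while the function names, action labels and sample metadata are hypothetical.

```javascript
// Added example: decide which NFT media URIs a wallet may fetch automatically.
// Field names follow the OpenSea metadata standard; action labels are hypothetical.
const MEDIA_FIELDS = ["image", "animation_url"];
const CONTENT_ADDRESSED = new Set(["ipfs:", "ar:"]);

function classifyUri(uri) {
  if (typeof uri !== "string" || uri.trim() === "") return "absent";
  let parsed;
  try {
    parsed = new URL(uri.trim());
  } catch {
    return "blocked"; // relative or malformed: nothing safe to resolve
  }
  if (parsed.protocol === "data:") return "inline"; // no network request
  if (CONTENT_ADDRESSED.has(parsed.protocol)) return "gateway"; // wallet picks the gateway
  if (parsed.protocol === "https:" || parsed.protocol === "http:") {
    return "remote"; // host chosen by whoever minted the token sees the viewer's IP
  }
  return "blocked"; // javascript:, file: and other schemes
}

// Returns one decision per media field. A remote fetch is planned only for
// hosts the user has explicitly approved; otherwise the wallet must ask first.
function planMediaFetches(metadata, approvedHosts = new Set()) {
  const plan = [];
  for (const field of MEDIA_FIELDS) {
    const kind = classifyUri(metadata[field]);
    if (kind === "absent") continue;
    let action = "skip";
    let host = null;
    if (kind === "inline") action = "render";
    else if (kind === "gateway") action = "fetch-via-gateway";
    else if (kind === "remote") {
      host = new URL(metadata[field].trim()).hostname;
      action = approvedHosts.has(host) ? "fetch" : "ask-user";
    }
    plan.push({ field, kind, host, action });
  }
  return plan;
}

// Constructed sample metadata for an airdropped token.
const airdropped = {
  name: "Constructed sample",
  image: "https://tracker.example/pixel.png",
  animation_url: "ipfs://bafyexamplecid/index.html",
};
console.log(planMediaFetches(airdropped));
```

An HTML `animation_url` still has to be rendered in a sandbox that blocks outbound requests, because the page itself can reference a remote pixel even when it is served from a gateway the wallet chose.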

Dan Finlay, CEO of Metamask, responded to Lupascu on Twitter, saying that 'this issue has been widely known for a long time'. Despite this, they are starting work to fix it and improve user security and privacy, he said.

Even Vitalik Buterin acknowledged off-chain privacy issues within Web3. On a recent UpOnly podcast episode, Buterin said that 'the fight for more privacy is an important one. People are underestimating the risks of no privacy', adding that the 'more crypto-y everything becomes', the more exposed we are.

The red line

The security and confidentiality of user data is basically what decentralization is needed for. Inheriting the problems that exist in centralized systems therefore contradicts the purpose of NFTs.

In fact, it turns out that NFTs store only metadata in a decentralized manner, while the NFT data itself is often stored on centralized servers, which not only opens the door to personal data gathering, but also creates an opportunity for malicious actions.

Centralized storage should stay behind the red line and become taboo for NFTs. NFT data should be stored in a more secure way in a truly decentralized network, where the user has full control over all interactions with the data and its use scenarios.

DeNet offers exactly such a storage layer, where the main principles are decentralization and full control of data in the user's hands.

DeNet developers have already tested the first cases of interacting with NFT data storage. Aiming to increase security and privacy, DeNet will use its own protocol and a browser plugin that verifies and certifies data to access NFT data. The user can therefore be confident that he sends and receives exactly the data that he is requesting.

Decentralized storage also gives the user more control over his or her NFT data. The user will be able to manage access to this data in the same way that access to a file is controlled in any other advanced network file system.

Thus, the use of a decentralized DeNet network for storing NFT data not only removes privacy risks and makes it impossible to gather IP addresses without the user's knowledge, but also eliminates other issues of centralized systems. For example, the DDoS attack mentioned above becomes impossible. If the file is stored in a decentralized network, then mass requests for this file will lead to more nodes starting to distribute it. The attacking servers will face not a centralized server, but a wide network of nodes, so the attack itself loses its meaning.

Moreover, the use of economic incentives also makes it pointless to use decentralized storage to attack centralized servers, because a potential hacker would have to pay for the retrieval of content, while it would be easier and more profitable to connect to the network and provide storage services.