“NFT” was the buzzword in the crypto scene in the last few years. The technology is new, and an incredible number of new and inexperienced people have started to work with it. The huge developer community in crypto and NFT space means a lot of new applications and projects are created every day. On the other hand, it also means a lot of solution is never really checked from a security point of view, and lots of bugs can be found in the community-developed programmes. So, this post is not about the usability of NFTs or my opinion about them. It is to provide some high-level explanation of the security issues that can affect people who use or own NFTs.
Not a long time ago I was involved in a project to help a developer team out with some security bugs. They were (and are) a small team that started to develop an NFT viewer on a young blockchain. Their project was a school assignment and they have never really had any security training. Over time, this NFT viewer was downloaded and used by more than 1,000 people (this was a huge number compared to the size of the chosen blockchain).
They got a report (email) describing a bug in their tool, but they did not understand how it worked, and how an attacker could abuse it. Long story short, I helped them understand, replicate and resolve the bug (as an advisor only).
This post won’t contain the exact bug but a more general introduction of potential issues with NFTs. This is the topic we discussed with the team, and since then it also came up in a different situation, so I decided to collect my thoughts and share them in a blog post.
A nice related comment from Malwarebytes:
‘Even though the blockchain technology itself is secure, the applications that are built on or around it, such as websites or smart contracts, don’t inherit that security, and that can cause problems.’
Blockchain developers usually have the necessary budget and experience to create secure chains. But the independent coders creating community tools to interact with those blockchains are frequently inexperienced.
How NFTs works
If you don’t know what an NFT is, I suggest you look up the Wikipedia article.. Here, I’m going to oversimplify it and talk about image NFTs which are somehow accessible through a blockchain.
The first thing, that lots of people don’t know is that most of the time the NFT is not stored on the blockchain. Frequently, the blockchain stores a link that points to a storage website where the actual image (or any other NFT) is stored. But it is indeed possible to store some smaller files on the blockchain directly, so we can’t exclude that option. Also, when an NFT is created you can add metadata to it, which is going to be stored on the blockchain.
All these entities of an NFT can be abused this or that way.
Some dangers
Changing the image in the background
When you buy the NFT, most of the time, you don’t really buy the asset itself, you will only own a link to it, like a map to the treasure. But the original NFT creator will be the one who owns the treasure itself. In case of an image, you own the link to the image on the blockchain, but the original owner is the one who can remove or change that image on the storage website. Similar rag pulls (scam) and explanations can be found here: Iconics or here neitherconfirm. These links can help you understand the problem.
This means a potential attacker can swap an image to anything else. It can be another image or an absolutely different file. Most of the time NFTs are just images, texts, videos, or audio files, but it is also not impossible to use an executable as an NFT.
The attacker only has to find a vulnerability in an NFT viewer (let it be an online tool or an app) and switch the NFT to an exploit or malicious code. At this point, you are already in danger when you open your own NFTs/wallets with the given NFT viewer. So, something you trust and believe to be innocent can quickly become a malignant asset. And the attacker doesn’t even have to break into any system directly because he owns the NFT, so he can easily change it on the storage website.
Mitigation:
- IPFS: IPFS storage does not allow the change of an uploaded file. The link to a file is tied to its hash. Thus, if an attacker tries to change the NFT the link also going to change, and it won’t match the link in your wallet anymore.
- Block the underlying website: Most of the time the real NFT is not on the blockchain, it is stored in a background website. One can easily block a website like this with classic security tools. Blocking the blockchain itself would be much trickier because it is frequently queriable through various APIs, domains, and IPs.
Storing the malicious code directly on the blockchain
While most of the NFTs are not stored on the blockchain, some related metadata usually can be found on the chain itself. Information like the name, the rarity and a short description can be stored on the chain. Depending on how the metadata is processed by an NFT viewer, it can contain an exploit. This was the case with the NFT viewer I talked about in the first section. JavaScript code execution was possible because of the way the viewer handled the metadata.
Usually, the metadata is encoded (base64 for example) and it is stored on the blockchain this way. An NFT viewer can query the blockchain, gather the data, decode it and then show it to the user. If this metadata contains an executable code (or any exploit) an incorrectly coded viewer can easily become a victim. It is easy to see how an NFT viewer website can be abused to execute a javascript code stored on the blockchain as metadata.
Also, this information is going to remain on the blockchain forever. You can’t just change or remove it. This means until you send that NFT to a different wallet the malicious code will be executed every time you open your wallet with the vulnerable NFT viewer. Even worse, if somebody else checks your NFTs – and anybody can do that – with the same NFT viewer the malicious code will run again. So, patching a vulnerability like this in any tool is really important as getting rid of the malware/exploit itself is not viable.
Whether any metadata is stored on the chain or not depends on the chain itself and on the method the creator decided to use.
Propagation I
When we are talking about malware, one of its key capabilities is the way it propagates. In case of an NFT-based malware, the propagation is pretty straightforward. Anybody can send any NFT into any wallet (at least this is how it works generally).
In the previous section, I explained that a potential attacker who really owns the NFT can switch the underlying asset to a malicious one. But actually, it is not even needed. They don’t have to wait for you to buy something. If they find a vulnerability in an NFT viewer site or tool, they can just send you a random NFT that abuses the given vulnerability. As soon as you open your wallet with the vulnerable tool, they can potentially execute their attack.
For this, or any other methods to work you obviously have to open the NFT with a vulnerable solution. If you don’t use that viewer, you are not in danger then and there. But the attackers frequently have the ability to trick you into using a specific tool. But with this, we are back at the traditional malware infections, so it is not relevant for us.
This is something, that a lot of people can’t really process yet. In the past, when you had a secure storage (on-premise), somebody actually had to hack your network to put a file in it. This changed a little bit with cloud storage options. People can just send you an invitation to their folder, and it is going to appear to you as one of your own (marked as a shared folder). So, something malicious is already there in your storage.
But it is even worse in case of NFTs. You don’t even have the option to prevent something from arriving into your wallet. It is also not trivial to remove it once it is there. And just by opening your own wallet, the malicious code can be executed, while in case of a cloud storage you usually have to download and execute the malicious file.
Propagation II
A subversion of the above-mentioned propagation is when an attacker sends an NFT to a well-known influencer. Lots of people monitors and constantly checks influencers’ wallets. This is to find out early which new NFT is going to be famous and expensive in the future (this is why a lot of influencer uses a newly generated wallet before announcing a cooperation).
Sending a malicious NFT into an influencer wallet can potentially infect a lot of people who opened that wallet of the famous person with a vulnerable tool. And since a lot of people monitor this, this can be a superb way to infect people.
Considering that people frequently use a lot of wallets to hide their activity, even sending the malicious NFT to a different wallet is not always a solution. When you want to monitor the activity of an influencer you are not only need to monitor one wallet but a network of wallets. So, when the malicious NFT is sent to a random address, there is a chance that a lot of people will open that wallet as well in the future, because they will think it is one of the real wallets used by the influencer to cover its activity.
Privacy and legal issues
Once something is on the blockchain, it can’t be removed. You can forward it to a different address, or you can send it to a burning wallet. But even after sending to a differnt wallet or burning it, the token is still visible, it just can’t be moved anymore. You can try to keep your PI private, but once somebody uploads your personal info to the blockchain and –let’s say- sends it to you as an NFT (like info on an image), you won’t be able to get rid of that. You can send it to a different random address, but it will be available there and anybody can track it back to you.
Also, what happens if somebody sends you some illegal material this way? You either keep it and then you own the illegal image, or you send it somewhere, but then you propagate the illegal material. A lose-lose situation to you. So, be careful.
Even if the image or info is not stored on the blockchain, it does not mean you can get rid of it. Since you won’t have access to the site that stores it.
Identity, domain, and other services through NFTs
Not related to the previously mentioned malware propagation technique, but other products with potential security implications are also in development. In fact, some of them already exist on various blockchains.
Products like domain services, PKI infrastructure, or Identity Providing services can inherit a lot of blockchain-specific benefits. On a blockchain, you really own your data, and you don’t have to rely on a third party. Also, a decentralized blockchain can provide high availability for these services. Solutions on a blockchain can also have the attribute of being censorship-resistant.
Overall, a big benefit of a blockchain is that you don’t need an active third party to carry out the above-mentioned tasks. But it can be also a big drawback if an issue appears. If your domain or identity is stored as an NFT and you somehow lose access to your wallet that stores this data, or somebody compromises your wallet, then there is no way to restore it for you. In a decentralized blockchain, nobody will be able to help you restore your wallet. By losing access to the wallet (or losing the NFT), you won’t be able to login into an account or you won’t be able to revoke a compromised PKI certificate anymore.
Some of these problems can be solved by a central authority, but then the central entity will be the bottleneck.
Just something to be aware of.
Conclusion
It is important to see, that in these cases the security issue is not in the blockchain, not directly related to the coin or token. In these situations, the actor abuses the vulnerability of an application or a website by using one of the capabilities of the blockchain to make an attack more effective.
The creators of the blockchains (and coins) are usually familiar with security issues, thus they are not the ones responsible for these vulnerabilities. The reason why the above-mentioned points are and will be relevant are the following:
- A huge number of low-skilled or beginner coders are interested in the blockchain technology, and due to this a lot of amateurs and potentially vulnerable sites and apps are created. A lot of these tools can become famous out of nowhere, and for small developer teams it is hard to quickly adapt to the increased interest in their programme.
- Security issues that are related to the blockchain technology but are not tied to the chain itself are not thoroughly researched and discussed.
- NFTs became available to a lot of people without them understanding the technology and the related risks.
Even though I have not encountered a malware yet using any of the above-mentioned methods, I have already met with various vulnerabilities in NFT-related tools which could have potentially been abused. It is just a question of time when a malware using this initial access method shows up.