Critical privacy vulnerability — getting exposed by MetaMask


The basics

Fig. 1 — NFT Basics

What if?

Fig. 2 — Leaking of IP address
Fig. 3 — Minting an NFT item on
Fig. 4 — OpenSea NFT details
Fig. 5 — Creating an ERC-1155 contract
Fig. 6 — Setting the smart contract address
Fig. 7 — Fetching the NFT's remote image URL
Fig. 8 — Smart contract interaction history
Fig. 9 — Set URI function signature
Fig. 10 — Adding setURI function
Fig. 11 — Generating public URL for local server
Fig. 12 — Updating NFT's remote image URL
Fig. 13 — Collectible detected in MetaMask Mobile app
Fig. 14 — Leaked IP address


Why is this important?

Potential mitigation solutions


Responsible disclosure and motivation

Later edit




Co-founder @

Alex Lupascu