Critical privacy vulnerability — getting exposed by MetaMask


The basics

Fig. 1 — NFT Basics

What if?

Fig. 2 — Leaking of IP address
Fig. 3 — Minting an NFT item on
Fig. 4 — OpenSea NFT details
Fig. 5— Creating an ERC-1155 contract
Fig. 6— Setting the smart contract address
Fig. 7— Fetching the NFT's remote image URL
Fig. 8— Smart contract interaction history
Fig. 9— Set URI function signature
Fig. 10 — Adding setURI function
Fig. 11 — Generating public url for local server
Fig. 12 — Updating NFT's remote image URL
Fig. 13 — Collectible detected in MetaMask Mobile app
Fig. 14 — Leaked IP address


Why is this important ?

Potential mitigation solutions


Responsible disclosure and motivation

Later edit




Co-founder @

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

The Oasis ROSE Garden

VoxoDeus 2021 Roadmap

Deposit and Withdraw Binance (BNB) on Wollito.

{UPDATE} Stunt Car Challenge 3 Hack Free Resources Generator

The Wonderful World of Digital Signatures: ECDSA, EdDSA, BLS, CL, Merkle, and so much more

Cryptography 101: RSA Algorithm

Hello Digital World! Do You Remember Me?

Can you prove that you know the answer to a question, without revealing the answer?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alex Lupascu

Alex Lupascu

Co-founder @

More from Medium

Access to blockchain infrastructure — market opportunities and challenges

Security Incidents in December

Finance: Definer As A Financial Platform