This NFT Logs Your IP Address
Author: Nick Bax
Last week, researchers at OMNIA Protocol published what they considered to be a critical privacy vulnerability in MetaMask. By sending an NFT to users of a mobile MetaMask wallet they were able to obtain user IP addresses when MetaMask fetched IP address data from a centralized server. After OMNIA’s disclosure, MetaMask stated that they would fix it soon.
I was surprised to see how many people were surprised by this disclosure. At HonestNFT, we’ve been researching shenanigans in the NFT space for over a year and have observed many NFT-related occurrences, including IP address-tracking NFTs, that we consider “anomalous”. Others have even released suites of fun NFT-based exploits.
“Right Click + Saving” OpenSea Visitor IPs
Here, I describe another effective and easy-to-deploy method to obtain someone’s IP address using NFTs.
This NFT logs your IP address and shares it with me when you view it on OpenSea.io: https://opensea.io/assets/0xffeff7efffee76e8effef86f4eeef74e9ef527ca/0
I don’t consider this to be a vulnerability (if I did, I would’ve responsibly disclosed it). Instead, everything is working as described in OpenSea’s documentation, terms of service, and privacy policy.
Most NFTs just have an ‘image’ associated with them. However, OpenSea allows NFT creators to add additional metadata, including an animation_url field. The animation_url allows for numerous file types, including HTML pages.
An IPFS-hosted JSON file stores the NFT’s metadata, including an image and an animation_url. OpenSea downloads the image and hosts it on their own server.
The animation_url points to an HTML file with a .gif portrait of a 1337 haxx0r right click + saving your IP address and also includes an “invisible image” pixel logger from https://iplogger.org/ as the background.
When you view the NFT on OpenSea.io it loads the HTML page (in an iframe) and your browser fetches the invisible pixel, revealing the viewer’s IP address and user-agent data (e.g. browser version, operating system). I haven’t tested more aggressive fingerprinting yet.
IPlogger.org’s terms and conditions prohibit me from sharing the link to the logs. You’ll have to take my word for it that I can see the IP address as well as user agent data for anybody who visits the OpenSea page.
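The mechanism above (metadata JSON, animation_url pointing at an HTML page, the page pulling a resource from a creator-chosen third-party host when it renders) is exactly what a detection tool of the kind HonestNFT mentions later in this post can check statically before anyone views the NFT. The following is an added example written for this post, not OpenSea’s or HonestNFT’s code: it parses the metadata, fetches the animation_url’s HTML through an injected fetch function (here an offline dict of constructed content), and reports every resource the rendered page would load from a host outside a gateway allow-list, flagging 1x1 images as tracking-pixel shaped. The metadata field names follow the post; the CIDs, the tracker.example host and the IPFS_GATEWAYS list are constructed placeholders.

```python
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed metadata in the shape the post describes (image + animation_url).
# The CIDs are placeholders, not the post's real NFT.
SAMPLE_METADATA = json.dumps({
    "name": "Example NFT",
    "image": "ipfs://bafyexampleimagecid/portrait.gif",
    "animation_url": "ipfs://bafyexampleanimcid/index.html",
})
SAMPLE_METADATA_NO_ANIMATION = json.dumps({
    "name": "Static NFT",
    "image": "ipfs://bafyexampleimagecid/portrait.gif",
})

# Constructed HTML standing in for an animation_url page: one self-hosted GIF plus
# an "invisible pixel" and a CSS background served by a third-party logging host.
SAMPLE_ANIMATION_HTML = """
<html>
  <body style="background-image: url('https://tracker.example/pixel.png')">
    <img src="portrait.gif" width="400">
    <img src="https://tracker.example/p.gif" width="1" height="1">
  </body>
</html>
"""

# Offline stand-in for fetching content; a real tool would resolve ipfs:// via a gateway.
SAMPLE_STORE = {"ipfs://bafyexampleanimcid/index.html": SAMPLE_ANIMATION_HTML}

# Assumed allow-list: gateways the marketplace itself uses. A gateway still sees the
# viewer's IP, but it is not a host chosen by the NFT creator.
IPFS_GATEWAYS = {"ipfs.io", "dweb.link"}

# Attributes that make the browser issue a network request when the page renders.
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "link": ("href",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src",),
    "embed": ("src",), "object": ("data",),
}
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.IGNORECASE)


class ResourceCollector(HTMLParser):
    """Collects every URL the HTML would fetch on render, with the element it came from."""

    def __init__(self):
        super().__init__()
        self.resources = []  # dicts of {"tag", "url", "pixel"}
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for name in RESOURCE_ATTRS.get(tag, ()):
            if attrs.get(name):
                self._add(tag, attrs[name], attrs)
        # Inline style attributes can reference remote images too (background-image etc.).
        for url in CSS_URL_RE.findall(attrs.get("style") or ""):
            self._add(f"{tag}[style]", url, attrs)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL_RE.findall(data):
                self._add("style", url, {})

    def _add(self, tag, url, attrs):
        # A 1x1 image is the classic tracking-pixel shape.
        pixel = attrs.get("width") == "1" and attrs.get("height") == "1"
        self.resources.append({"tag": tag, "url": url.strip(), "pixel": pixel})


def classify_url(url, gateways=IPFS_GATEWAYS):
    """'inline' (data:), 'relative' (same package as the HTML), 'ipfs' / 'ipfs-gateway'
    (content-addressed), or 'external' (a creator-chosen host that sees the viewer's IP)."""
    parsed = urlparse(url)
    if parsed.scheme == "data":
        return "inline"
    if parsed.scheme == "ipfs":
        return "ipfs"
    if not parsed.scheme:
        return "relative"
    if parsed.scheme in ("http", "https") and (parsed.hostname or "") in gateways:
        return "ipfs-gateway"
    return "external"


def scan_metadata(metadata_json, fetch, gateways=IPFS_GATEWAYS):
    """Parse NFT metadata, fetch its animation_url and report every external resource
    the page would load. fetch(url) is injected so the scan can run offline."""
    meta = json.loads(metadata_json)
    url = meta.get("animation_url")
    report = {"animation_url": url, "findings": [], "verdict": "clean"}
    if not url:
        return report
    html = fetch(url)
    if html is None:
        report["verdict"] = "unfetched"
        return report
    collector = ResourceCollector()
    collector.feed(html)
    for res in collector.resources:
        if classify_url(res["url"], gateways) == "external":
            report["findings"].append({**res, "host": urlparse(res["url"]).hostname})
    if report["findings"]:
        pixel = any(f["pixel"] for f in report["findings"])
        report["verdict"] = "tracking-pixel" if pixel else "external-load"
    return report


if __name__ == "__main__":
    print(json.dumps(scan_metadata(SAMPLE_METADATA, SAMPLE_STORE.get), indent=2))
```

The scan only sees what is statically present in the HTML; a page that builds resource URLs in JavaScript at render time would need the same check applied in a sandboxed browser with network requests recorded, which is the dynamic counterpart of this parser.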
Real World Impact
IP address data for NFT users can be very valuable to many entities, including marketers, hackers, scammers, and feds. OpenSea’s terms of service prohibit using this data for marketing or scamming purposes; however, this seems difficult to enforce.
NFTs such as this one make it trivial to obtain target IP addresses. A “spray and pray” method — sending IP logging NFTs to many users and hoping that they view them — could allow an actor to obtain data for many NFT users; however, this would be expensive because, by default, OpenSea only displays NFTs on Ethereum mainnet and transferring these costs ~$50 in transaction fees.
Realistically, the most likely vectors for using this method are:
- Sell a high-quality NFT collection and include a cool-looking animation that most users won’t notice is logging their data.
- Send a user a link to an IP logging NFT and collect their data after they view it on OpenSea.
- Send IP logging NFTs to a specific target and log all views — some IPs will belong to people who are viewing the target’s collection but some will belong to the target. You can correlate on-chain and off-chain user actions with IP logs to obtain additional information.
Once user data has been collected, it is impossible to claw back. Additionally, data collected for legitimate purposes could be stolen or leaked and then used maliciously.
I tested the NFT on OpenSea, Rarible, LooksRare and MetaMask. Only OpenSea loaded the animation_url and logged the IP address.
Mitigation
The risk from IP-logging NFTs can be partially mitigated by using a VPN (unless your threat model includes an adversary with access to netflow data). It can also be mitigated by blocking scripts (but this will prevent the NFT from rendering).
Conclusions
The percentage of NFT collections that are obtaining IP addresses using this method is low (I estimate it’s <1% of actively traded collections). HonestNFT contributors are currently working on tools to automatically detect NFTs that collect user data as part of our bounty program. What I described in this post is just the tip of the iceberg.
The NFT community needs to decide what data sharing and leakage it considers acceptable, inform consumers, and pressure community members to adopt reasonable standards. Getting rid of the centralized dependencies described here would break some existing NFTs but would also help differentiate the NFT space from “web 2.0”.
If you have ideas for obtaining and/or analyzing data (or you just want to discuss the implications) join our Discord and nerd out with us. We’ll even pay you to buidl and open source your ideas!