Amid all the scams and technical glitches, OpenSea is again in users’ bad books: viewing some NFTs sends the viewer’s IP address to the NFT’s creator. If you think they can’t do this, unfortunately, they can, because OpenSea allows NFT creators to add metadata to the NFT listing, and that metadata even accepts content in HTML.
What can happen if NFTs track your IP?
Basically, the issue is that OpenSea lets NFT sellers add an “animation_url” to the NFT’s metadata. Nick Bax, head of research at Convex Labs, said, “We’ve been researching a lot of problems in the NFT space (with more of a focus on fraud) and one of the things we were playing around with was different XSS attacks on websites that display NFTs which is when I realized we could get OpenSea to load HTML pages.”
His team of engineers is working on multiple NFTs that harvest customer IPs, such as a Simpsons and South Park crossover image NFT. “I just right-click + saved your IP address,” the description for the NFT on OpenSea reads. Moreover, an IP logger is also present in the HTML, which records every IP address along with the total number of visitors who logged in.
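The check below is an added example, not code from OpenSea or Convex Labs: it shows how a page that displays NFTs could inspect `animation_url` before rendering it and decide whether the viewer's browser would contact the seller's server directly. The host names, the `TRUSTED_HOSTS` list and the action names are assumptions made for illustration.

```javascript
// Added example, not OpenSea code. TRUSTED_HOSTS and SAMPLES are constructed.
const TRUSTED_HOSTS = new Set(["media.marketplace.example"]); // hypothetical first-party media proxy
const ACTIVE_EXT = /\.(html?|xhtml|svg)$/i; // file types that can pull in further remote resources
const ACTIVE_MIME = new Set(["text/html", "application/xhtml+xml", "image/svg+xml"]);

// Decide how a viewer page should treat metadata.animation_url.
// Returns { action, reasons }; action is "none" | "allow" | "proxy" | "isolate".
function auditAnimationUrl(metadata, trustedHosts = TRUSTED_HOSTS) {
  const raw = metadata && metadata.animation_url;
  if (typeof raw !== "string" || raw.trim() === "") return { action: "none", reasons: [] };

  let url;
  try {
    url = new URL(raw.trim());
  } catch (err) {
    return { action: "isolate", reasons: ["animation_url is not an absolute URL"] };
  }

  const reasons = [];
  let action = "allow";
  if (url.protocol === "http:" || url.protocol === "https:") {
    if (!trustedHosts.has(url.hostname)) {
      // Any direct load from the seller's host reveals the viewer's IP to it.
      action = "proxy";
      reasons.push(`browser would connect directly to ${url.hostname}`);
    }
    // The extension is only a hint: the server chooses the real Content-Type.
    if (ACTIVE_EXT.test(url.pathname) || url.pathname.endsWith("/")) {
      action = "isolate";
      reasons.push("target looks like an HTML/SVG document that can load more remote content");
    }
  } else if (url.protocol === "data:") {
    const mime = url.pathname.split(/[;,]/)[0].toLowerCase();
    if (ACTIVE_MIME.has(mime)) {
      action = "isolate";
      reasons.push(`inline ${mime} document`);
    }
  } else if (url.protocol !== "ipfs:") {
    action = "isolate";
    reasons.push(`unexpected scheme ${url.protocol}`);
  }
  return { action, reasons };
}

const SAMPLES = [ // constructed metadata records
  { name: "Clip", animation_url: "https://media.marketplace.example/a/1.mp4" },
  { name: "Remote clip", animation_url: "https://seller.example/clip.mp4" },
  { name: "Logger page", animation_url: "https://seller.example/nft/index.html" },
];
for (const m of SAMPLES) console.log(m.name, auditAnimationUrl(m));
```

Here "proxy" means fetching the media server-side so the seller's host only sees the marketplace's address, and "isolate" means not rendering the document in the viewer's browser without sandboxing and a restrictive content policy.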
One might object that websites collect IP addresses all the time; even OpenSea itself harvests users’ IPs. But here, an unknown outside party, an NFT seller, can gather information without us knowing. Of course, they may or may not be attackers. But if they are, they can use our IP addresses for mischief.
Firstly, attackers can work out the viewer’s coarse location. Secondly, they can use this information to dig up more details such as real names or physical addresses. Some attackers can even hack financial details.
So far, though, no one has reported any attack or harm of this sort.