So if you've ever watched an airline investigation documentary you know that airplane crashes rarely have a single fault. In most cases there are multiple faults/problems that line up, and then something that isn't supposed to happen does, like a fuel pipe rupturing due to bad maintenance and the captain pumping more gas into the tanks that are actively losing fuel, so the plane runs out of fuel (https://en.wikipedia.org/wiki/Air_Transat_Flight_236), or even more simply because math is hard (https://en.wikipedia.org/wiki/Gimli_Glider).
Looking at the opensea.io NFT phishing hack from the weekend, we have:
17 people confirmed exploited, who lost NFTs worth over a million dollars.
1) The attacker sent out a phishing email. The good news is opensea.io has SPF/DKIM/DMARC properly set up, so the attacker used a similar-looking domain name (I'm assuming; I haven't confirmed this yet). One possible thing opensea.io could have done here was also use BIMI (https://bimigroup.org/), which I have set up for cloudsecurityalliance.org (it costs $1,000-2,000, plus you have to have your DMARC in a mature quarantine, 100%, etc. policy). I would say this is less of a vulnerability and more of a risk/hardening step that high-value email domains should take. E.g. a lack of any SPF/DKIM would be a vulnerability in my opinion because it makes email spoofing far too easy.
2) The attacker set up a fake website that people fell for. Not sure what can be done here. I feel like wallet software should maybe be smarter, so e.g. in the email -> web browser -> wallet flow the wallet checks the URL when being presented a transaction to sign and makes sure it matches what it should be (e.g. opensea.io and not opensea-attacker-legit-yo.com). Again this is more of a hardening step, but in line with what other software like password managers already does.
3) The attacker leveraged a 4-year-old abandoned contract written by opensea.io. Had opensea.io terminated this contract the vulnerability wouldn't have been exploitable. This is definitely 3a) a vulnerability in the old contract and 3b) a vulnerability in having 4-year-old abandoned software floating around.
4) The user wallets don't show what is going on clearly enough, e.g. "YOU'RE SIGNING A 4 YEAR OLD CONTRACT THAT HAS BEEN REPLACED!" and/or "YOU'RE SIGNING A CONTRACT THAT HAS A DANGEROUS CLAUSE". One thought here is that opensea.io can publish a list of contracts that are current and valid, and anything else (older) is suspect and shouldn't be interacted with unless extreme caution is taken.
So I'm thinking basically:
GSD-1 for the incident (parent)
GSD-2 4-year-old abandoned contract for the vulnerability (child of GSD-1)
GSD-3 wallet software UI is unsafe and doesn't make it clear what is going on, maybe CWE-451 or CWE-357? This one is squishy and not super actionable, but maybe is a good warning? (child of GSD-1)
GSD-4 lack of BIMI hardening; rationale: high-value email domains should probably do BIMI now (child of GSD-1)
I don't think the fake website warrants a GSD. Or if it does, it's more of a wallet issue.
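As an added example of the two wallet-side hardening ideas in points 2 and 4 above (not code from the post author, from opensea.io, or from any wallet), here is a small JavaScript pre-signing check a wallet could run. It compares the requesting page's origin against an exact allowlist of hostnames for the site, and compares the contract address in the transaction against a published list of that site's current and superseded contracts. The registry contents (hostnames, contract addresses, the "replaced 2018" note) are constructed for illustration; a real wallet would fetch a signed list published by the site.

```javascript
// Added example, not OpenSea's or any wallet's code. Demonstrates two
// wallet-side checks before a signature prompt is shown:
//  (2) the requesting origin must exactly match an allowlisted hostname
//      (substring matching would accept "opensea-attacker-legit-yo.com"), and
//  (4) the contract being signed must be on the site's published list of
//      *current* contracts; superseded ones get a loud warning.
// Every hostname, address and note in SITE_REGISTRY is constructed.

const SITE_REGISTRY = {
  'opensea.io': {
    hosts: ['opensea.io', 'www.opensea.io'],
    currentContracts: ['0x1111111111111111111111111111111111111111'],
    supersededContracts: {
      '0x2222222222222222222222222222222222222222': 'replaced in 2018, no longer in use',
    },
  },
};

// Normalise an Ethereum-style address for comparison; null if malformed.
function normAddr(a) {
  if (typeof a !== 'string' || !/^0x[0-9a-fA-F]{40}$/.test(a)) return null;
  return a.toLowerCase();
}

// Hostname of the origin that asked for the signature. The WHATWG URL parser
// handles userinfo tricks ("https://opensea.io@evil.example/" -> evil.example)
// and returns IDN hosts in punycode form. Only https origins are accepted.
function originHost(origin) {
  try {
    const u = new URL(origin);
    if (u.protocol !== 'https:') return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Registry key whose allowlisted hosts exactly match `host`, else null.
function matchSite(host) {
  for (const [site, entry] of Object.entries(SITE_REGISTRY)) {
    if (entry.hosts.includes(host)) return site;
  }
  return null;
}

// Heuristic: a non-allowlisted host that contains a registered site's label
// or uses punycode (possible homograph) is treated as a likely lookalike.
function looksLikeImpersonation(host) {
  if (!host) return false;
  if (host.split('.').some((label) => label.startsWith('xn--'))) return true;
  return Object.keys(SITE_REGISTRY).some((site) => host.includes(site.split('.')[0]));
}

// Main check. Returns { allow, warnings }; any warning blocks silent signing.
function checkSigningRequest(origin, contractAddr) {
  const warnings = [];
  const host = originHost(origin);
  const addr = normAddr(contractAddr);
  if (!host) warnings.push('request did not come from an https origin');
  if (!addr) warnings.push('contract address is malformed');

  const site = host ? matchSite(host) : null;
  if (host && !site && looksLikeImpersonation(host)) {
    warnings.push(`origin "${host}" resembles a known site but is not on its allowlist`);
  }

  if (addr) {
    // Which registered site, if any, publishes this address, and in what state?
    let owner = null;
    let state = null;
    for (const [s, e] of Object.entries(SITE_REGISTRY)) {
      if (e.currentContracts.includes(addr)) { owner = s; state = 'current'; }
      else if (addr in e.supersededContracts) { owner = s; state = 'superseded'; }
    }
    if (state === 'superseded') {
      warnings.push(`contract ${addr} is a superseded ${owner} contract: ${SITE_REGISTRY[owner].supersededContracts[addr]}`);
    }
    if (owner && owner !== site) {
      warnings.push(`a ${owner} contract is being used from origin "${host}", not from ${owner}`);
    }
    if (site && !owner) {
      warnings.push(`contract ${addr} is not on the published list for ${site}`);
    }
  }
  return { allow: warnings.length === 0, warnings };
}

// Usage: the phishing flow from the post, a lookalike host pushing the old contract.
console.log(checkSigningRequest('https://opensea-attacker-legit-yo.com/claim',
  '0x2222222222222222222222222222222222222222'));
```

The decisive design choice is that `matchSite` is an exact hostname comparison and the lookalike heuristic only ever adds warnings; nothing containing "opensea" is ever accepted on that basis. The contract check also fires when a legitimate origin presents a superseded address, which is the "YOU'RE SIGNING A CONTRACT THAT HAS BEEN REPLACED" case from point 4.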