1. Home
  2. IP Addresses

IP Addresses

Pavel Durov Reveals Telegram Has Been Disclosing Data to Authorities

Pavel Durov Reveals Telegram Has Been Disclosing Data to AuthoritiesTelegram founder Pavel Durov has clarified the platform’s privacy policies, emphasizing that no significant adjustments have been made regarding how Telegram handles user data. He revealed that since 2018, Telegram has disclosed IP addresses and phone numbers of criminals when legally required. Durov stressed that this is a longstanding policy, ensuring compliance without compromising the […]

Gen Z trader rugs meme coin during livestream, community’s revenge sends token to $80M

Telegram’s Privacy Overhaul: IPs and Phone Numbers of Lawbreakers to Be Shared

Telegram’s Privacy Overhaul: IPs and Phone Numbers of Lawbreakers to Be SharedAfter the arrest and subsequent release of Telegram CEO Pavel Durov in France, his Telegram channel shared that the messaging platform has updated its terms of service and privacy policy. According to these changes, the platform may disclose the IP addresses and phone numbers of users who violate laws or Telegram’s rules “to relevant authorities.” […]

Gen Z trader rugs meme coin during livestream, community’s revenge sends token to $80M

Major Cryptocurrency ATM Manufacturer General Bytes Hacked, Over $1.5M in Bitcoin Stolen

Major Cryptocurrency ATM Manufacturer General Bytes Hacked, Over .5M in Bitcoin StolenGeneral Bytes experienced a security incident on March 17 and 18 that enabled a hacker to remotely access the master service interface and send funds from hot wallets, according to the company and sources. The breach forced a majority of U.S.-based crypto automated teller machine (ATM) operators to temporarily shut down. The hacker was able […]

Gen Z trader rugs meme coin during livestream, community’s revenge sends token to $80M

This proof of concept NFT can swipe unsuspecting users’ IP addresses

Turns out that some NFTs might be building collections of their own. Their target? Your private data.

Both OpenSea and Metamask have logged cases of IP address leaks associated with transferring nonfungible tokens (NFTs), according to researchers at Convex Labs and OMNIA protocol.

Nick Bax, head of research at NFT organization Convex Labs tested out how NFT marketplaces like OpenSea allow vendors or attackers to harvest IP addresses. He created a listing for a Simpsons and South Park crossover image, entitling it “I just right click + saved your IP address” to prove that when the NFT listing is viewed, it loads custom code that logs the viewer's IP address and shares it with the vendor.

In a Twitter thread, Bax admitted that he "does not consider my OpenSea IP logging NFT to be a vulnerability" because that is simply "the way it works." It's important to remember that NFTs are, at their core, a piece of software code or digital data that can be pushed or pulled. It is quite common for the actual image or asset to be stored on a remote server, while only the asset's URL is on-chain. When an NFT is transferred to a blockchain address, the receiving crypto wallet fetches the remote image from the URL associated with the NFT.

Bax further explained the technical details in a Convex Labs Medium post that OpenSea allows NFT creators to add additional metadata that enables file extensions for HTML pages. If the metadata is stored as a json file on a decentralized storage network, such as IPFS or on remote centralized cloud servers, then OpenSea can download the image as well as an “invisible image” pixel logger and host it on its own server. Thus, when a potential buyer views the NFT on OpenSea, it loads the HTML page and fetches the invisible pixel that reveals a user’s IP address and other data like geolocation, browser version and operating system.

Analyst Alex Lupascu, co-founder of the privacy node service OMNIA Protocol, conducted his own research with the Metamask mobile app with similar effects. He discovered a liability that allows a vendor to send an NFT to a Metamask wallet and obtain a user's IP address.  He minted his own NFT on OpenSea and transferred the ownership of the NFT via airdrop to his Metamask wallet, and concluded finding a "critical privacy vulnerability." 

Related: MetaMask’s new inbuilt multichain institutional custody feature

In a Medium post, Lupascu described the potential consequences of how a "malicious actor can mint an NFT with the remote image hosted on his server, then airdrop this collectible to a blockchain address (victim) and obtain his IP address." His concern is that if an attacker gathers a collection of NFTs, points all of them to a single URL and airdrops them to millions of wallets, then it could result in a large scale distributed denial-of-service, or DDoS attack. Having personal data leaked can also lead to kidpnapping, according to Lupascu. 

He also suggested a potential solution could be requiring explicit user consent when it comes to fetching the remote image of the NFT: Metamask or any other wallet would prompt the user that someone on OpenSea or another exchange is fetching the remote image of the NFT, and informing the user that his or her IP address may be exposed.

Dan Finlay, CEO of Metamask, responded to Lupascu on Twitter stating that even though "the issue has been known for a long time," they are now starting work to fix it and improve user safety and privacy.

That same day, even Vitalik Buterin recognized the challenges of off-chain privacy within Web3. On a recent UpOnly podcast episode, Buterin said that "the fight for more privacy is an important one. People are underestimating the risks of no privacy," adding that the "more crypto-y everything becomes," the more exposed we are.

Gen Z trader rugs meme coin during livestream, community’s revenge sends token to $80M