Wormable Cross-Site Scripting Vulnerability affecting Rarible’s NFT Marketplace ($5000 USD)

We discussed this vulnerability during Episode 141 on 02 May 2022

The attack hides a cross-site scripting payload in the profile update functionality, specifically the profile image. Judging from the payload it looks like a straightforward case of unescaped input being reflected on profile pages, though they did need to contend with Cloudflare’s WAF. Because this was a profile update feature, anyone viewing your profile would in turn execute the XSS payload, which could then set the payload as their own profile picture, worming its way through the Rarible NFT Marketplace.
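As an added illustration of the bug class described above (not code from Rarible or from the original report), the snippet below contrasts a naive renderer that reflects a stored profile-image URL straight into an `<img>` attribute with a hardened one that validates the URL scheme and HTML-escapes the value; the tainted sample input, the function names and the fallback path are constructed for the example.

```javascript
// Added example, not Rarible's code: rendering a stored, user-supplied profile
// image URL into an <img> tag. The naive renderer reflects the string verbatim;
// the hardened one validates the URL scheme and escapes the attribute value.

// Constructed sample input: a "URL" that tries to close the src attribute and
// smuggle in an attribute of its own (a benign marker stands in for a payload).
const TAINTED_IMAGE_URL = 'https://example.invalid/a.png" data-injected="1';

// Naive renderer: the bug class discussed above (unescaped reflection).
function renderProfileImageNaive(url) {
  return `<img src="${url}" alt="profile">`;
}

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs; javascript:, data: and unparseable input
// are rejected (returns null). The WHATWG parser also percent-encodes quotes
// and spaces in the path, which already defuses the sample above.
function sanitizeImageUrl(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  return parsed.href;
}

// Hardened renderer: validate, then escape for the attribute context anyway
// (the URL parser leaves ' and & alone, so escaping is not redundant). Falls
// back to a server-controlled default image when validation fails.
function renderProfileImageSafe(url, fallback = '/static/default-avatar.png') {
  const clean = sanitizeImageUrl(url) ?? fallback;
  return `<img src="${escapeHtml(clean)}" alt="profile">`;
}

// Count attributes in the rendered tag: a breakout shows up as an extra one.
function countAttributes(html) {
  return (html.match(/\s[a-zA-Z-]+="/g) || []).length;
}
```

Running the naive renderer over the tainted value yields three attributes (the smuggled one included), while the hardened renderer yields the expected two.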

In terms of an actual attack beyond the worming, an interesting point is raised about web3 browser extensions being accessible from any page without needing cookies. So any XSS payload, even one running in an empty context, could still trigger blockchain-related prompts, like asking you to sign a transaction. Granted, having a “sign this transaction” prompt appear on a random page would probably be pretty suspicious, but I thought it was an interesting surface to expose.