Security researchers at Palisade publicly disclosed a wormable cross-site scripting (XSS) vulnerability and WAF bypass they had discovered and responsibly disclosed to Rarible several days earlier.
The researchers were able to inject malicious code into the profile photo on Rarible, which only required a person to visit the malicious profile in order to run. This code could have then "infected" other signed-in users' profile photos, increasing the spread of the vulnerability to anyone who then visited their profiles. Once infected, the code would persist across all pages on Rarible, and could change arbitrary data on NFT listings, modify smart contract interactions, leak or modify profile information, or prompt users to sign arbitrary messages.
In an example, the researchers showed how a listing of a Bored Ape (pricey NFTs which currently have a floor price ~100 ETH / $290,000) could be modified for an impacted user to appear as though it was listed for only 1 ETH (~$2,900). A user who attempted to buy the apparently massively-discounted NFT could then be prompted to approve a sale transaction which would actually run a setApprovalForAll call that would allow the attackers to steal crypto and NFTs from the user's wallet.
This bug was the second Rarible vulnerability that was publicly disclosed this week, following a vulnerability with SVG NFTs disclosed by Check Point Research on April 14.
After the security researchers responsibly disclosed the vulnerability, which could have quickly wreaked havoc across Rarible's entire userbase, Rarible patched the issue and awarded them a bug bounty of $5,000. Good luck to Rarible if the next people who find a bug are even slightly more motivated by money than they are by ethics.