NFTs have been all the rage these days, but did you know the NFT in your wallet could be collecting information about you? This information could include your IP address, operating system, and geography.
All it takes is the creator placing an image URL in the NFT ‘s metadata that points to a machine they control that logs the request. Many web servers like Apache and NGINX can do this by default. The team at HOPR have created a series of Non-Private NFTs that show this vulnerability.
Note: this is in addition to the data a wallet like MetaMask leaks to RPC providers. You can learn more about this by checking out DERP (Dumb Ethereum RPC Provider) from the HOPR team.
You can see them generated live at their Non-Private NFT tool. They have a great post on explaining how it works and why it’s bad: Your NFT Might be Watching You. They also have a Non-Private NFT GitHub repo that shows how the collection could work.
Below, you can see a NFT I generated using the tool. I viewed the NFT three different ways: in my MetaMask wallet on Android, directly in Chrome, and on OpenSea.
In the first two examples, the NFT shows my actual information. However, the OpenSea example is a different since their servers cache and serve the image. In that case, it shows the information of the AWS server OpenSea used to request the image. In each case, you can see the information is different.
You can see these NFT images generated live using HOPR’s Non-Private NFT tool. There’s a great Medium post explaining how it works and why it’s bad: Your NFT Might be Watching You. There’s a corresponding Non-Private NFT GitHub repo that shows how the collection could work.
This is a pretty clear case to demonstrate the need for web3 metadata privacy. Luckily, there are web3 privacy projects in the works to address this. One of which is HOPR, an incentivized mixnet enabling privacy-preserving point-to-point data exchange. It can be compared to Tor but with incentives for noderunners. You can learn more about HOPR at https://hoprnet.org.