Netflix’s ‘Love, Death + Robots’ NFT Vulnerability Alert
Key Takeaways
- The CertiK team has noticed an issue with the Love, Death + Robots NFT minting process: the web API that issues the minting signature is missing an authentication layer.
Love, Death + Robots is a collection of animated short stories that span several genres, including science-fiction, fantasy, horror, and comedy. World-class animation creators bring captivating stories to life in the form of a unique and visceral viewing experience. The animated anthology series includes tales exploring alternate histories, robots’ lives in a post-apocalyptic city, and a plot for world domination by super-intelligent yogurt. Among the show’s executive producers is Oscar-nominated director David Fincher.
Here is the contract address: https://etherscan.io/address/0xfd43d1da000558473822302e1d44d81da2e4cc0d
To mint the NFT, users are supposed to watch the show and scan QR codes that appear in the show to collect a signature they can use to mint an NFT. Here is the link to their official website: https://lovedeathandart.com/. However, the web API used to generate the signature lacks an authentication check.
As a result, users who don’t have a Netflix account can call the API, get the signature, and mint the NFT without watching the show: anyone who can call the API can get a signature to mint the NFT. These are free NFTs, however. We also advise our users to stay away from phishing sites.
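The missing check described above, as an added example (not CertiK's or the project's code): a hypothetical signature-issuing handler without and with an authentication layer. All names, the session-token scheme and the one-voucher-per-account rule are assumptions, and HMAC stands in for whatever signature scheme the real signer uses.

```python
import hashlib
import hmac
import secrets

SIGNER_KEY = secrets.token_bytes(32)   # constructed; stands in for the mint signer's key
SESSION_KEY = secrets.token_bytes(32)  # constructed; key of a hypothetical login service

def sign_mint(wallet: str, token_id: int) -> str:
    """Voucher the mint contract would check; HMAC is a stand-in signature."""
    msg = f"{wallet.lower()}:{token_id}".encode()
    return hmac.new(SIGNER_KEY, msg, hashlib.sha256).hexdigest()

def issue_session(account_id: str) -> str:
    """Token the hypothetical login service gives an authenticated subscriber."""
    tag = hmac.new(SESSION_KEY, account_id.encode(), hashlib.sha256).hexdigest()
    return f"{account_id}.{tag}"

def verify_session(token: str):
    """Return the account id for a valid token, otherwise None."""
    account_id, _, tag = token.rpartition(".")
    expected = hmac.new(SESSION_KEY, account_id.encode(), hashlib.sha256).hexdigest()
    return account_id if account_id and hmac.compare_digest(tag, expected) else None

def handle_unauthenticated(req: dict) -> dict:
    """Behaviour the alert describes: every caller receives a signature."""
    return {"status": 200, "signature": sign_mint(req["wallet"], req["token_id"])}

_issued = set()  # (account_id, token_id) pairs that already received a voucher

def handle_authenticated(req: dict) -> dict:
    """Same handler with an authentication layer in front of the signer."""
    account = verify_session(req.get("session", ""))
    if account is None:
        return {"status": 401, "error": "authentication required"}
    claim = (account, req["token_id"])
    if claim in _issued:  # assumption: one voucher per account per token
        return {"status": 409, "error": "voucher already issued"}
    _issued.add(claim)
    return {"status": 200, "signature": sign_mint(req["wallet"], req["token_id"])}
```
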