Hacker Was Selling The First-Ever NFT For A Cybersecurity Exploit

18/03/2021

A non-fungible token, or NFT, is a way to store data inside a digital ledger called a blockchain.

Through this method, any digital item can be represented as a unique item, making it non-interchangeable. And because the data is stored on a blockchain, NFTs can be tracked by the public, with proof of ownership.

This makes NFTs a method to commodify digital assets.

While buying and selling NFTs is nothing new at this time, it became very popular after Grimes, partner of Elon Musk, managed to sell some of her digital artworks for millions of dollars.

Others followed, including Twitter's CEO and founder Jack Dorsey, who put the first-ever tweet up for sale. Then a hacker tried to sell a cybersecurity exploit using an NFT.

It all started with a tweet, where Matthew Hickey from Hacker House, a cybersecurity assurance services and hacker training company, introduced the “zero-day collection,” an “exclusive HackerFantastic authored [zero-day] exploit as part of our NFT proof-of-concept sale series.”

In what was considered to be the first cybersecurity exploit offered as an NFT, Hickey termed it a “highly collectable hacker artwork.”

The item was for sale in an auction on the OpenSea NFT marketplace, where Hickey advertised the token as a “post-authentication memory corruption vulnerability in ioquake3 engine.”

“The issue can be exploited to cause a denial-of-service condition, code execution has been deemed unlikely. This issue has been tested on OpenArena, but should be present in all 28 games using the idTech3 (ioquake3) engine.”

“A proof-of-concept exploit is redeemed with this NFT, which contains an overview of the vulnerability and can be used to reliably trigger the issue on networked game servers. This is a single-sale item sold exclusively one time, no additional information will be provided publicly or resold by the discoverer of the issue,” the listing said.

OpenSea, which hosted the auction, took the listing down shortly after it was posted.

In response, Hickey called the move “digital censorship of a content creator.”

Image: the OpenSea listing for the first cybersecurity exploit made into an NFT, which has been taken down.

NFTs are digital assets that represent a wide range of unique tangible and intangible items.

Unlike Bitcoin and other cryptocurrencies that are interchangeable, each NFT contains distinguishing information that makes it distinct.

And in this case, the cybersecurity exploit that was on auction quickly raised some concerns.

The sale raised questions about ethics and identity when an exploit is "owned" by someone.

Hickey’s NFT is relatively low stakes. But people wonder whether this could also lead to future legal issues, because exploits bought and sold as NFTs can serve as a valuable commodity for hackers who want to make their work seem legal.

“When I learned about NFT’s and their uses for the transferring of digital assets such as collectibles, I immediately thought of digital markets such as the sale and distribution of exploits,” said Hickey.

“I believe it is something that may be adopted for the sale of not just exploits, but other computer code that digital content creators may wish to share in a collectible or limited edition fashion.”

“I decided to use this vulnerability to test the feasibility of NFTs to sell such exploit code as opposed to traditional sales to vulnerability acquisition programs. Everyone loves a good first-person shooter and this seemed like a good vulnerability to test a proof-of-concept sale system.”