MetaMask Knows It Has a Critical Privacy Vulnerability, But Hasn’t Fixed It

Alexandru Lupascu says that MetaMask users who access the app on mobile devices are at risk of exposing their IP address.

MetaMask Mobile App Can Expose Users’ Privacy

MetaMask users may be putting their privacy at risk, a cryptographer has warned.

Alexandru Lupascu, who co-founded the privacy node service OMNIA Protocol, says that he has found a critical vulnerability in the ConsenSys’ popular Web3 wallet that gives hackers a way to access users’ IP addresses, thus creating a privacy risk. An IP address is a unique global identifier assigned to a device connected to the web. As users can store their crypto assets on MetaMask wallets, an IP address vulnerability is a major concern.

Lupascu published a blog post explaining how the vulnerability can be exploited by minting and airdropping an NFT collectible to a MetaMask-connected Ethereum address used on a mobile phone.

NFTs are digital assets that denote the ownership of content such as digital art, music, and memes. They offer a way to tokenize content but typically do not store the actual content. Since storing image data on a blockchain like Ethereum can be expensive, NFTs contain Uniform Resource Locators that point to the data. The content for NFTs is often stored either on a decentralized storage network like IPFS or on remote centralized cloud servers.

By default, the MetaMask mobile app displays NFTs stored in an address using a URL function call to the image data. This data is hosted on remote servers. The process is done without asking for the user’s consent in order to display what NFTs are contained in their Ethereum wallet.

During this fetching process, all server gateways handling the transmission of image data receive the user’s IP information. Generally, the projects operating the servers for the image data keeps the data secure.

In his investigation, Lupascu determined that malicious entities can find MetaMask users’ IP data and exploit the information to execute targeted attacks. In his blog post, Lupascu explained:

“If a malicious actor only knows your blockchain address, he can mint an NFT with a URL pointing to his server and transfer the NFT’s ownership to your address. Thus, when your crypto wallet fetches the remote image from the server, it will compromise your privacy.”

Lupascu tested the vulnerability by minting an NFT on OpenSea based on the ERC-1155 standard. He then used a smart contract editor to change the original URL linked with the NFT to point to a new server under his control. Then, Lupascu sent the NFT to an Ethereum address. When he accessed the address through the MetaMask mobile app, his IP address appeared in the server he controlled. He said it cost about $50 to execute the attack.

Lupascu told Crypto Briefing that he notified the MetaMask team about the issue in mid-December 2021, meaning the Web3 wallet has been aware of the issue for at least a month. The MetaMask team promised to release a patch by the second quarter of 2022–a timeframe Lupascu considers “unacceptable” given the severity of the matter.

“Alex is right to call us out for not addressing it sooner. Starting work on it now. Thanks for the kick in the pants, and sorry we needed it.”

Finlay has also proposed that the wallet could “only load IPFS-type links by default.” Furthermore, MetaMask users will have to give explicit consent to fetch NFT data stored on third-party servers.

Meanwhile, Lupascu says that he thinks Ethereum users should be vigilant if they receive airdropped NFTs, and that it’s advisable to only access them through OpenSea. “Until this issue gets fixed on the mobile application, use the OpenSea platform with any Web3 compatible wallet to explore your collectibles. A kind reminder to everyone that off-chain privacy is really important—do not neglect it,” he said.

In recent months, NFT collectors have lost millions of dollars worth of digital assets through attacks, hacks, and scams. Many of the affected users stored valuable NFTs from Bored Ape Yacht Club and other sought-after collections on MetaMask wallets and suffered from phishing attacks. As MetaMask is a hot wallet, thieves can drain funds with relative ease once they have a user’s private key. As the private keys for a hot wallet can be compromised through phishing and malware attacks, they are widely considered less secure than cold storage options such as hardware wallets, which require access to a physical device to access the funds.

MetaMask is the most popular Web3 wallet for accessing Ethereum and other EVM-compatible blockchain networks. It had more than 21 million monthly active users as of November 2021, according to a ConsenSys press release.

Disclosure: At the time of writing, the author of this piece owned ETH and other cryptocurrencies.