MetaMask Knows It Has a Critical Privacy Vulnerability, But Hasn’t Fixed It

Key Takeaways

  • Cryptographer Alexandru Lupascu discovered a critical vulnerability in MetaMask, the most popular Web3 wallet.
  • Lupascu found that malicious entities can obtain MetaMask mobile users’ IP addresses by airdropping them NFTs.
  • MetaMask founder Daniel Finlay admitted in a Twitter post that the “issue has been widely known for a long time.” The team has yet to fix the problem.

Alexandru Lupascu says that MetaMask users who access the app on mobile devices are at risk of exposing their IP address.

MetaMask Mobile App Can Expose Users’ Privacy

MetaMask users may be putting their privacy at risk, a cryptographer has warned.

Alexandru Lupascu, who co-founded the privacy node service OMNIA Protocol, says that he has found a critical vulnerability in ConsenSys’ popular Web3 wallet that gives hackers a way to learn users’ IP addresses, creating a privacy risk. An IP address is a unique global identifier assigned to a device connected to the internet. As users store their crypto assets in MetaMask wallets, a vulnerability that exposes IP addresses is a major concern.

Lupascu published a blog post explaining how the vulnerability can be exploited by minting and airdropping an NFT collectible to a MetaMask-connected Ethereum address used on a mobile phone.

NFTs are digital assets that denote the ownership of content such as digital art, music, and memes. They offer a way to tokenize content but typically do not store the actual content. Since storing image data on a blockchain like Ethereum can be expensive, NFTs contain Uniform Resource Locators that point to the data. The content for NFTs is often stored either on a decentralized storage network like IPFS or on remote centralized cloud servers.

By default, the MetaMask mobile app displays the NFTs held by an address by fetching the image data from the URL each token points to. That data is hosted on remote servers. The fetch is performed without asking for the user’s consent, so that the wallet can show which NFTs the Ethereum address contains.

During this fetching process, every server or gateway that handles the transmission of the image data receives the user’s IP address. Generally, the projects operating the servers that host the image data keep that data secure.

In his investigation, Lupascu determined that malicious entities can find MetaMask users’ IP data and exploit the information to execute targeted attacks. In his blog post, Lupascu explained:

“If a malicious actor only knows your blockchain address, he can mint an NFT with a URL pointing to his server and transfer the NFT’s ownership to your address. Thus, when your crypto wallet fetches the remote image from the server, it will compromise your privacy.”

Lupascu tested the vulnerability by minting an NFT on OpenSea based on the ERC-1155 standard. He then used a smart contract editor to change the original URL linked with the NFT to point to a new server under his control. Then, Lupascu sent the NFT to an Ethereum address. When he accessed the address through the MetaMask mobile app, his IP address appeared in the server he controlled. He said it cost about $50 to execute the attack.

Lupascu told Crypto Briefing that he notified the MetaMask team about the issue in mid-December 2021, meaning the Web3 wallet has been aware of the issue for at least a month. The MetaMask team promised to release a patch by the second quarter of 2022, a timeframe Lupascu considers “unacceptable” given the severity of the matter.

Addressing the vulnerability, MetaMask founder Daniel Finlay admitted in a tweet response to Lupascu that the “issue has been widely known for a long time.” He added:

“Alex is right to call us out for not addressing it sooner. Starting work on it now. Thanks for the kick in the pants, and sorry we needed it.”

Finlay has also proposed that the wallet could “only load IPFS-type links by default.” Under that proposal, MetaMask users would have to give explicit consent before the wallet fetches NFT data stored on third-party servers.
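The fetch behaviour described above and Finlay’s proposed default can be expressed as a URL policy in wallet code. The following is an added example, not MetaMask’s own code: it classifies a token’s image URI as content-addressed (loadable through the wallet’s own gateway without consent), third-party (requires explicit consent, since the request reveals the client IP to that host), or rejected. The gateway host and the `askUser` consent callback are assumptions.

```javascript
// Added example, not MetaMask's own code: a consent-gated policy for resolving
// NFT image URIs, modelled on Finlay's proposal to load only IPFS-type links by
// default and to require explicit consent for third-party servers.
// Assumption: the wallet owns one trusted gateway (placeholder host below) and
// every default network request goes only there, never to a minter-chosen host.
const TRUSTED_GATEWAY = "https://ipfs-gateway.wallet.invalid/ipfs/"; // placeholder

// Simplified CID checks: CIDv0 (base58btc, "Qm" + 44 chars) and base32 CIDv1 ("b...").
const CID_V0 = /^Qm[1-9A-HJ-NP-Za-km-z]{44}$/;
const CID_V1 = /^b[a-z2-7]{50,}$/;
const isCid = (s) => CID_V0.test(s) || CID_V1.test(s);

// Decide what the wallet may do with a token's image URI.
//   "allow"   -> fetch from TRUSTED_GATEWAY (or inline data); no consent needed
//   "consent" -> fetch only after the user explicitly approves the host
//   "deny"    -> never fetch
function classifyNftUri(uri) {
  if (typeof uri !== "string" || uri === "") return { policy: "deny", url: null, reason: "empty URI" };
  if (uri.startsWith("data:")) return { policy: "allow", url: uri, reason: "inline data, no network request" };
  if (uri.startsWith("ipfs://")) {
    let rest = uri.slice("ipfs://".length);
    if (rest.startsWith("ipfs/")) rest = rest.slice("ipfs/".length); // tolerate ipfs://ipfs/<cid>
    const [cid, ...path] = rest.split("/");
    if (!isCid(cid)) return { policy: "deny", url: null, reason: "malformed CID" };
    return { policy: "allow", url: TRUSTED_GATEWAY + [cid, ...path].join("/"), reason: "content-addressed, fetched via the wallet's own gateway" };
  }
  let parsed;
  try { parsed = new URL(uri); } catch (e) { return { policy: "deny", url: null, reason: "unparseable URL" }; }
  if (parsed.protocol !== "https:") return { policy: "deny", url: null, reason: "non-HTTPS scheme " + parsed.protocol };
  // https://<any-host>/ipfs/<cid>/...: the content is addressable, but the host was
  // chosen by whoever minted the token, so rewrite to the trusted gateway instead.
  const m = parsed.pathname.match(/^\/ipfs\/([^/]+)(\/.*)?$/);
  if (m && isCid(m[1])) return { policy: "allow", url: TRUSTED_GATEWAY + m[1] + (m[2] || ""), reason: "public-gateway URL rewritten to the wallet's own gateway" };
  // Anything else is an arbitrary third-party server: the request would hand the
  // client IP to whoever controls parsed.host, which is the leak Lupascu described.
  return { policy: "consent", url: uri, reason: "third-party host " + parsed.host + " would learn the client IP" };
}

// Resolve an image URL under the policy. askUser(host) stands in for the wallet's
// consent prompt (assumed callback); returns the URL to fetch, or null if not permitted.
function resolveNftImage(uri, askUser) {
  const d = classifyNftUri(uri);
  if (d.policy === "allow") return d.url;
  if (d.policy === "consent" && askUser(new URL(d.url).host) === true) return d.url;
  return null;
}
```

Note that a public-gateway URL such as `https://<gateway>/ipfs/<cid>` is rewritten rather than fetched as given, because the gateway host itself would otherwise learn the client IP.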

Meanwhile, Lupascu says that he thinks Ethereum users should be vigilant if they receive airdropped NFTs, and that it’s advisable to only access them through OpenSea. “Until this issue gets fixed on the mobile application, use the OpenSea platform with any Web3 compatible wallet to explore your collectibles. A kind reminder to everyone that off-chain privacy is really important—do not neglect it,” he said.

In recent months, NFT collectors have lost millions of dollars’ worth of digital assets through attacks, hacks, and scams. Many of the affected users stored valuable NFTs from Bored Ape Yacht Club and other sought-after collections in MetaMask wallets and fell victim to phishing attacks. As MetaMask is a hot wallet, thieves can drain funds with relative ease once they have a user’s private key. Because the private keys of a hot wallet can be compromised through phishing and malware attacks, hot wallets are widely considered less secure than cold storage options such as hardware wallets, which require physical possession of the device to move the funds.

MetaMask is the most popular Web3 wallet for accessing Ethereum and other EVM-compatible blockchain networks. It had more than 21 million monthly active users as of November 2021, according to a ConsenSys press release.

Disclosure: At the time of writing, the author of this piece owned ETH and other cryptocurrencies.
