MetaMask: New vulnerability detected; Are your funds at risk?

Lavina Daryanani
Source: HongKiat

Blockchain cybersecurity firm Halborn recently brought to light a security vulnerability in older versions of the MetaMask wallet. The issue was that the secret recovery phrase could be discovered within a device’s storage under certain circumstances. Essentially, users of version 10.11.3 and below were the ones exposed to the vulnerability.

The team was, however, quick to act and implemented mitigations accordingly. Affirming the same on a Twitter thread, MetaMask tweeted,

“A vast majority of users are *not* at high risk of being compromised due to this, and we have since implemented mitigations for these issues, so these should not be problems for users who are on the MetaMask Extension versions 10.11.3 and later.”

Are your MetaMask funds at risk?

Only if all of the following three conditions apply to a user, their funds might be at risk because the secret recovery phrase might be accessible to someone with access to the computer you imported your phrase on. Thus, MetaMask advised the affected users to migrate funds to shield themselves.

The checklist:

  • Your hard drive was unencrypted
  • You imported your Secret Recovery Phrase into a MetaMask extension on a device that is in possession of someone you do not trust, or your computer is compromised
  • You used the “Show Secret Recovery Phrase” checkbox to view your Secret Recovery Phrase on-screen during that import process

Per testings, the said vulnerability has the potential to affect all desktop operating systems and browsers. MetaMask Mobile, however, remains to be unaffected by the same.

Notably, Halborn was awarded a bounty of $50,000 for the discovery.

Of late, there have been a couple of other vulnerabilities that the team had brought to light. On 3 June, for instance, MetaMask disclosed a serious “clickjacking” vulnerability that was discovered by the white hat group. The same was essentially a browser extension-only vulnerability that allowed attackers to deceive users into giving sensitive information or sending crypto-assets without them realizing it.

Phishing scams are not uncommon in the space, and on any given day, prevention is better than cure. Right from enabling full disk encryption, to clearing browser cache data and keeping devices secure, Metamask outlined a series of precautionary measures that could be adopted by users.