How the Security of Your MetaMask Wallet Can be Compromised (2024)

MetaMask, a Chrome browser extension, is popular with many users, but it is important to be aware of the ways in which malicious parties can compromise the security of this Ethereum wallet, which has more than 1 million users.

MetaMask allows its users to interact with the Ethereum network. This Ethereum client lets users sign smart contracts, view the entire Ethereum blockchain, and buy, sell and store the network’s cryptographic token, ether, as well as ERC20 tokens. It is popular with developers because they can easily connect their Ethereum-based decentralized apps (DApps) to the Ethereum network through the extension.

Vulnerabilities of an Open MetaMask Wallet

While MetaMask is locked by default, you may choose to unlock it for a transaction. Although this is sometimes unavoidable, it exposes your wallet to the risk of compromise.

When your MetaMask is unlocked, the address you are currently using can be read by every other tab you have open in your web browser. While this may not seem to be a cause for concern at first glance, it gives malicious parties information they can use to mislead you and eventually steal your funds.

This is because the Ethereum blockchain is public. Using blockchain explorers such as Etherscan or ETHplorer, anyone can find out the details of the transactions you are making using only your wallet address. The explorers show the time, the amount and the origin or recipient of every outgoing or incoming transaction. Armed with this information, an attacker can mount a number of phishing attacks.

Firstly, the attacker can use the details of your last outgoing transaction to create a fake popup designed to tell you that your transaction did not go through. Because transactions sometimes do fail, this is a plausible event. Moreover, because the attacker has all the relevant details of your last transaction, the popup will show the right data, leading you to believe it is a genuine alert.

The popup will then direct you to redo the transaction; however, the receiving address will have been changed to one owned by the attacker.

Secondly, because the attacker can also see your last incoming transaction, they can use that information against you too. The phisher can create a popup informing you that, in order to receive the funds, you need to indicate acceptance by signing for them.

The "signature" required is likely to be your password. Once the attacker has it, the security of your wallet is severely compromised.

Thirdly, an attacker can create a page that is indistinguishable from the MetaMask failed-transaction alert. This is perhaps the most worrisome method an attacker can employ. The attacker can make the page fully interactive and fill it with the information obtained from looking up your wallet address. As in the first method, the attacker will falsely claim that your transaction failed and thereby persuade you to resend the funds to the attacker’s wallet.

How a Locked MetaMask Wallet Can be Compromised

When your MetaMask wallet is locked, websites cannot view your wallet address. However, they can tell that you are using the wallet and likely hold ether and other compatible cryptocurrencies, because the extension's code exposes this information to any page that looks for it.

When the extension is in use, the tabs in the active window can recognize a MetaMask user. Using this knowledge, an attacker can try to convince the user to unlock their account. For instance, the attacker can create a fake popup describing an event, such as an incoming transaction, that entices you to open your account. Once your MetaMask is unlocked, your active address can be compromised as explained above.
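To make the two states concrete, here is an added example (not code from the article or from MetaMask) that models, with a constructed mock provider, what any open tab can learn through the standard eth_accounts request in the locked and unlocked cases described above, and then applies a defender-side check for the "resend your failed transaction" lure from the previous section: the resend must match the recipient and amount of the transaction you actually sent. The provider behaviour, addresses and values are assumptions and placeholders.

```javascript
// Added example, not MetaMask's code. The mock provider follows the behaviour the
// article describes: injected whenever the extension runs, and answering eth_accounts
// with the active address only while the wallet is unlocked (EIP-1193 request() shape).

function makeMockProvider(state) {
  // state: { installed, unlocked, address }; no extension means no provider object at all
  if (!state.installed) return undefined;
  return {
    isMetaMask: true,
    async request({ method }) {
      if (method === "eth_accounts") return state.unlocked ? [state.address] : [];
      throw new Error(`unsupported method ${method}`);
    },
  };
}

// What a tab can infer: whether a wallet is installed and, when unlocked, the active address.
async function walletExposure(provider) {
  if (!provider) return { walletDetected: false, addressExposed: null };
  let accounts = [];
  try {
    accounts = await provider.request({ method: "eth_accounts" });
  } catch (_) {
    // a provider that refuses the call reveals no address; treat it as locked
  }
  return { walletDetected: Boolean(provider.isMetaMask), addressExposed: accounts[0] || null };
}

// Defender-side check against the fake "transaction failed, please resend" popup:
// a resend is only acceptable if it names exactly the original recipient and amount.
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new Error("not a 20-byte hex address: " + addr);
  }
  return addr.toLowerCase(); // compare case-insensitively; checksum casing varies by wallet
}

function resendMatchesOriginal(originalTx, resendTx) {
  return normalizeAddress(originalTx.to) === normalizeAddress(resendTx.to)
    && BigInt(originalTx.value) === BigInt(resendTx.value);
}

// Constructed sample values (placeholders, not real addresses); value is in wei
const USER_TX = { to: "0x1111111111111111111111111111111111111111", value: "1000000000000000000" };
const LURE_TX = { to: "0x2222222222222222222222222222222222222222", value: "1000000000000000000" };
```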

Moreover, if your MetaMask has been locked for a while and you then unlock it for whatever reason, every tab open in the window learns of this. Because one would normally only unlock the account to process a transaction, an attacker can infer that you are about to send funds.

The attacker can then present you with a fake popup that you will assume comes from the tab in which you initiated the transaction, because the popup is likely to appear just seconds after you unlock your MetaMask.

Lastly, while a locked account is secure, an attacker can try to bypass this protection by creating a popup page that asks for some of your personal login information. The phony page may ask for your password, private keys or seed phrase.

While a password is a good find for the attacker, the situation is far worse if they acquire your seed phrase or your private keys, especially if they are unencrypted. With this information they can take full control of your MetaMask wallet, which gives them access to every address contained in the wallet and, in turn, means loss of funds and control for you.

What Can You Do?

The best way to protect yourself against MetaMask phishing attacks is to disable the extension by default in your browser, so that you enable it only when you need it. Also, remember to close all other tabs and keep only one open for the duration of your transaction.

It is important to mention that MetaMask is working on patches to fix these shortcomings so that users can use the popular Ethereum client without these security concerns.

Article information

Author: Tuan Roob DDS