MetaMask, Phantom, and other browser wallets disclosed in a blog post published on Wednesday that they patched a critical security vulnerability. The vulnerability could have exposed sensitive user login credentials on devices that had been compromised.
However, the wallet providers stated that there is no evidence to believe that the vulnerability was ever exploited, and no user funds are known to have been impacted by it.
A Background On The Vulnerability
The bug was discovered following a tip-off to MetaMask and Phantom by blockchain security firm Halborn. Halborn discovered that the Secret Recovery Phrase used by web-based wallets (MetaMask, Phantom) could be extracted from a compromised machine under specific conditions. Halborn stated that the vulnerability did not impact MetaMask mobile users and only impacted a small section of MetaMask extension users, along with the users of other browser extensions and wallets.
So Who Is At Risk?
Both MetaMask and Phantom are not recommending that users take any drastic action. The only action recommended for users was updating their browsers to ensure that their wallets/extensions run their most recent and updated software versions. MetaMask, in its blog post, stated that users should only be concerned if they match the following criteria.
- Your machine’s hard drive was not encrypted.
- If you, as a user, imported your Secret Recovery Phrase into a MetaMask Device extension on another device that is currently not in your possession, or in possession of any individual who you do not trust, or if you think your computer is compromised.
- If you used the “Show Secret Recovery Phrase” checkbox and viewed your Secret Recovery Phrase on-screen during the import process.
MetaMask stated in its blog post,
“If your computer is not physically secure from people you do not trust, we recommend you enable full disk encryption on your system. Additionally, you are not affected by this if your funds are managed by a hardware wallet.”
Phantom’s blog post broadly stated the same things as the MetaMask blog post.
The post also stated that the vulnerability impacts
- All desktop operating systems and browser extensions.
- All versions of MetaMask older than v10.11.3 on all browser versions.
How The Vulnerability Came About
The vulnerability occurred thanks to a quirk in the Javascript programming language, which sometimes resulted in a user’s Secret Recovery Phrase being stored locally for a specific amount of time (for how long varies from device to device). If the phrase was entered on an unsecured or untrusted device, an attacker could potentially swipe it from the machine’s memory if they knew where to look, allowing them to gain control of a person’s funds.
MetaMask issued a patch to fix the bug in March 2022, while Phantom was informed of the bug in September 2021 and issued several patches to fix the issue between January and April.
Previous Issues With MetaMask
MetaMask has faced several issues in the past as well. Back in April, MetaMask warned its users about the potential of a phishing attack through their iCloud accounts. Users were vulnerable to the potential hack if they had the iCloud backup option enabled on the app. Just a month before that warning, the platform had come under fire from Crypto Twitter after a mixup led to the blocking of Venezuelan users from accessing services. This occurred as MetaMask and Infura attempted to comply with sanctions announced by the United States of America.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.