MetaMask knows there is a serious vulnerability, but after a month it still hasn’t patched it

According to Alexandru Lupascu, MetaMask users who access the application via a mobile device run the risk of having their IP address exposed.


MetaMask mobile application does not guarantee user privacy

A cryptographer has warned MetaMask users that privacy risks could exist.

Alexandru Lupascu, co-founder of the data protection node service OMNIA Protocol, has found a critical vulnerability in ConsenSys’s popular Web3 wallet. This vulnerability allows the hacker to access the user’s IP address, creating a privacy risk. An IP address is a globally unique identifier assigned to a device that connects to the internet. When users store cryptocurrencies in the MetaMask wallet, vulnerabilities in IP addresses are a big problem.

Lupascu was upload A blog post explains that the vulnerability can be exploited by minting a collection of NFTs and airdropping them to a MetaMask-connected Ethereum address used on a mobile phone.

NFTs are digital assets that represent ownership of content such as art, music, and digital memes. They provide a way to tokenize content, but typically don’t store the actual content. Because storing image data on a blockchain like Ethereum can be expensive, NFTs contain Uniform Resource Locators (URLs) pointing to the data. Content for NFTs is typically hosted on a decentralized storage network such as IPFS or on remote centralized cloud servers.

By default, the MetaMask mobile app displays NFTs stored in an address using the URL to image data function command. This data is stored on remote servers. The process is done without the user’s consent to show what NFTs are in their Ethereum wallet.

During this retrieval, all server ports that handle the image data transmission receive the user’s IP information. In general, projects that operate servers for image data ensure the security of the data.

During his investigation, Lupascu identified malicious entities that could find MetaMask users’ IP data and exploit the information to launch targeted attacks. In his blog post, Lupascu explains:

“If a malicious person knows your blockchain address, they can generate an NFT with a URL pointing to their own server and transfer ownership of the NFT to your address. Therefore, when your crypto wallet retrieves the remote image from the server, it invades your privacy.”

Lupascu tested the vulnerability by creating an NFT on OpenSea based on the ERC-1155 standard. He then used a smart contract editor to change the original URL associated with the NFT to point to a new server under his control. Lupascu sent the NFT to an Ethereum address. When he accessed the address via the MetaMask mobile app, his IP address appeared on a server he controlled. Lupascu said it cost about $50 to carry out the attack.

Lupascu reported this issue to the MetaMask team in mid-December 2021, which means Web3 wallets have been aware of it for at least a month. The MetaMask team promises to release a patch by Q2 2022 – a timeframe that Lupascu says is “unacceptable” given the severity of the problem.

MetaMask founder Daniel Finlay admitted in an answer above tweets Lupascu said that “the problem has been known for a long time”.

“Alex is right to complain to us for not solving the problem sooner. Now start patching. Thank you for the criticism and we need it.”

Finlay too offer Wallet can “only load IPFS type mappings by default”. In addition, MetaMask users must explicitly consent to the retrieval of NFT data hosted on third-party servers.

Meanwhile, Lupascu believes that Ethereum users should be careful when receiving NFT airdrops and only access them through OpenSea.

“Until this issue is resolved in the mobile app, use the OpenSea platform with any Web3 compatible wallet to access your collection. A reminder to everyone that off-chain privacy is really important – don’t ignore it.”

Over the past few months, NFT collectors have lost millions of dollars in digital assets to attacks, hacks, and fraud. Many of the affected users have been storing valuable Bored Ape Yacht Club NFTs and other popular collectibles in MetaMask wallets and have been targeted and scammed. Because MetaMask is a hot wallet, it’s relatively easy for thieves to withdraw funds once they have the user’s private key. Because hot wallet private keys can be compromised through phishing and malware attacks, they are considered less secure than cold storage options like hardware wallets, which require access to the physical device to access the funds.

MetaMask is the most popular Web3 wallet for accessing Ethereum and other EVM-compatible blockchain networks. According to the data, as of November 2021, the wallet has more than 21 million monthly active users Notice Press by ConsenSys.

Join CoinCu Telegram to keep track of news:

Follow CoinCu Youtube Channel | Follow CoinCu Facebook page

970x90.gif (970×90)