Market

MetaMask knows there is a serious vulnerability, but after a month it still hasn’t patched it

According to Alexandru Lupascu, MetaMask users who access the application via a mobile device run the risk of having their IP address exposed.

MetaMask mobile application does not guarantee user privacy

A cryptographer has warned MetaMask users that privacy risks could exist.

Alexandru Lupascu, co-founder of the data protection node service OMNIA Protocol, has found a critical vulnerability in ConsenSys’s popular Web3 wallet. This vulnerability allows the hacker to access the user’s IP address, creating a privacy risk. An IP address is a globally unique identifier assigned to a device that connects to the internet. When users store cryptocurrencies in the MetaMask wallet, vulnerabilities in IP addresses are a big problem.

Lupascu was upload A blog post explains that the vulnerability can be exploited by minting a collection of NFTs and airdropping them to a MetaMask-connected Ethereum address used on a mobile phone.

NFTs are digital assets that represent ownership of content such as art, music, and digital memes. They provide a way to tokenize content, but typically don’t store the actual content. Because storing image data on a blockchain like Ethereum can be expensive, NFTs contain Uniform Resource Locators (URLs) pointing to the data. Content for NFTs is typically hosted on a decentralized storage network such as IPFS or on remote centralized cloud servers.

By default, the MetaMask mobile app displays NFTs stored in an address using the URL to image data function command. This data is stored on remote servers. The process is done without the user’s consent to show what NFTs are in their Ethereum wallet.

During this retrieval, all server ports that handle the image data transmission receive the user’s IP information. In general, projects that operate servers for image data ensure the security of the data.

During his investigation, Lupascu identified malicious entities that could find MetaMask users’ IP data and exploit the information to launch targeted attacks. In his blog post, Lupascu explains:

“If a malicious person knows your blockchain address, they can generate an NFT with a URL pointing to their own server and transfer ownership of the NFT to your address. Therefore, when your crypto wallet retrieves the remote image from the server, it invades your privacy.”

Lupascu tested the vulnerability by creating an NFT on OpenSea based on the ERC-1155 standard. He then used a smart contract editor to change the original URL associated with the NFT to point to a new server under his control. Lupascu sent the NFT to an Ethereum address. When he accessed the address via the MetaMask mobile app, his IP address appeared on a server he controlled. Lupascu said it cost about $50 to carry out the attack.

Lupascu reported this issue to the MetaMask team in mid-December 2021, which means Web3 wallets have been aware of it for at least a month. The MetaMask team promises to release a patch by Q2 2022 – a timeframe that Lupascu says is “unacceptable” given the severity of the problem.

MetaMask founder Daniel Finlay admitted in an answer above tweets Lupascu said that “the problem has been known for a long time”.

“Alex is right to complain to us for not solving the problem sooner. Now start patching. Thank you for the criticism and we need it.”

Finlay too offer Wallet can “only load IPFS type mappings by default”. In addition, MetaMask users must explicitly consent to the retrieval of NFT data hosted on third-party servers.

Meanwhile, Lupascu believes that Ethereum users should be careful when receiving NFT airdrops and only access them through OpenSea.

“Until this issue is resolved in the mobile app, use the OpenSea platform with any Web3 compatible wallet to access your collection. A reminder to everyone that off-chain privacy is really important – don’t ignore it.”

Over the past few months, NFT collectors have lost millions of dollars in digital assets to attacks, hacks, and fraud. Many of the affected users have been storing valuable Bored Ape Yacht Club NFTs and other popular collectibles in MetaMask wallets and have been targeted and scammed. Because MetaMask is a hot wallet, it’s relatively easy for thieves to withdraw funds once they have the user’s private key. Because hot wallet private keys can be compromised through phishing and malware attacks, they are considered less secure than cold storage options like hardware wallets, which require access to the physical device to access the funds.

MetaMask is the most popular Web3 wallet for accessing Ethereum and other EVM-compatible blockchain networks. According to the data, as of November 2021, the wallet has more than 21 million monthly active users Notice Press by ConsenSys.

Join CoinCu Telegram to keep track of news: https://t.me/coincunews

Follow CoinCu Youtube Channel | Follow CoinCu Facebook page

Annie

Championing positive change through finance, I've dedicated over eight years to sustainability and environmental journalism. My passion lies in uncovering companies that make a real difference in the world and guiding investors towards them. My expertise lies in navigating the world of sustainable investing, analyzing ESG (Environmental, Social, and Governance) criteria, and exploring the exciting field of impact investing. "Invest in a better future," I often say. That's the driving force behind my work at Coincu – to empower readers with knowledge and insights to make investment decisions that create a positive impact.

Recent Posts

Bonk’s ICO Was Just the Start: Why BTFD Coin’s Stage 7 Price Rollback Is Your Second Shot at Crypto Glory

BTFD Coin is offering a chance to relive the glory days of meme coin investing,…

27 minutes ago

Decoding BDAG’s AMA: A Blueprint for Scalable Blockchain and Enhanced Community Ties

Explore key takeaways from BlockDAG’s AMA, showcasing strides in scalability, growth of the ecosystem, and…

42 minutes ago

Best Cryptos with 1000X Potential: Qubetics Revolutionises Blockchain as Polkadot and Cosmos Shape the Future

Discover why Qubetics, Polkadot, and Cosmos are the best cryptos with 1000X potential, offering innovation,…

4 hours ago

Best Coins to Buy in December 2024: Qubetics Offer 630% ROI, Polkadot Delivers on Interoperability and Near Protocol’s Scalability is Talk of the Town

Explore the best coins to buy in December 2024—Qubetics with its thrilling presale, Polkadot’s interoperability,…

10 hours ago

Crypto Market Outlook 2025 Key Factors to Watch

The Crypto Market Outlook 2025 highlights key areas: stablecoin growth, tokenization, crypto ETFs, DeFi innovation,…

13 hours ago

Bitcoin Quantum Computing Threat Expected to Take Decades

The Bitcoin quantum computing threat is years away, but reserves already support post-quantum signatures via…

13 hours ago

This website uses cookies.