How Safe Is the Ethereum in Your MetaMask Wallet?
The MetaMask developers have had a demanding week.
The team behind MetaMask, by far the most popular software wallet for Ethereum and Ethereum-compatible networks, audited the wallet's codebase after news broke that $4.5 million worth of funds had been drained from thousands of software wallets on Solana. The goal was to make sure MetaMask users could not be hit by a similar attack.
Elsewhere, similar fire drills have been run. The Near protocol's Twitter account "strongly suggested" that users change their security settings in response to claims that the Near Wallet might share a vulnerability with the compromised Solana wallets.
Scanning for flaws after an exploit has already landed is one way developers manage security; the better way is to find and fix them before anyone can exploit them. Although MetaMask has said it is restructuring its staff to respond better to security vulnerabilities, it appears to be struggling to keep up.
Unreturned phone calls
In one recent instance, Aurox CEO Giorgi Khazaradze said he tried to alert the MetaMask team to a vulnerability in June but found them unresponsive.
He told Decrypt that his team had been examining MetaMask's open-source code, which is available in its GitHub repository, in order to build its own browser-extension wallet.
Although it has been announced, that wallet has not yet launched. When it does, it will compete directly with MetaMask. In other words, Khazaradze stands to gain from raising questions about what is by far the strongest rival to his new product.
MetaMask's user growth is a large part of why ConsenSys, the company that builds MetaMask (and, full disclosure, an investor in Decrypt), recently closed a $450 million Series D round at a $7 billion valuation. MetaMask had more than 30 million monthly active users as of March, a 42% increase over the 21 million it reported in November 2021.
According to Khazaradze, his team concluded that a concealed decentralized application, or dapp, could be embedded in a webpage using the HTML inline frame element, or iframe.
In theory, an attacker could then build a website that mimics a legitimate application while silently embedding a different one that the MetaMask user never sees. Instead of buying an NFT or swapping some ETH to fund a new project, the user could unknowingly be sending their cryptocurrency to a thief's wallet.
Such an attack would exploit the fact that MetaMask automatically prompts the user to connect whenever it detects a dapp on a webpage. That is normal behavior for MetaMask's browser extension: outside the context of vulnerabilities and attackers, it is a convenience that lets users interact with apps in fewer clicks.
It is comparable to, though not the same as, a clickjacking vulnerability for which MetaMask paid a $120,000 bounty in June. In that attack, MetaMask's own interface is embedded invisibly in a website, and the user is tricked into disclosing personal information or sending funds.
"That vulnerability is distinct. That occurred inside of MetaMask. In essence, you could iframe MetaMask and then clickjack individuals," Khazaradze said. "In contrast, the one we discovered frames apps. The wallet connects to certain apps automatically, which might be used by an attacker to deceive you into doing particular transactions."
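Both attacks described above (the hidden, framed dapp and the framed wallet UI) hinge on where a request or a click really comes from versus what the user sees on screen. The following is an added example written for this article, not code from MetaMask, Aurox, or any other project: a frame-aware policy that a wallet's injected provider could apply before auto-prompting the user. In a real content script the inputs would come from `window.self === window.top`, `window.location.origin` and `getBoundingClientRect()`; here they are plain objects, and the field names, method list and hostnames are assumptions made for the example.

```javascript
'use strict';
// Added example (not MetaMask's or Aurox's code). The framed-dapp attack
// works because the request reaches the wallet from a frame the user
// cannot see, while the page the user *does* see looks legitimate. The
// policy below keys its decision on the requesting frame's own origin and
// visibility rather than on the page in the address bar. Field names
// (isTop, frameOrigin, topOrigin, frame.rect/style/viewport) are
// assumptions standing in for values a content script would read from
// window.self === window.top, window.location.origin and
// getBoundingClientRect().

// Methods that grant access, sign, or move funds: never silently approved.
const SENSITIVE_METHODS = new Set([
  'eth_requestAccounts',
  'wallet_requestPermissions',
  'eth_sendTransaction',
  'eth_signTypedData_v4',
  'personal_sign',
]);

// A frame the user cannot actually see: zero area, hidden by CSS,
// fully transparent, or positioned entirely outside the viewport.
function isConcealedFrame(frame) {
  const { rect, style, viewport } = frame;
  if (rect.width < 1 || rect.height < 1) return true;
  if (style.display === 'none' || style.visibility === 'hidden') return true;
  if (Number(style.opacity) === 0) return true;
  return (
    rect.x + rect.width <= 0 ||
    rect.y + rect.height <= 0 ||
    rect.x >= viewport.width ||
    rect.y >= viewport.height
  );
}

// Decide how the wallet should treat one provider request:
//  - read-only methods pass through from anywhere;
//  - the top-level page gets the normal confirmation prompt;
//  - a visible cross-origin frame gets a prompt that names the frame's
//    origin, not just the page the user is looking at;
//  - a concealed frame, or one whose geometry is unknown, is denied.
function decideRequest(req) {
  if (!SENSITIVE_METHODS.has(req.method)) {
    return { action: 'allow', origin: req.frameOrigin, reason: 'read-only method' };
  }
  if (req.isTop) {
    return { action: 'prompt', origin: req.frameOrigin, reason: 'top-level page' };
  }
  if (!req.frame || isConcealedFrame(req.frame)) {
    return { action: 'deny', origin: req.frameOrigin, reason: 'request from a concealed frame' };
  }
  return {
    action: 'prompt',
    origin: req.frameOrigin,
    reason: `request from a visible frame embedded in ${req.topOrigin}`,
  };
}

// Constructed sample requests; the hostnames are invented for the example.
const VISIBLE = {
  rect: { x: 40, y: 120, width: 400, height: 300 },
  style: { display: 'block', visibility: 'visible', opacity: '1' },
  viewport: { width: 1280, height: 720 },
};
const SAMPLE_REQUESTS = {
  // The page the user is looking at asks to connect: normal prompt.
  topLevel: {
    method: 'eth_requestAccounts', isTop: true,
    frameOrigin: 'https://mint.example', topOrigin: 'https://mint.example',
  },
  // A lookalike page embeds the attacker's dapp in a 0x0 frame; the
  // transaction request the wallet receives comes from that frame.
  hiddenFrame: {
    method: 'eth_sendTransaction', isTop: false,
    frameOrigin: 'https://drainer.example', topOrigin: 'https://mint-lookalike.example',
    frame: { ...VISIBLE, rect: { x: 0, y: 0, width: 0, height: 0 } },
  },
  // A visible, legitimately embedded widget: prompt, but name its origin.
  visibleFrame: {
    method: 'personal_sign', isTop: false,
    frameOrigin: 'https://widget.example', topOrigin: 'https://shop.example',
    frame: VISIBLE,
  },
  // A read-only call from a frame needs no prompt at all.
  readOnly: {
    method: 'eth_chainId', isTop: false,
    frameOrigin: 'https://widget.example', topOrigin: 'https://shop.example',
    frame: VISIBLE,
  },
};

// Run the policy over the samples and return name -> action.
function auditSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = decideRequest(req).action;
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSamples());
}
```

Run it with Node and the hidden-frame request comes back `deny` while the visible widget still gets a prompt that carries its own origin. The clickjacking case is the mirror image: the wallet's own pages are the thing being framed, and the standard defence there is for those pages to refuse to render when `window.self !== window.top` and to be served with a `Content-Security-Policy: frame-ancestors 'none'` header where a server is involved.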
Khazaradze said he first tried to contact MetaMask about the vulnerability on June 27. After using the company's live chat support, he says he was told to open a post on the app's GitHub, which he was not comfortable doing.
When he emailed MetaMask support directly, he says he received this unhelpful reply: "We are experiencing incredibly large levels of queries. Direct emails to support are no longer supported as we work to increase our response times to support requests."
At that point, Khazaradze said, he gave up trying to alert the team and contacted Decrypt instead.
MetaMask responds
According to Herman Junge of the MetaMask security team, the app's support staff would not have intended for an iframe vulnerability to be posted on GitHub.
"We at MetaMask treat iframe reports seriously and handle them appropriately through HackerOne's bug bounty program. We urge security researchers to visit HackerOne if they submit their report through another instance," he wrote in an email. "We don't have any messages encouraging researchers to file an iframe report to GitHub, according to our logs."
Decrypt described the flaw the Aurox team claims to have found in an email exchange with MetaMask's PR team. Junge's reply did not mention the alleged vulnerability or say whether MetaMask would be looking into it.
He did, however, acknowledge that disclosing a security flaw before the development team has a chance to fix it may "put innocent individuals in needless danger." Yet as of now, the wording of MetaMask's support messages makes no mention of HackerOne, where MetaMask first launched its bug bounty program in June.
The use of "spectacle"
For the same reason it is polite not to shout that someone's fly is down, the custom in the security world is to inform a company of a vulnerability discreetly. That discretion gives the company a chance to fix the flaw before anyone else notices it.
Discreet reporting keeps the details out of the hands of would-be exploiters until developers have had a chance to ship a fix. But when the reporting process is unclear, or the recipient appears unresponsive, vulnerabilities tend to be made public before a fix exists, typically in an effort to pressure the team into acting.
Privacy expert and investigative journalist Janine Romer said she has seen several cases of people trying private channels first and then going to Twitter to expose flaws.
"Similar issues arise with Bitcoin wallets, where the only method to draw attention to something is occasionally to simply tweet at people, which is horrible. That is not how things should be handled," she told Decrypt. "Additionally, it must be feasible to report issues without creating a scene in front of everyone. But because no one is responding privately, it sort of encourages individuals to make a public show."
Omnia Protocol co-founder Alex Lupascu tweeted in January that his team had discovered a "major privacy vulnerability" in MetaMask, linking to a blog post describing the attack vector.
Security researcher Harry Denley, who works with MetaMask, replied asking whether the team had been informed or had said it was working on a fix. Lupascu said that it had, but that the vulnerability remained unpatched five months after he first reported it.
MetaMask co-founder Dan Finlay eventually weighed in.
"Well, I think this issue has been generally recognized for a long time, thus I don't think a disclosure period applies," he wrote on Twitter. "Alex is correct to criticize us for delaying our response. I'm about to start working on it. We're sorry we needed the kick in the pants, but thanks anyhow."
Using software wallets securely
The bug bounty program mentioned above was introduced a few months later. And not every MetaMask vulnerability report goes unanswered: in June, the MetaMask Twitter account gave a hat tip to Halborn Security, a Web3 security firm, for disclosing a vulnerability that could have affected MetaMask users.
Halborn COO David Schwed said he was satisfied with the MetaMask team's responsiveness: they acknowledged the issue and shipped a fix. Still, he advised users to be careful about keeping any sizeable amount in a browser wallet.
"I won't necessarily criticize MetaMask. Right now, MetaMask fulfills a specific function. Even if I wouldn't keep hundreds of millions of dollars on MetaMask as an entity, I also doubt that I would keep them in any one wallet," he continued. "To reduce my risk, I would diversify my interests, take sole custody of my assets, and employ various security measures."
The safest and most responsible way to use a software wallet, he said, is to keep the private keys on a hardware security module, or HSM. In the cryptocurrency world these are usually called hardware wallets, and Ledger and Trezor are two of the most popular.
"At the end of the day, that is what stores my private keys and where the transactions are truly signed," Schwed said. "And your wallet [in the browser] is basically simply a way to broadcast to the chain and build the transaction."
Closing the gap
The problem is that not everyone uses a browser-extension wallet that way. There have been efforts to fix this, including better guidance for app developers on building in security and education for users on keeping their funds safe.
That is where the CryptoCurrency Certification Consortium, or C4, comes in. The same organization developed the professional certifications for Bitcoin and Ethereum. Fun fact: before creating Ethereum, Vitalik Buterin helped write the Certified Bitcoin Professional exam.
There is still a significant knowledge gap for new cryptocurrency users, according to C4 executive director Jessica Levesque.
"It's sort of alarming since, according to those who have been familiar with cryptocurrencies for a while, it's very obvious that you shouldn't put a lot of money in MetaMask or any other hot wallet. Move it," she told Decrypt. "But when we initially started, the majority of us were unaware of that."
At the same time, there is a widespread belief that open-source projects are safer because their code can be examined by outside experts.
Indeed, a developer who goes by the Twitter handle fabulous drew a lot of attention on Wednesday, in the wake of the Solana wallet attack, for declaring that it is "irresponsible not to have open source code in crypto."
Noah Buxton, who leads Armanino's blockchain and digital asset practice and sits on C4's CryptoCurrency Security Standard Committee, said that smaller projects' lack of visibility, or bug bounties paid only in native tokens, can deter researchers from investing their time in them.
According to him, what draws developers' attention to open-source code is either notoriety or some form of financial gain. "Why waste time hunting for bugs on a brand-new decentralized exchange when there is minimal liquidity, the governance token is worthless, and the team wants to compensate you for a reward in the governance token? I would rather spend time developing another layer 1 of Ethereum."