Security Guide: How to defend against MetaMask browser wallet vulnerability?

2022-06-17 15:10
How to Protect yourself from the MetaMask Browser Wallet Security Vulnerability
The Way of DeFi


Note: ConsenSys developer Dan Finlay has revealed a security flaw in the MetaMask browser extension wallet that could leave a small number of users at risk of having their wallet funds stolen, and he offers some security advice.


 

Halborn's researchers found that, in rare cases, unencrypted user keys could be found on disk. The problem has been fixed in version 10.11.3 and later of the MetaMask browser extension wallet.


Background


Halborn's security researchers have revealed an instance where, under certain circumstances, mnemonic phrases used in web wallets such as MetaMask could be extracted from the disk of a compromised computer.


The following does not affect MetaMask mobile wallet users, only a small percentage of MetaMask browser extension users and users of other browser/extension wallets. We have implemented mitigations for these issues, so they should not affect users of MetaMask browser extension wallet version 10.11.3 and higher. Note that your wallet may be at risk if all three of the following conditions apply to you; if so, read on to learn the next steps:


1. Your hard drive is not encrypted;

2. You imported a mnemonic phrase into the MetaMask browser extension wallet on a device owned by someone you don't trust, or your computer has since been compromised;

3. During the import process, you used the "Show Secret Recovery Phrase" checkbox to view your mnemonic words on screen (as shown below).



Impact


This affects:


1. All desktop operating systems and browsers we tested;

2. Specifically, we tested on Windows, macOS and Linux using the Google Chrome, Chromium and Firefox browsers;

3. All versions of the MetaMask extension wallet before v10.11.3, on all browser versions.

 

But the bug does not affect the MetaMask mobile wallet.


The mnemonic phrase will eventually be cleared, but we can't currently guarantee when.


The vulnerability is most likely to affect users whose devices were hacked or stolen shortly after they imported the mnemonic into MetaMask.


If you meet all of the above criteria, your mnemonic phrase may be available to anyone who has access to your computer, so you may want to consider moving funds out of these accounts to be safe. We have prepared a guide for migrating account funds; use any third-party migration tool at your own risk.


Note that this vulnerability can be exploited by anyone with physical access to your computer, or by malware. If your device is infected with malware, some attacks cannot be defended against at all (such as keyloggers, direct memory access, and taking control of the program).


If you think you're vulnerable to the attack


If your computer could be accessed by someone you do not trust, we recommend enabling full disk encryption on your system. In addition, if your funds are managed by a hardware wallet, you are not affected by this bug.


Affected users should consider transferring funds from their old wallet account to a new wallet account address.


The rest of this document provides additional details and advice on how best to keep your wallet safe. We will reveal more details about the nature of the problem later so that other software developers can avoid it in their own software, but for now we are alerting users first to minimise the risk of theft.


How safe am I?


As mentioned above, if your computer is compromised (whether it's a physical threat or malware), you can't be sure of the security of any program running on that computer.


This is a problem that the team behind the popular password manager 1Password has acknowledged and discussed. Jeffrey Goldberg, chief security architect at 1Password, explained the difficulty of solving it:

 

"This is a well-known problem that has been publicly discussed many times before, but any plausible solution is likely to be worse than the problem itself."

 

If you use a password manager, you're probably a little more secure than someone who doesn't, but even if you do, you're not immune to vulnerability issues.


Conclusion


Ultimately, we learned that the security of our password-based encryption can be undermined in part by browser behaviour. Because browsers consider physical-access attacks to be outside their threat model, and our current wallets are built on top of browsers, reducing this attack surface has turned out to be labour-intensive and may not eliminate it completely. In the end, only full disk encryption is likely to provide strong protection against physical access to your computer.


In general, computers, browsers and the like store text input temporarily or permanently to some extent. However, because securing your mnemonic phrase is so important, we want users to be aware of this particular scenario so that they can act accordingly.


Fortunately, passwords still seem to provide a degree of security. We found that mnemonic phrases can only be extracted under very specific circumstances, we were able to introduce new safeguards during the disclosure waiting period agreed with Halborn, and we plan to implement additional safeguards to further reduce this risk. This means it is still a good habit to lock your wallet when you are not using it (or when handing your computer to someone else).


Some important things:


1. Please take the time to enable full disk encryption on your computer. This is the only way to ensure that someone with physical access cannot extract all of its contents. We also recommend using a hardware wallet as an additional security measure.


2. Clear your browser's cached data (our research suggests this may help some users in some cases).


3. Remember that keeping your computer safe is your responsibility, and no wallet or piece of software can keep itself safe if the system running it is compromised. Take the time to learn how to keep your computer safe from malware.
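As an added example for recommendation 1 on Linux (not code from the original article or from MetaMask), the following Python script parses the JSON emitted by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports whether the file systems that hold the browser profile sit on a dm-crypt (LUKS) device; the sample lsblk output embedded below is constructed.

```python
"""Linux check for recommendation 1 above: is the file system that holds the
browser profile on a dm-crypt (LUKS) device?  Parses the JSON emitted by
`lsblk -J -o NAME,TYPE,MOUNTPOINT` and walks the device tree: a mount is
encrypted when it or any ancestor node has TYPE "crypt"."""
import json
import subprocess
from typing import List, Optional

# Constructed sample: a LUKS-backed root next to an unencrypted /data disk.
SAMPLE_LSBLK_JSON = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]}]},
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/data"}]}]})


def _walk(nodes, ancestor_types):
    """Yield (node, types of the node and all its ancestors) for the whole tree."""
    for node in nodes:
        types = ancestor_types + [node.get("type", "")]
        yield node, types
        yield from _walk(node.get("children", []), types)


def mount_is_encrypted(lsblk_json: str, mountpoint: str) -> Optional[bool]:
    """True if `mountpoint` sits on a crypt device, False if on a plain one,
    None if lsblk did not report that mount point at all."""
    for node, types in _walk(json.loads(lsblk_json)["blockdevices"], []):
        # Newer lsblk emits a "mountpoints" list; older versions a scalar.
        mounts = node.get("mountpoints") or [node.get("mountpoint")]
        if mountpoint in mounts:
            return "crypt" in types
    return None


def unencrypted_mounts(lsblk_json: str, mountpoints: List[str]) -> List[str]:
    """Mount points that are present but NOT on an encrypted device."""
    return [m for m in mountpoints if mount_is_encrypted(lsblk_json, m) is False]


def check_live_system() -> List[str]:
    """Query the running machine (needs util-linux lsblk with -J support)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(out, ["/", "/home"])


if __name__ == "__main__":
    print("unencrypted:", unencrypted_mounts(SAMPLE_LSBLK_JSON, ["/", "/home", "/data"]))
```

A non-empty result from `check_live_system()` means the browser profile (normally under the home directory) can be read off the disk by anyone with physical access, which is exactly the precondition the advisory describes.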

 

Here are some guidelines for securing different operating systems:

Windows

Mac

iOS

Linux

 

Finally, we would like to thank Halborn's team for responsibly disclosing this and for all their hard work to protect the industry, and we have awarded Halborn a $50,000 bounty for their discovery.


The original link

