{"id":1296,"date":"2022-01-21T18:35:20","date_gmt":"2022-01-21T18:35:20","guid":{"rendered":"https:\/\/fatburningcoffeetrick.com\/?p=1296"},"modified":"2022-01-21T18:35:21","modified_gmt":"2022-01-21T18:35:21","slug":"metamask-knows-it-has-a-critical-privacy-vulnerability-but-hasnt-fixed-it","status":"publish","type":"post","link":"https:\/\/cryptoheretostay.com\/?p=1296","title":{"rendered":"MetaMask Knows It Has a Critical Privacy Vulnerability, But Hasn&#8217;t Fixed It"},"content":{"rendered":"<h3>Key Takeaways<\/h3>\n<p>Cryptographer Alexandru Lupascu discovered a critical privacy vulnerability in MetaMask, the most popular Web3 wallet.<br \/>\nLupascu found that an attacker who knows only a target&#8217;s Ethereum address can learn the IP address of a MetaMask mobile user by airdropping them an NFT whose metadata points at a server the attacker controls.<br \/>\nMetaMask founder Daniel Finlay admitted in a Twitter post that the &#8220;issue has been widely known for a long time.&#8221; MetaMask has yet to fix the problem. 
<\/p>\n<p>Alexandru Lupascu says that MetaMask users who access the app on mobile devices are at risk of exposing their IP address.<\/p>\n<h2><strong>MetaMask Mobile App Can Expose Users\u2019 Privacy<\/strong><\/h2>\n<p>MetaMask users may be putting their privacy at risk, a cryptographer has warned.<\/p>\n<p>Alexandru Lupascu, who co-founded the privacy node service OMNIA Protocol, says he has found a critical vulnerability in ConsenSys\u2019 popular Web3 wallet that gives attackers a way to learn users\u2019 IP addresses. An IP address identifies the network location of a device (or of the router it sits behind) and can usually be mapped to an internet provider and an approximate geographic location. Because users hold crypto assets in MetaMask wallets, tying an Ethereum address to an IP address is a serious concern: it tells an attacker roughly where, and from which network, the owner of that address accesses their funds.<\/p>\n<p>Lupascu published a blog post explaining how the vulnerability can be exploited by minting an NFT and airdropping it to an Ethereum address that is used in the MetaMask mobile app.<\/p>\n<p>NFTs are digital assets that denote ownership of content such as digital art, music, and memes. They tokenize content but typically do not store the content itself. Because storing image data on a blockchain like Ethereum is expensive, the token\u2019s on-chain record holds only a metadata URI; that URI points to a JSON document, which in turn points to the image. The content is hosted either on a decentralized storage network such as IPFS or on an ordinary web server chosen by whoever minted the token.<\/p>\n<p>By default, the MetaMask mobile app shows the NFTs held by an address by fetching each token\u2019s image from the URL in its metadata. The fetch happens without asking for the user\u2019s consent, simply to display which NFTs the wallet contains.<\/p>\n<p>Every server involved in that fetch, whether the host named in the metadata or a gateway in between, sees the user\u2019s IP address. 
For a legitimate project, that host is the project\u2019s own server and the address it sees is normally not misused. The problem is that anyone can mint a token and choose where its metadata points.<\/p>\n<p>In his investigation, Lupascu determined that malicious entities can collect MetaMask users\u2019 IP addresses this way and use them to mount targeted attacks. In his blog post, Lupascu explained:<\/p>\n<p>\u201cIf a malicious actor only knows your blockchain address, he can mint an NFT with a URL pointing to his server and transfer the NFT\u2019s ownership to your address. Thus, when your crypto wallet fetches the remote image from the server, it will compromise your privacy.\u201d<\/p>\n<p>Lupascu tested the vulnerability by minting an ERC-1155 NFT on OpenSea. He then used a smart contract editor to change the URL associated with the token so that it pointed to a server under his control, and sent the NFT to an Ethereum address. When he opened that address in the MetaMask mobile app, his IP address appeared in the logs of the server he controlled. He said the attack cost about $50 to execute.<\/p>\n<p>Lupascu told Crypto Briefing that he notified the MetaMask team about the issue in mid-December 2021, meaning the wallet\u2019s developers had been aware of it for at least a month at the time of writing. The MetaMask team promised to release a patch by the second quarter of 2022, a timeframe Lupascu considers \u201cunacceptable\u201d given the severity of the matter.<\/p>\n<p>Addressing the vulnerability, MetaMask founder Daniel Finlay admitted in a tweet replying to Lupascu that the \u201cissue has been widely known for a long time.\u201d He added:<\/p>\n<p>\u201cAlex is right to call us out for not addressing it sooner. Starting work on it now. 
Thanks for the kick in the pants, and sorry we needed it.\u201d<\/p>\n<p>Finlay has also proposed that the wallet could \u201conly load IPFS-type links by default\u201d and require explicit user consent before fetching NFT data from third-party servers. The distinction matters: an IPFS link names content by its hash, so the wallet can resolve it through a gateway it trusts, and that gateway, not the party that minted the token, is the only host that sees the request; an arbitrary HTTP URL, by contrast, always hands the fetching device\u2019s IP address to whoever runs that host.<\/p>\n<p>Meanwhile, Lupascu says that Ethereum users should be vigilant if they receive airdropped NFTs, and that it is advisable to view them only through OpenSea.\u00a0\u201cUntil this issue gets fixed on the mobile application, use the OpenSea platform with any Web3 compatible wallet to explore your collectibles. A kind reminder to everyone that off-chain privacy is really important\u2014do not neglect it,\u201d he said.<\/p>\n<p>In recent months, NFT collectors have lost millions of dollars\u2019 worth of digital assets to attacks, hacks, and scams. Many of the affected users stored valuable NFTs from Bored Ape Yacht Club and other sought-after collections in MetaMask wallets and fell victim to phishing attacks. MetaMask is a hot wallet, meaning its private keys live on an internet-connected device, so a thief who obtains a user\u2019s private key can drain the funds with relative ease. Because those keys can be compromised through phishing and malware, hot wallets are widely considered less secure than cold storage options such as hardware wallets, which keep the keys on a separate physical device that must be present to sign any transaction.<\/p>\n<p>MetaMask is the most popular Web3 wallet for accessing Ethereum and other EVM-compatible blockchain networks. It had more than 21 million monthly active users as of November 2021, according to a ConsenSys press release.<\/p>\n<p><em>Disclosure: At the time of writing, the author of this piece owned ETH and other cryptocurrencies.<\/em><\/p>\n<p><a href=\"https:\/\/cryptobriefing.com\/ethereum-wallet-metamask-has-critical-privacy-vulnerability\/?utm_source=main_feed&#038;utm_medium=rss\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Key Takeaways Cryptographer Alexandru Lupascu discovered a critical vulnerability in the most popular Web3 wallet MetaMask. Lupascu found that malicious entities can find MetaMask mobile users&#8217; IP data by airdropping them NFTs. 
MetaMask founder Daniel Finlay admitted in a Twitter post the &#8220;issue has been widely known for a long time.&#8221; It&#8217;s yet to fix [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1297,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wp_rev_ctl_limit":""},"categories":[4],"tags":[],"class_list":["post-1296","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-market-news"],"_links":{"self":[{"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/posts\/1296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1296"}],"version-history":[{"count":1,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/posts\/1296\/revisions"}],"predecessor-version":[{"id":1298,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/posts\/1296\/revisions\/1298"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/media\/1297"}],"wp:attachment":[{"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
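The mitigation Finlay sketched in the article above (auto-load only IPFS-type links, ask before contacting any third-party server) can be stated precisely as a URL classifier applied to both hops of an NFT fetch: the tokenURI and the image URL inside the metadata it returns. The block below is an added example written for this page; it is not MetaMask's code and not Lupascu's proof of concept. It assumes a hypothetical IPFS gateway operated by the wallet (WALLET_GATEWAY), and the sample token URI and metadata at the bottom are constructed, not taken from the article.

```javascript
"use strict";

// Added example: a wallet-side fetch policy for NFT media URLs, written to
// illustrate the mitigation the article quotes ("only load IPFS-type links by
// default", explicit consent for third-party servers). This is not MetaMask
// code. WALLET_GATEWAY is a hypothetical IPFS gateway run by the wallet
// operator: with it, the only party that ever sees the user's IP for IPFS
// content is that gateway, never the address that minted the token.
const WALLET_GATEWAY = "https://ipfs-gateway.wallet.example/ipfs/"; // assumption

// CIDv0 (base58btc, "Qm" + 44 chars) and CIDv1 in base32 ("b" + lowercase)
// are the forms that appear in tokenURI strings in practice.
const CID_RE = /^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})$/;

// Classify one URL taken from tokenURI() or from the metadata "image" field.
//   inline - data: URI; nothing leaves the device (still render it in a
//            sandbox with no network access, since SVG can reference hosts)
//   auto   - content-addressed; rewritten to our gateway and fetched silently
//   ask    - a third-party server; needs the user's explicit consent
//   block  - anything else (javascript:, file:, unparseable input)
function classifyTokenUrl(raw) {
  if (typeof raw !== "string") return { action: "block", reason: "not a string" };

  if (raw.startsWith("data:")) return { action: "inline", target: raw };

  // ipfs://<cid>[/path], including the legacy ipfs://ipfs/<cid> spelling.
  const m = /^ipfs:\/\/(?:ipfs\/)?([^/?#]+)(.*)$/.exec(raw);
  if (m) {
    return CID_RE.test(m[1])
      ? { action: "auto", target: WALLET_GATEWAY + m[1] + m[2] }
      : { action: "block", reason: "ipfs URL without a valid CID" };
  }

  let url;
  try {
    url = new URL(raw);
  } catch {
    return { action: "block", reason: "unparseable URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { action: "block", reason: "scheme " + url.protocol + " not allowed" };
  }

  // https://<some-gateway>/ipfs/<cid>/... : the CID, not the host, identifies
  // the content, so fetch it from our own gateway rather than the host the
  // minter chose. If the CID does not really exist on IPFS the fetch fails;
  // it never contacts the minter's server.
  const g = /^\/ipfs\/([^/]+)(.*)$/.exec(url.pathname);
  if (g && CID_RE.test(g[1])) {
    return { action: "auto", target: WALLET_GATEWAY + g[1] + g[2] + url.search };
  }

  // Anything else is a host the token's creator picked: ask before connecting.
  return { action: "ask", target: raw, host: url.host };
}

// Apply the policy to both hops: tokenURI -> metadata JSON -> image. The
// second hop matters even when the first was IPFS, because the JSON's
// "image" field can still point at an arbitrary server. `metadata` is the
// parsed JSON once the first hop has been fetched, or null if it has not.
function planTokenFetches(tokenUri, metadata) {
  const plan = { metadata: classifyTokenUrl(tokenUri), image: null };
  if (metadata && typeof metadata.image === "string") {
    plan.image = classifyTokenUrl(metadata.image);
  }
  return plan;
}

// Constructed sample (not from the article): a token whose URI is on IPFS but
// whose metadata points the image at the minter's own server, the pattern
// the article describes. First hop is safe; second hop must ask.
const SAMPLE_CID = "QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG";
const SAMPLE_TOKEN_URI = "ipfs://" + SAMPLE_CID + "/1.json";
const SAMPLE_METADATA = { name: "Airdrop #1", image: "https://tracker.attacker.example/1.png" };

console.log(JSON.stringify(planTokenFetches(SAMPLE_TOKEN_URI, SAMPLE_METADATA), null, 2));
```

Run it with node. The point of the second hop is the one a wallet most easily misses: a token whose URI lives on IPFS can still carry an image URL on the minter's server, so a policy that inspects only tokenURI would still leak. Rewriting any /ipfs/&lt;cid&gt; path to the wallet's own gateway also neutralizes minter-controlled hosts that merely look like public IPFS gateways; if the CID is not really on the network the fetch fails instead of leaking.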