**WARNING** Those Using Older Versions of MetaMask: Take Action - News Brief


Yesterday, June 15, 2022, the team at MetaMask reported a critical security vulnerability in older versions of its highly popular cryptocurrency wallet.

Security researchers at Halborn have disclosed an instance where a Secret Recovery Phrase used by web based wallets like MetaMask could be extracted from the disk of a compromised computer under some conditions. The following does not impact MetaMask Mobile users, and impacts a small segment of MetaMask Extension users as well as users of other browser/extension wallets. We felt this violated the user expectations of our password lock feature, and could therefore put some users at risk.

[Finlay, D. Security Notice: Extension Disk Encryption Issue. (Accessed June 16, 2022)].

"The security firm was awarded a bounty of $50,000 for the discovery" [Sun, Z. MetaMask warns of security vulnerability from older versions of popular crypto wallet. (Accessed June 16, 2022)].

This vulnerability applies to users of MetaMask extension versions before 10.11.3. In these earlier versions, you may be at risk if all three of the following conditions apply to your computer/wallet:

  • Your hard drive was unencrypted
  • You imported your Secret Recovery Phrase into a MetaMask extension on a device that is in possession of someone you do not trust, or your computer is compromised
  • You used the 'Show Secret Recovery Phrase' checkbox to view your Secret Recovery Phrase on-screen during that import process

[Finlay, supra].

The on-screen 'Show Secret Recovery Phrase' page appears as follows (note the blue box checked at the bottom):



We’ve only found that the Secret Recovery Phrase could be extracted under very specific circumstances, and we’ve been able to introduce new protections over the period that Halborn has waited to disclose, and have a few more we plan to implement. We will continue to introduce additional security mechanisms that reduce this risk even more.

[Finlay, supra].

According to MetaMask, the impact of this vulnerability is:

This affects:

  • All desktop operating systems and browsers that we have tested.
  • We tested on Windows, macOS, and Linux, with Google Chrome, Chromium, and Firefox browsers.
  • All versions of the MetaMask extension (prior to v10.11.3) on all browser versions.
  • This does not affect MetaMask Mobile.
  • The Secret Recovery Phrase does get cleared eventually, but we cannot make guarantees about when at this time.
  • This vulnerability is most likely to affect users who had a device compromised or stolen soon after importing their Secret Recovery Phrase into MetaMask.

[Id].
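As an added example (not code from MetaMask or Halborn), the following Python audits a Chromium-style extensions directory for installed copies of an extension older than the fixed release, 10.11.3. The directory layout, the function names and the placeholder extension ID are assumptions; supply the real ID shown on your browser's extensions page.

```python
import json
import tempfile
from pathlib import Path

FIXED = (10, 11, 3)  # first fixed MetaMask extension release per the notice


def parse_version(text):
    """'10.9.0' -> (10, 9, 0). Compared numerically, since as strings
    '10.9.0' would wrongly sort above '10.11.3'."""
    return tuple(int(part) for part in str(text).strip().split("."))


def audit_extension(extensions_dir, extension_id):
    """Map each installed version to 'vulnerable', 'fixed' or 'unknown'.

    Assumed layout: <extensions_dir>/<extension_id>/<version>_<n>/manifest.json
    """
    results = {}
    root = Path(extensions_dir) / extension_id
    for manifest in sorted(root.glob("*/manifest.json")):
        try:
            version = json.loads(manifest.read_text(encoding="utf-8"))["version"]
            status = "vulnerable" if parse_version(version) < FIXED else "fixed"
        except (ValueError, KeyError, TypeError, OSError):
            # Unreadable manifest: report it instead of silently passing it.
            version, status = manifest.parent.name, "unknown"
        results[str(version)] = status
    return results


def demo():
    """Build a constructed profile tree in a temp dir and audit it."""
    ext_id = "a" * 32  # placeholder, NOT the real MetaMask extension ID
    with tempfile.TemporaryDirectory() as tmp:
        for folder, body in [
            ("10.9.0_0", '{"version": "10.9.0"}'),
            ("10.11.3_0", '{"version": "10.11.3"}'),
            ("10.14.1_0", '{"version": "10.14.1"}'),
            ("broken_0", "{not json"),
        ]:
            target = Path(tmp) / ext_id / folder
            target.mkdir(parents=True)
            (target / "manifest.json").write_text(body, encoding="utf-8")
        return audit_extension(tmp, ext_id)


if __name__ == "__main__":
    for version, status in demo().items():
        print(f"{version}: {status}")
```

A "vulnerable" result only establishes the version condition; the unencrypted-disk and on-screen import conditions listed above still have to be assessed separately.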

If you have been affected (or believe you may have been affected), MetaMask suggests that you "consider migrating the funds from the accounts generated by that Secret Recovery Phrase to new accounts generated by a new Secret Recovery Phrase" [Id]. MetaMask has prepared a guide for carrying out this migration.

As well, "if your computer is not physically secure from people you do not trust, we recommend you enable full disk encryption on your system" [Id].

The vulnerability arose because browser behavior undermined the wallet's password-based encryption. Individual browsers treat physical access attacks as being outside their existing threat model [See for further information: GoogleSource. Why aren't physically-local attacks in Chrome's threat model?. (Accessed June 16, 2022)]. And as the MetaMask wallet is built on top of the browser, "it has proven labor-intensive to reduce the size of this attack surface, and it may be impossible to fully eliminate it. Ultimately it is likely that only full disk encryption can provide your computer strong safety against physical computer access" [Finlay, supra].

And finally, MetaMask stresses the following:

  1. Please take the time to enable full disk encryption on your computer. It’s the only way to be sure that someone with physical access to your computer isn’t able to extract all of its contents. We also recommend the usage of hardware wallets as an additional security measure.
  2. Clear your browser cache data (our research shows this may help some users in some cases)
  3. Remember that it’s your responsibility to keep your computer secure. No wallet or software can keep itself safe if the system it runs on is compromised. Take time to learn how to avoid installing a virus on your computer.

[Id].
