A recent investigation revealed that the MetaMask mobile app has a critical privacy vulnerability. The CEO of the wallet confirmed the problem and has promised to fix it.
MetaMask, a popular browser-based cryptocurrency wallet, is affected by a critical privacy vulnerability, according to a recent security report first covered by the news outlet CryptoBriefing.
Security analyst Alexandru Lupascu, co-founder of the privacy node service OMNIA Protocol, published a report on his blog on Thursday warning MetaMask users that they could be putting their privacy at risk when using the wallet.
Lupascu said that he and his team of researchers had found a vulnerability in the MetaMask mobile application that gives attackers a way to learn the IP address of wallet users.
– Alex Lupascu (@alxlpsc) January 20, 2022
The privacy risk posed by the vulnerability is not minor. According to the report, it “has the potential to be eight times more devastating than a Distributed Denial of Service (DDoS) attack”.
An IP (Internet Protocol) address is a unique numerical label that identifies a network interface of an internet-connected device, whether a computer, a smartphone, a tablet or something else.
Privacy of Metamask users is exposed
Specifically, the vulnerability found in MetaMask could allow malicious actors to learn the location from which cryptocurrency users access the wallet app. The analyst warned that the impact of the vulnerability can be much more serious than a simple data leak.
Don’t underestimate the risk associated with IP leaks: If malicious actors get more information from the IP address (think geolocation, GSM carrier, etc.), they can turn you into a physical risk, like a kidnapping.
In the blog post, Lupascu described how an attacker can obtain a user’s IP address. He explained that the vulnerability can be exploited by sending a non-fungible token (NFT) to the victim’s Ethereum address. Moreover, it is a relatively inexpensive attack at just $50, he said.
If a malicious actor only knows your blockchain address, they can create an NFT with a URL pointing to your server and transfer ownership of the NFT to your address. So when your crypto wallet gets the remote image from the server, it will compromise your privacy.
The analyst tested the attack by minting an NFT on OpenSea. He then used a smart contract editor to change the URL originally linked to the NFT so that it pointed to a server under his control. He proceeded to send the collectible to an Ethereum address. He said that when he accessed that address through the MetaMask mobile app, his IP address appeared on the server under his control.
Technical details about the vulnerability
NFTs are digital assets that denote ownership of digital content such as images, music, videos, and more. They offer a way to tokenize files, but typically don’t store the actual content. Since storing image data on a blockchain like Ethereum can be expensive, NFTs contain uniform resource locators that point to data. The content of NFTs is often stored in a decentralized storage network such as IPFS or on remote centralized cloud servers.
By default, the MetaMask mobile application retrieves the NFTs held by an address by calling the URL that points to each token’s image data, which is hosted on remote servers. It does this without asking for the user’s consent in order to display which NFTs their Ethereum wallet contains.
During this retrieval, every server or gateway involved in delivering the image data receives the user’s IP address. Generally, projects that operate image servers keep this data secure.
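The fetch described above is the step a wallet can make safe on its own side: it decides per token how the `image` URL from the ERC-721 metadata JSON will be loaded, instead of requesting any host the minter chose. The following is an added example written for this article, not MetaMask’s code; the gateway hosts, sample metadata and hostnames are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample ERC-721 metadata, as a wallet would receive it from
# tokenURI(). Hosts and CIDs are illustrative, not real contracts or servers.
SAMPLE_METADATA = [
    '{"name": "A", "image": "ipfs://QmConstructedCidExample/art.png"}',
    '{"name": "B", "image": "data:image/svg+xml;base64,PHN2Zy8+"}',
    '{"name": "C", "image": "https://cdn.example-collection.test/1.png"}',
    '{"name": "D", "image": "https://203.0.113.7:8443/track?u=1"}',
]

# Hypothetical gateways the wallet itself trusts to proxy content fetches.
TRUSTED_GATEWAYS = {"ipfs.io", "cloudflare-ipfs.com"}
IPFS_GATEWAY = "https://ipfs.io/ipfs/"


def plan_fetch(metadata_json: str) -> dict:
    """Decide how to load an NFT image without exposing the viewer's IP.

    Returns {'action': one of inline|gateway|ask_user|block, 'url': str|None},
    where 'url' is the address that would actually be requested, if any.
    """
    meta = json.loads(metadata_json)
    image = meta.get("image", "")
    parsed = urlparse(image)
    if parsed.scheme == "data":
        # Content is embedded in the metadata: no network request at all.
        return {"action": "inline", "url": None}
    if parsed.scheme == "ipfs":
        # Content-addressed: resolve through a gateway the wallet chose,
        # so the token's creator never sees which client fetched it.
        return {"action": "gateway", "url": IPFS_GATEWAY + image[len("ipfs://"):]}
    if parsed.scheme in ("http", "https"):
        if (parsed.hostname or "") in TRUSTED_GATEWAYS:
            return {"action": "gateway", "url": image}
        # Arbitrary host picked by whoever minted the token: a direct fetch
        # reveals the viewer's IP, so require explicit consent first.
        return {"action": "ask_user", "url": image}
    # Unknown or missing scheme: do not fetch.
    return {"action": "block", "url": None}


def plan_all(items):
    """Apply plan_fetch to a list of metadata documents; returns the actions."""
    return [plan_fetch(m)["action"] for m in items]
```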
In his research, Lupascu determined that malicious entities can obtain the IP data of MetaMask users and exploit that information to carry out targeted attacks. It is also possible to carry out mass attacks by launching NFT airdrops (free distributions).
A highly motivated actor could create a large number of NFTs, point them all at a single URL, and airdrop them to millions of users, thus performing a DDoS attack on that URL at a scale never seen before.
Metamask is already aware of the problem
In his report, Lupascu indicated that he had disclosed the vulnerability to the MetaMask developers in December, after his team made the discovery. At that time, the company admitted that it was already aware of the problem and assured him that it was actively working on a fix. MetaMask promised to release a fix by the second quarter of 2022, a timeline Lupascu called “unacceptable” in the post.
MetaMask CEO Daniel Finlay responded to the post on Twitter and acknowledged the existence of the vulnerability in the current version of the wallet. Finlay also agreed with Lupascu’s criticism and promised to deploy a fix as soon as possible.
Yeah, I think this issue has been widely known for a long time, so I don’t think a disclosure period applies. Alex is right to call us out for not addressing it sooner. Starting work on it now. Thanks for the kick in the pants, and sorry we needed it. https://t.co/SeKMRKSUGN
— Dan Finlay (@danfinlay) January 20, 2022
In the meantime, until a patch that fixes the vulnerability is released, Lupascu has advised wallet users to be wary of NFT giveaways on Ethereum. The specialist considers it best for users to view such free NFTs through platforms such as OpenSea.
“Until this issue is fixed in the mobile app, please use the OpenSea platform with any Web3-compatible wallet to explore your collectibles. A gentle reminder to everyone that off-chain privacy is really important, don’t neglect it,” he said.
Article versioned by Hannah Estefanía Pérez / DailyBitcoin