MetaMask browser extension wallet Clickjacking vulnerability analysis

Background overview

On June 3, 2022, MetaMask (MM) disclosed a serious clickjacking vulnerability discovered by white-hat researchers. The impact of this vulnerability: when the user's MM extension wallet is unlocked and the user visits a malicious site, the site can use an iframe tag to embed the unlocked MM wallet page into its own page, hide it, and then guide the user into clicking on the page, thereby operating on the user's related assets without their knowledge. Given MM's large user base, and the large number of projects that fork the MetaMask extension wallet, we immediately began reproducing this vulnerability after MM disclosed it, and then began investigating its impact on other MetaMask forks.

Subsequently, the SlowMist security team notified the affected project teams as far as possible and guided them through the fix. The analysis of this Clickjacking vulnerability is now made public so that later projects can avoid the same pitfalls.

Vulnerability Analysis

Since MM did not give a detailed explanation when publishing this Clickjacking vulnerability, but only described the exploitation scenario and the harm it can cause, I ran into many pitfalls while reproducing it (a lot of blind guessing about where the vulnerable point actually was). So, to help everyone understand the whole vulnerability more smoothly, I will first add one piece of background knowledge before the vulnerability analysis.

Let's first look at the Manifest field web_accessible_resources. Browser extensions have this configuration, and it restricts which of the extension's resources a web page is allowed to access. By default a web page cannot access the resource files inside a browser extension; only the extension itself can. In short, pages under protocols such as http/https cannot access chrome-extension:// resources by default. If, however, the extension wallet has web_accessible_resources configured to expose resources inside the extension, those resources can be accessed by pages under protocols such as http/https.

MM extension wallet versions before 10.14.6 (this article uses 10.14.5 as the example) have always retained the configuration "web_accessible_resources": ["inpage.js", "phishing.html"], and this configuration is a key point in exploiting the vulnerability.


However, during the vulnerability analysis it was found that in app/scripts/phishing-detect.js (v10.14.5) the phishing page redirect has already been restricted by protocol. (This restriction is where my understanding hit further pitfalls; after all, the configuration "web_accessible_resources": ["inpage.js", "phishing.html"] is still retained.)


We continued to trace when this protocol restriction was introduced and found that it was added in the following commit. This means that before v10.14.1 there was no restriction on the redirect protocol, so the Clickjacking vulnerability could be exploited easily.

Related commits:

https://github.com/MetaMask/metamask-extension/commit/c1ca70d7325577835a23c1fae2b0b9b10df54490

https://github.com/MetaMask/metamask-extension/compare/v10.14.0…v10.14.1


To verify the code analysis, we switched to v10.14.0, the version before the protocol restriction, for testing, and found that the entire attack process could be easily reproduced.


However, the MM public report also states that the Clickjacking vulnerability was fixed in v10.14.6, so v10.14.5 must still be vulnerable; let us return to the conjecture above. (This restriction is where my understanding hit further pitfalls; after all, the "web_accessible_resources": ["inpage.js", "phishing.html"] configuration is still retained.)

After reading the code repeatedly: in v10.14.5 and earlier, when the phishing warning page is shown and the user clicks "continue at your own risk", the hostname is added to the local whitelist. As a result, the MetaMask Phishing Detection warning will not appear again the next time the user visits that website.

For example, take the phishing website ethstake.exchange: if the phishing warning page is embedded in a web page through an iframe tag, the malicious phishing site can be added to the whitelist by exploiting the Clickjacking vulnerability, so that the warning no longer keeps popping up.


Analysis conclusion

In the above analysis, MM in fact recently fixed two clickjacking vulnerabilities. During reproduction it was found that the latest v10.14.6 has removed the relevant web_accessible_resources configuration, completely fixing the clickjacking problem on the MetaMask Phishing Detection page.

(1) The fix for using the Clickjacking vulnerability to induce users to transfer funds (affected versions: <= v10.14.0):

https://github.com/MetaMask/metamask-extension/commit/c1ca70d7325577835a23c1fae2b0b9b10df54490

(2) The fix for adding phishing websites to the whitelist using the Clickjacking vulnerability (affected versions: <= v10.14.5):

https://github.com/MetaMask/metamask-extension/commit/7199d9c56775111f85225fe15297e47de8e2bc96

The SlowMist security team has tested various well-known extension wallets in the Chrome extension store for the Clickjacking vulnerability and found that the following wallets are affected:

  • Coinbase Wallet (v2.17.2)
  • Coin98 Wallet (v6.0.6)
  • Maiar DeFi Wallet (v1.2.17)

The SlowMist security team contacted the project teams as soon as possible, but so far some of them have not responded, and it has been 11 days since MM disclosed this vulnerability. To prevent users from suffering losses from this vulnerability, the SlowMist security team chose to publish this analysis. If an affected project team sees this article and needs assistance, please contact the SlowMist security team.

The SlowMist security team once again reminds the browser extension wallet project party if there is a MetaMask-based

The SlowMist security team recommends that ordinary users temporarily stop using these extension wallets (disable them in the browser's extension management page) until the project teams have fixed the vulnerability. Once a wallet officially releases a fixed version, users can update to it.

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/metamask-browser-extension-wallet-clickjacking-vulnerability-analysis/