Security Guide: How to Protect Against MetaMask Browser Wallet Vulnerability?

Note: In the early morning of June 16th, Beijing time, Dan Finlay, a developer at ConsenSys, disclosed a security vulnerability in the MetaMask browser extension wallet that may put a small number of users’ wallet funds at risk of theft. Some security advice follows.


Halborn researchers identified a situation in which, in rare cases, unencrypted user keys can be found on disk. The issue was reported for the MetaMask browser extension wallet and has been fixed in version 10.11.3 and later.

Security researchers at Halborn have disclosed an instance in which mnemonic phrases used by web wallets such as MetaMask can be extracted from a compromised computer disk under certain circumstances.

This issue does not affect MetaMask mobile wallet users; it affects only a small subset of MetaMask browser extension users and users of other browser/extension wallets. We have implemented mitigations for these issues, so this should not be a problem for users of MetaMask browser extension wallet version 10.11.3 and above. Note that if all three of the following conditions apply to you, your wallet may be at risk, and you should read on for next steps:

1. Your hard drive is not encrypted;

2. You have imported your mnemonic phrase into the MetaMask browser extension wallet on a device owned by someone you don’t trust, or your computer has been hacked;

3. During the import process, you used the “Show Secret Recovery Phrase” checkbox to view your mnemonic on the screen (as shown in the screenshot below).

[Screenshot: the “Show Secret Recovery Phrase” checkbox in the MetaMask import dialog]

This affects:

1. All desktop operating systems and browsers we have tested;

2. We tested on Windows, macOS and Linux using Google Chrome, Chromium and Firefox browsers;

3. All versions of the MetaMask extension wallet prior to v10.11.3, on all browser versions.

But this vulnerability does not affect the MetaMask mobile wallet.

Mnemonic phrases will eventually be cleared, but we cannot currently guarantee when.

The vulnerability is most likely to affect users whose devices are compromised or stolen shortly after the mnemonic phrase is imported into MetaMask.

If you meet all of the above criteria, anyone who has access to your computer may have access to your mnemonic phrase, so to be safe you may want to consider transferring funds out of these accounts. We have prepared a guide for migrating account funds; use any third-party migration tool at your own risk.

Be aware that people or malware with physical access to your computer could exploit this vulnerability, and if your device is infected with malware, some attacks are impossible to defend against (such as keyloggers, direct memory access, and program control).

If you think you are vulnerable to this attack

If your computer is at risk of being compromised by someone you don’t trust, we recommend that you enable Full Disk Encryption on your system. Also, if your funds are managed by a hardware wallet, you are not affected by the vulnerability.

Affected users should consider transferring funds from the old wallet account to the new wallet account address.

The rest of this document will provide some additional details, as well as advice on how to best secure your wallet. Later, we will disclose more details about the nature of the problems so that other software developers can avoid these problems themselves, but for now we will warn users first to minimize the risk of theft.

How safe am I?

As mentioned above, if your computer is compromised (whether physical or malware), you cannot be sure of the security of any programs running on that computer.

This is a problem that has been acknowledged and discussed by the team behind the popular password manager 1Password. Jeffrey Goldberg, chief security architect at 1Password, explained the difficulty of solving it, saying:

“This is a well-known problem that has been discussed publicly many times before, but any plausible solution could be worse than the problem itself.”

If you’re using a password manager, you’re probably a bit more secure than someone who isn’t, but even with a password manager, you’re not immune to vulnerabilities.

In conclusion

Ultimately we learned that the security of our password encryption features can be partially undermined by browser behavior. Since browsers themselves consider physical access attacks beyond their threat model, and our current wallets are built on top of browsers, reducing the size of this attack surface has proven to be labor-intensive and may not completely eliminate this kind of attack. Ultimately, it’s likely that only full disk encryption can give your computer strong security against physical access.

In general, computers, browsers and similar software store text input to some extent, either temporarily or permanently. However, because keeping your mnemonic phrase safe is so important, this particular scenario requires attention so that users can act accordingly.

Fortunately, passwords still seem to provide some level of security. We have found that mnemonic phrases can only be extracted under very specific circumstances, we have been able to introduce new safeguards while Halborn was awaiting disclosure, and we plan to implement additional safeguards to further reduce this risk. This means that when you are not using your wallet (or are handing your computer to someone else), it is still good practice to lock your wallet.

Some important things:

1. Please take a moment to enable full disk encryption on your computer. This is the only way to ensure that someone with physical access to your computer cannot extract all of its contents. We also recommend using a hardware wallet as an extra security measure.

2. Clear your browser cache data (our research suggests this may help some users in some cases).

3. Remember, it is your responsibility to keep your computer safe: no wallet or software can guarantee its own security if the system running it is compromised. Take the time to learn how to keep your computer safe from malware.

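A check for whether the recommended mitigation is already in place, as an added example that is not part of this advisory or of MetaMask’s own code: a POSIX shell script that reports whether the filesystem holding your home directory (where browser profiles live) sits on an encrypted volume. It assumes findmnt and lsblk on Linux and fdesetup on macOS; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the filesystem
# holding a path (default: your home directory, where browser profiles
# live) is backed by full disk encryption, the mitigation recommended above.
# Assumes findmnt/lsblk on Linux and fdesetup on macOS.

# Given lsblk TYPE values (whitespace-separated, innermost device first,
# e.g. "lvm crypt part disk"), print "encrypted" if a dm-crypt/LUKS layer
# sits anywhere in the stack and "plaintext" otherwise. Exit status is 0
# only for "encrypted". Takes the list as $1 so it can run on constructed input.
classify_stack() {
  for t in $1; do
    [ "$t" = "crypt" ] && { echo encrypted; return 0; }
  done
  echo plaintext
  return 1
}

# Check the live system for the mount containing $1 (default $HOME).
check_fde() {
  target="${1:-${HOME:-/}}"
  case "$(uname -s)" in
    Linux)
      # Block device backing the mount; findmnt appends "[/subvol]" for
      # btrfs subvolumes, which lsblk does not understand, so strip it.
      src="$(findmnt -T "$target" -no SOURCE)" || return 2
      src="${src%%\[*}"
      # lsblk -s lists the device and everything it depends on,
      # e.g. lvm -> crypt -> part -> disk for LVM-on-LUKS.
      types="$(lsblk -sno TYPE "$src" 2>/dev/null)" || return 2
      classify_stack "$types"
      ;;
    Darwin)
      # FileVault covers the whole system volume; fdesetup prints
      # "FileVault is On." when it is enabled.
      if fdesetup status | grep -q 'FileVault is On'; then
        echo encrypted
      else
        echo plaintext; return 1
      fi
      ;;
    *)
      echo "unsupported OS: $(uname -s)" >&2
      return 2
      ;;
  esac
}

check_fde "$@" || :
```

Exit status 2 means the check could not be performed (unsupported OS or a non-block-device filesystem such as ZFS), not that the disk is unencrypted.
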
Posted by: CoinYuppie. Reprinted with attribution to: