A number of prominent browser extension wallets, including Ethereum (ETH) wallet MetaMask, Solana (SOL)’s Phantom, Brave, and cross-chain wallet extension XDefi, have patched a “critical vulnerability” that could have exposed sensitive login credentials if specific conditions were met.
The wallet providers claim the vulnerability has not been exploited by bad attackers, meaning no user funds were stolen using this vector of attack.
In a blog post, MetaMask detailed that the issue did not impact MetaMask Mobile users and only affected “a small segment of MetaMask Extension users as well as users of other browser/extension wallets.”
The popular Ethereum wallet said that they have since implemented updates to solve the issue, claiming that it does not affect users of the MetaMask Extension versions 10.11.3 and later. MetaMask added that users need to worry only if all of the following conditions are met:
- their hard drive was not encrypted;
- they imported their Secret Recovery Phrase into a MetaMask extension on a device that is in possession of someone they do not trust, or their computer is compromised;
- they used the “Show Secret Recovery Phrase” checkbox to view their Secret Recovery Phrase on-screen during the import process.
“If your computer is not physically secure from people you do not trust, we recommend you enable full disk encryption on your system,” MetaMask said. “Additionally, you are not affected by this if your funds are managed by a hardware wallet.”
Solana’s Phantom, a self-custodial wallet for decentralized finance (DeFi), also confirmed they were affected by the issue, saying they were first notified about the vulnerability in September 2021.
“After some investigation and an official audit, fixes began rolling out in January 2022 and by April, Phantom users became protected from this critical vulnerability,” Phantom claimed, adding that they will release “an even more exhaustive patch” next week.
3/ With this vulnerability, users who imported their wallet with a secret recovery phrase were at risk if a sufficiently advanced attacker gained control of their device.
We are proud of the collaborative effort among many partners that helped keep the crypto community safe.
— Phantom (@phantom) June 15, 2022
The security vulnerability was discovered and reported to all affected wallet browsers by blockchain security firm Halborn. “We disclosed a critical vulnerability affecting MetaMask, Phantom, Brave, and XDefi, and other browser based crypto wallets,” the company
8/ MetaMask paid a $50,000 bounty to Halborn for this discovery, which was the largest security-related payout that MetaMask had ever made at the time!
— Halborn (@HalbornSecurity) June 15, 2022
said.
The incident is yet another reminder that internet-connected hot wallets are subject to security vulnerabilities. Users can consider hardware wallets for better security.
Source: Cryptonews
