A recent investigation revealed that Metamask’s mobile app faces a critical privacy vulnerability. The wallet’s CEO confirmed the problem and has pledged to fix it.
Metamask, a popular web browser cryptocurrency wallet, faces a critical privacy vulnerability, a recent security report said. The news outlet CryptoBriefing reported the news.
Security analyst Alexandru Lupascu, co-founder of the privacy node service OMNIA Protocol, published a report on Thursday on the company's blog warning that Metamask users may be putting their privacy at risk when using the wallet.
Lupascu said he and his team of researchers came across a vulnerability in Metamask's mobile application that gives attackers a way to learn the IP address of wallet users.
– Alex Lupascu (@alxlpsc) January 20, 2022
The vulnerability poses a privacy risk that is far from minor. According to the report, it “has the potential to be eight times more devastating than a distributed denial of service (DDoS) attack.”
It should be noted that an IP address (Internet Protocol address) is a unique numeric label that identifies a network interface of an internet-connected device, whether a computer, a smartphone, a tablet, etc.
Metamask users’ privacy is exposed
Specifically, the vulnerability found in Metamask could allow malicious actors to learn the location from which users access the wallet application. The analyst warned that the impact of the vulnerability could be much more serious than a simple data breach.
Don’t underestimate the risk associated with IP leaks: if malicious actors obtain more information from the IP address (think geolocation, GSM carrier, etc.), they can turn it into a physical risk, such as a kidnapping.
In the blog post Lupascu described how an attacker can obtain a user’s IP address. He explained that the vulnerability can be exploited by sending a non-fungible token (NFT) to the victim's Ethereum address. In addition, it is a relatively inexpensive attack, costing only $50, he said.
If a malicious actor only knows your blockchain address, they can create an NFT with a URL pointing to your server and transfer ownership of the NFT to your address. Therefore, when your crypto wallet gets the remote image of the server, it will compromise your privacy.
The analyst tested the possible attack by minting an NFT on the OpenSea marketplace. He then used a smart contract editor to change the original URL linked to the NFT so that it pointed to a server under his control. He proceeded to send the collectible to an Ethereum address. He said that when he accessed that address through the Metamask mobile app, his IP address appeared in the logs of the server under his control.
Technical details about the vulnerability
NFTs are digital assets that denote ownership of digital content such as images, music, videos and more. They offer a way to tokenize files, but usually do not store the actual content. Given that storing image data on a blockchain such as Ethereum can be expensive, NFTs contain uniform resource locators (URLs) that point to the data. NFT content is often stored on a decentralized storage network such as IPFS or on remote centralized cloud servers.
By default, MetaMask displays the NFTs held at an Ethereum address by fetching the URL embedded in each token's image metadata. This data is hosted on remote servers. The fetch is performed without asking the user's consent before showing which NFTs are contained in their wallet.
During this fetching process, every server or gateway that handles the image data transmission receives the user’s IP address. Generally, the projects that operate the image servers keep that data secure.
In his research, Lupascu determined that malicious entities can obtain the IP data of MetaMask users and exploit the information to execute targeted attacks. It is also possible for mass attacks to be carried out by launching airdrops (free distributions) of NFTs.
A highly motivated actor could create a large number of NFTs, point them all at a single URL and distribute them via airdrop to millions of users, thus performing a DDoS attack on that URL on a scale never seen before.
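To make the fetch step above concrete, here is an added example (not MetaMask's or OMNIA's code) of a wallet-side policy, written in Python, that classifies an NFT's image URL before any request is made: inline data URIs need no request, IPFS content is rewritten to a wallet-chosen gateway so that only that gateway sees the user's IP, and any other host chosen by the minter is deferred until the user consents. The gateway address, function names and the metadata sample are assumptions constructed for this illustration.

```python
import json
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical wallet-operated IPFS gateway (an assumption, not a real MetaMask setting).
WALLET_IPFS_GATEWAY = "https://ipfs.wallet-gateway.invalid/ipfs/"
_GATEWAY_PATH = re.compile(r"^/ipfs/([A-Za-z0-9]+)(/.*)?$")

@dataclass
class FetchDecision:
    action: str   # "inline" | "fetch_via_gateway" | "defer_until_consent"
    url: str      # what the wallet would actually request (or the data URI itself)
    reason: str

def classify_image_url(image: str) -> FetchDecision:
    """Decide whether rendering this image would reveal the user's IP to a minter-chosen host."""
    if image.startswith("data:"):
        # Inline content: rendering it needs no network request at all.
        return FetchDecision("inline", image, "inline data URI, no request made")
    if image.startswith("ipfs://"):
        # Content-addressed: resolve through the wallet's own gateway, so the server
        # picked by the NFT minter never sees the user's IP.
        cid_path = image[len("ipfs://"):]
        cid_path = cid_path[len("ipfs/"):] if cid_path.startswith("ipfs/") else cid_path
        return FetchDecision("fetch_via_gateway", WALLET_IPFS_GATEWAY + cid_path,
                             "ipfs URI rewritten to wallet gateway")
    parsed = urlparse(image)
    if parsed.scheme in ("http", "https"):
        m = _GATEWAY_PATH.match(parsed.path)
        if m:
            # A third-party public IPFS gateway URL: only the CID matters, so rewrite it too.
            return FetchDecision("fetch_via_gateway",
                                 WALLET_IPFS_GATEWAY + m.group(1) + (m.group(2) or ""),
                                 "public gateway path rewritten to wallet gateway")
        # Arbitrary remote origin chosen by whoever minted (or later edited) the token:
        # fetching it would hand that host the user's IP, so wait for explicit consent.
        return FetchDecision("defer_until_consent", image,
                             f"remote host {parsed.hostname} would learn the user's IP")
    return FetchDecision("defer_until_consent", image, f"unrecognised scheme {parsed.scheme!r}")

def plan_nft_image_fetch(metadata_json: str) -> FetchDecision:
    # Apply the policy to the metadata document a token URI resolves to.
    return classify_image_url(json.loads(metadata_json).get("image", ""))

# Constructed sample metadata in the shape of a typical ERC-721 metadata document,
# with its image pointed at a tracking host the way the write-up describes.
SAMPLE_TRACKING_METADATA = json.dumps({
    "name": "Free airdrop #1",
    "image": "https://tracker.minter-controlled.invalid/pixel.png?to=0xabc",
})
```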
Metamask is already aware of the problem
In his report, Lupascu indicated that he had disclosed the vulnerability to the developers of Metamask in December, after his team made the discovery. At the time, the company admitted it was aware of the problem and said it was actively working to fix the flaw. Metamask promised to release a fix by the second quarter of 2022, a timeline that Lupascu called “unacceptable” in the post.
Metamask CEO Daniel Finlay responded to the Twitter post and acknowledged the existence of the vulnerability in the current version of the wallet. Finlay further agreed with the claims made by Lupascu and pledged to deploy a solution as soon as possible.
Yes, I think this problem has been widely known for a long time … Alex is right to call us out for not addressing it sooner. Starting to work on that now. Thanks for the kick in the pants, and sorry we needed it.
Yeah, I think this issue has been widely known for a long time, so I don’t think a disclosure period applies. Alex is right to call us out for not addressing it sooner. Starting work on it now. Thanks for the kick in the pants, and sorry we needed it. https://t.co/SeKMRKSUGN
— Dan Finlay (@danfinlay) January 20, 2022
In the meantime, until a patch is released to fix the vulnerability, Lupascu has advised wallet users to be wary of NFT giveaways on Ethereum. The specialist considered that it is best for users to view this type of free NFT through platforms such as OpenSea.
“Until this issue is fixed in the mobile application, please use the OpenSea platform with any Web3-compatible wallet to browse your collectibles. A gentle reminder to everyone that off-chain privacy is really important, don’t neglect it,” he said.
Article adapted by Hannah Estefania Perez / DiarioBitcoin
Image from Unsplash edited in Canva