It has been a tumultuous week for MetaMask’s developers.
In response to news that $4.5 million worth of funds had been drained from thousands of software wallets on Solana, the team behind MetaMask, the most popular software wallet on Ethereum and Ethereum-compatible networks, combed through the wallet’s codebase to make sure its users were not exposed to a similar hack.
This kind of fire drill has been repeated elsewhere. Responding to reports that the Near Wallet might share the vulnerability of the hacked Solana wallets, the protocol’s Twitter account tweeted on Thursday night, “I strongly recommend” that users modify their security settings.
Scanning for vulnerabilities after an exploit has occurred is one way developers handle security. Ideally, they find them before they are exploited. MetaMask has previously said it was reorganizing its team to respond better to security issues, but there are signs it is struggling to keep up.
Unanswered messages
In a recent example, Aurox CEO Giorgi Khazaradze said that when he tried to inform the MetaMask team about a vulnerability in June, he found them unresponsive.
He told Decrypt that his team had been looking into the MetaMask codebase, which is open source and hosted in a public GitHub repository, because they are building their own browser extension wallet.
That wallet has been announced but not yet launched; once it launches, it will compete with MetaMask. Simply put, Khazaradze stands to gain from raising doubts about what would be his new product’s biggest competitor.
After all, ConsenSys, the company that develops MetaMask (and, in full disclosure, an investor in Decrypt), has just closed a $450 million Series D round at a $7 billion valuation, helped considerably by the rate at which MetaMask attracts new users. As of March, MetaMask had 30 million monthly active users, a 42% increase over the 21 million it reported in November 2021.
Khazaradze’s team said they realized they could embed hidden decentralized apps (dapps) in web pages using the HTML element known as an inline frame (iframe).
This means that an attacker could hypothetically create a page that looks like a legitimate application but actually connects the wallet to a different, hidden application that MetaMask users never see. So instead of swapping some Ethereum for a new project’s coins or NFTs, users may unknowingly send crypto directly to a thief’s wallet.
This kind of vulnerability takes advantage of the fact that MetaMask automatically prompts the user to connect to a dapp when it detects one on a web page, which is standard behavior for the browser extension version of MetaMask. Outside the context of vulnerabilities and attackers, this is a convenience feature: it reduces the number of clicks between users and the dapps they want to interact with.
It is similar to, but not the same as, a clickjacking vulnerability for which MetaMask paid a $120,000 bounty in June. That one allowed an attacker to hide MetaMask itself inside a web page and trick users into revealing personal data or transferring funds.
“That’s another vulnerability. It was in MetaMask itself. Basically, you can put MetaMask into an iframe and then clickjack,” Khazaradze said. “On the other hand, what we have found is iframed dapps. Wallets automatically connect to these dapps, so users can be tricked into performing specific transactions.”
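The defensive counterpart to the behavior described above is for a dapp to refuse to trigger a wallet connection when it is not the top-level page. The following is an added example, not code from MetaMask or Aurox; `win` is a stand-in for the browser `window`, and `provider` for an EIP-1193 style provider exposing `request({ method })`, so the logic can run outside a browser.

```javascript
// Added example (not MetaMask's or Aurox's code): a dapp-side guard that
// refuses to request a wallet connection when the page is embedded in an
// iframe. `win` stands in for the browser `window` object.

function isFramed(win) {
  try {
    // Same-origin or top-level: the comparison is allowed and decisive.
    return win.self !== win.top;
  } catch (err) {
    // A cross-origin parent blocks access to win.top with a SecurityError;
    // that only happens when the page is framed, so treat it as framed.
    return true;
  }
}

function connectDecision(win) {
  if (isFramed(win)) {
    return { allow: false, reason: "page is embedded in an iframe" };
  }
  return { allow: true, reason: "top-level page" };
}

// Only call the provider (e.g. window.ethereum) when the decision allows it;
// a framed page gets a refusal object instead of a connection prompt.
function requestAccounts(win, provider) {
  const decision = connectDecision(win);
  if (!decision.allow) {
    return Promise.resolve({ connected: false, reason: decision.reason });
  }
  return provider
    .request({ method: "eth_requestAccounts" })
    .then((accounts) => ({ connected: true, accounts }));
}

// Constructed stand-ins for three situations a dapp can find itself in.
const topLevel = {};
topLevel.self = topLevel;
topLevel.top = topLevel; // window.self === window.top at the top level

const framed = { self: {}, top: {} }; // same-origin parent: top differs

const crossOriginFramed = {
  self: {},
  get top() { throw new Error("SecurityError: cross-origin frame access"); },
};

// Constructed provider that hands back one account on request.
const fakeProvider = {
  request: ({ method }) => method === "eth_requestAccounts"
    ? Promise.resolve(["0x0000000000000000000000000000000000000001"])
    : Promise.reject(new Error("unsupported method")),
};
```

A site can additionally stop itself from being framed at all by sending a `Content-Security-Policy: frame-ancestors 'none'` header; the client-side check above is the fallback for when that header is missing.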
Khazaradze said he tried to contact MetaMask about the vulnerability on June 27. He said he first tried the company’s support chat feature and was told to post the report on GitHub, where the app’s code is hosted, but he was not keen to do that.
He then emailed MetaMask support directly, but received only an unhelpful automated reply: “In order to streamline the response to support inquiries, direct email to support has been disabled.”
At that point, Khazaradze said, he gave up on informing the team about the vulnerability and contacted Decrypt instead.
MetaMask responds
Herman Junge, a member of MetaMask’s security team, told Decrypt that the app’s support team probably would not have wanted the iframe vulnerability posted on GitHub.
“At MetaMask, we take iframe reports seriously and give them due process through our HackerOne bug bounty program. If a security researcher submits a report through a different channel, they are invited to visit HackerOne,” he said in an email. “There is no message in our records encouraging the researcher to post the iframe report to GitHub.”
In an email conversation with a MetaMask spokesperson, Decrypt described the vulnerability the Aurox team claimed to have discovered. In his emailed statement, Junge neither acknowledged the alleged vulnerability nor said whether MetaMask would investigate the issue.
However, the statement said that exposing ongoing security issues before the app’s team has addressed them could “put innocent people at unnecessary risk.” That is the same language MetaMask used in support messages when it launched its bug bounty program in June.
Relying on the “spectacle”
In the security community, it is professional courtesy to notify a company of a vulnerability privately, for the same reason you don’t shout across the room that someone’s fly is down: discretion gives them a chance to fix it before others notice.
Private reporting keeps the information away from people who might try to exploit it before developers have a chance to implement a fix. However, when the reporting process is confusing or the recipients seem unresponsive, vulnerabilities are typically made public before a fix exists, to force the team to act.
Privacy researcher and investigative journalist Janine Romer said she has seen many instances of people first trying discreet channels, then switching to Twitter to report vulnerabilities.
“The same thing happens with Bitcoin wallets. The only way to get attention is to tweet at people. This is bad. It shouldn’t be the way things are handled,” she told Decrypt. “It should also be possible to report things privately and not have to show them publicly.”
In January, Omnia Protocol co-founder Alex Lupascu said on Twitter that he and his team had found a “serious privacy vulnerability” in MetaMask, and published a blog post explaining how attackers could exploit it.
Harry Denley, a security researcher who works on MetaMask, asked whether the team had been notified or had said it was working on the issue. Lupascu said it had, but that he had first reported it five months earlier and the vulnerability was still exploitable.
Eventually, MetaMask co-founder Dan Finlay got involved.
“Yeah, I think this issue has been in the public eye for a long time, so I don’t think the disclosure period applies,” he wrote on Twitter. “You’re right in pointing out that Alex didn’t address us sooner. I’m starting to work on it now. Thanks for the kick in the pants, sorry it was necessary.”
Using software wallets safely
The aforementioned bug bounty program launched a few months later. Not all MetaMask vulnerability reports go unaddressed: Web3 security company Halborn Security reported a vulnerability that could affect MetaMask users in June and received a hat tip from the MetaMask Twitter account for it.
Halborn Chief Operating Officer David Schwed said the response from the MetaMask team was positive; they addressed and patched the vulnerability. That said, users should be careful about storing substantial amounts of funds in software wallets, he said.
“We’re not necessarily attacking MetaMask. MetaMask now serves a specific purpose. Probably not,” he said. “I diversify my holdings, self-custody, and use other security practices to manage risk.”
For him, the most secure and responsible way to use a software wallet is to keep private keys in a hardware security module (HSM), known in crypto as a hardware wallet. The two most popular hardware wallets are Ledger and Trezor.
“At the end of the day, that’s where my private key is actually stored, and where transactions are actually signed,” Schwed said. “And your [browser] wallet is really just a mechanism to build transactions and broadcast them onto the chain.”
Filling the gap
The problem is that not everyone uses browser extension wallets that way. Still, there are efforts to address this by giving developers better guidance on how to build security into their apps and by teaching users how to keep their funds safe.
That is where the CryptoCurrency Certification Consortium (C4) comes in, the same organization that created the Bitcoin Professional and Ethereum Professional certifications. Fun fact: Ethereum creator Vitalik Buterin helped create the Bitcoin Professional certification exam before inventing Ethereum.
C4 Executive Director Jessica Levesque said there is still a big knowledge gap among new cryptocurrency adopters.
“The scary thing about this is that people who have been in cryptocurrency for a long time probably shouldn’t put a lot of money in MetaMask or hot wallets,” she told Decrypt. “But most of us didn’t know that when we first started.”
At the same time, there is a common assumption that open source projects are more secure because their code can be reviewed by independent researchers.
Indeed, after the Solana wallets were hacked on Wednesday, a developer who identified himself as fubulubu took to Twitter to say: “Not having open source code in crypto is irresponsible.”
Noah Buxton, who heads Armanino’s blockchain and digital asset practice and sits on C4’s cryptocurrency security standards committee, said smaller projects get less attention, and that offering to pay bug bounties in their native tokens could discourage researchers from devoting time to investigating them.
“In open source, developer attention is mostly driven by notoriety or some form of monetization,” he said. “I don’t want to spend time looking for bugs in a new decentralized exchange with little liquidity, no value in its governance token, and a team that wants to pay bounties in that governance token. I want to spend time on Ethereum at Layer 1.”