MetaMask, Phantom and Other Browser Wallets Patch Security Vulnerability

There is no evidence the vulnerability was ever exploited by attackers, meaning no user funds are believed to have been impacted.

Jun 15, 2022 at 4:04 p.m. UTC
Updated Jun 16, 2022 at 8:32 p.m. UTC

Sam is a reporter at CoinDesk focused on decentralized technology, DeFi and DAOs. He owns ETH, BTC and MATIC.

MetaMask and Phantom, two of the largest crypto wallet providers, disclosed in blog posts Wednesday that they recently patched a security vulnerability that could have exposed users' secret recovery phrases on compromised devices.

The wallet providers say there is no evidence the vulnerability was ever exploited by attackers, meaning no user funds are known to have been affected.

MetaMask and Phantom – which discovered the bug based on a tip from blockchain security firm Halborn – informed at least 10 other browser-based hot wallets that they contained the same vulnerability. The full list of impacted – and patched – wallets is unclear at this time.

Although the vulnerability came with a narrow attack vector and there’s no evidence of it ever having been exploited by hackers, it highlights the inherent security risk of internet-connected hot wallets compared to more secure – albeit less-convenient – hardware wallets.

Should you be concerned?

MetaMask and Phantom are not recommending that most users take any action beyond updating the wallet's browser extension, so that the wallet they are using is running the patched software version.

According to the blog post from MetaMask you should only be concerned if you match all of the following conditions:

  • Your hard drive was not encrypted
  • You imported your Secret Recovery Phrase into a MetaMask extension on a device that is in possession of someone you do not trust, or your computer is compromised
  • You used the “Show Secret Recovery Phrase” checkbox to view your Secret Recovery Phrase on-screen during that import process

“If your computer is not physically secure from people you do not trust, we recommend you enable full disk encryption on your system,” according to the MetaMask blog post. “Additionally, you are not affected by this if your funds are managed by a hardware wallet.”

Phantom’s blog post largely echoed that of MetaMask.

In its blog post, MetaMask outlines steps that users should take to move to a new wallet if they believe their credentials could have been compromised.

Halborn, which was awarded a $50,000 bounty for disclosing the bug, recommended that most users move their funds to a wallet created from a new secret recovery phrase out of an abundance of caution (a new address derived from the same phrase would still be exposed).

Steve Walbroehl, Halborn’s co-founder, told CoinDesk, “Just given the fact that this is something that has been around for so long, you don’t know who possibly could have gotten [exploited]. Maybe you clicked on a bad phishing email and they have access to your machine. Maybe somebody took it before even though you’ve now upgraded. I just think out of an abundance of caution, given the criticality, it’s better to just change it.”

He continued, “My number one recommendation is to just get a hardware wallet.”

How it happened

The vulnerability stemmed from how browsers handle form fields, not from the wallets' cryptography: when a secret recovery phrase was typed into an ordinary text field, the browser could persist the field's contents to the device's disk in plaintext, where it could remain for some period of time (exactly how long is unknown and likely varies by browser and device). That is why the conditions above single out an unencrypted drive and the “Show Secret Recovery Phrase” option, which displays the phrase in a plain text field instead of a masked password field.

If a user entered the phrase on a compromised or otherwise untrusted device, an attacker with access to that device's storage could have recovered it from disk if he or she knew where to look (or, more likely, had a tool for the task).

A secret recovery phrase – also called a seed phrase or mnemonic phrase – is a list of words (typically 12 or 24) that users receive when they set up a self-custody wallet. It is the master key from which all of the wallet's accounts are derived, and it is what users enter to recover the wallet or set it up on a new device.

If a person’s secret recovery phrase falls into the hands of someone malicious, it could be used to seize full control of the person’s funds.

MetaMask was informed of the bug in July 2021 and issued a patch in March of this year. Phantom learned of the bug in September 2021 and issued several patches to address the issue between January and April 2022.

DISCLOSURE

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
