MetaMask and Phantom, two of the largest crypto wallet providers, disclosed in blog posts on Wednesday that they had recently fixed a security vulnerability that could have exposed sensitive user data on compromised devices.
The wallet providers say there is no evidence that the vulnerability has ever been exploited by attackers, which means that no user funds are known to have been affected. MetaMask and Phantom, which learned of the bug through blockchain security firm Halborn, have informed at least 10 other browser-based hot wallets that they contain the same vulnerability. The full list of affected and patched wallets is currently unclear.
Although the vulnerability had a narrow attack vector, and there is no evidence that it was ever used by hackers, it highlights the inherent security risk of Internet-connected hot wallets compared to more secure - albeit less convenient - hardware wallets. MetaMask and Phantom do not recommend that most users take any action other than updating their browsers to make sure that the wallets they use are running the latest versions of the software. According to the MetaMask blog post, you should only worry if you meet all of the following conditions:
- Your hard drive has not been encrypted
- You have imported your secret recovery phrase into the MetaMask extension on a device that is owned by someone you don't trust, or your computer is compromised.
- You used the "Show Secret Recovery Phrase" checkbox to view the secret recovery phrase on the screen during this import process.
"If your computer is not physically protected from people you don't trust, we recommend that you enable full disk encryption on your system," the MetaMask blog post says. "Also, it won't affect you if your funds are managed by a hardware wallet."
The Phantom blog post largely echoes the MetaMask post. In its blog post, MetaMask describes the steps that users should take to switch to a new wallet if they believe that their credentials may have been compromised. Halborn, which was awarded $50,000 for disclosing the bug, recommended that most users switch to a new wallet address out of an abundance of caution.
Steve Walbrool, co-founder of Halborn, said: "Just considering the fact that this is something that has been around for so long, you don't know who could get the information. You may have clicked on a phishing email link and they have access to your technique. Maybe someone has taken it before, even if you have updated the keys. I just think out of an excess of caution, given the criticality, it's better to just change it."
He continued: "My number one recommendation is to just get a hardware wallet."
How did it happen
The vulnerability arose from a quirk in the JavaScript programming language that sometimes caused the user's secret recovery phrase to be stored in the user's local memory for some period of time. If the user had entered this phrase on a compromised or otherwise untrusted device, an attacker would have been able to retrieve it from memory if they knew exactly where to look (or, most likely, had a specialized tool to perform the task).
The secret recovery phrase, also called the seed phrase or mnemonic phrase, is a series of 12 words that users receive when setting up a smart wallet. It serves as a master key if users ever need to restore their wallet or set it up on a new device. If a person's secret phrase falls into the hands of someone malicious, it can be used to seize full control of that person's funds.
MetaMask was informed of the bug in July 2021 and released a patch in March of this year. Phantom found out about the bug in September 2021 and released several patches to solve the problem between January and April 2022.