On Wednesday, Metamask released details about an Extension Disk Encryption Issue.
The official blog reveals that security researchers at Halborn found a wallet loophole that can affect web-based wallets like MetaMask. As a result, Halborn Security was rewarded $50,000 under MetaMask’s recent bug bounty program for finding this bug.
The issue should not affect users running MetaMask Extension version 10.11.3 or later.
The Secret Recovery Phrase (SRP) used by web-based wallets could be accessed from the disk of a compromised computer under the following conditions:
- The user’s hard drive was unencrypted.
- The user imported an SRP into MetaMask (v10.11.2 or older) on a computer that was compromised or that was in someone else’s possession.
- The wallet owner checked the “Show Secret Recovery Phrase” checkbox to see the SRP onscreen during the import process.
MetaMask has asked users who fall into the above conditions to migrate their accounts as soon as possible, since these conditions affect all desktop operating systems and browsers that the wallet has tested.
The circumstances affect Windows, macOS, and Linux, with the Google Chrome, Chromium, and Firefox browsers. All versions of the MetaMask extension older than v10.11.3, on all browser versions, are affected too.
MetaMask has brought in new protections to mitigate the risk for its users. This does not affect MetaMask Mobile.
Elaborating on the complexities of the issue, Jeffrey Goldberg, a Principal Security Architect at 1Password, stated “This is a well-known issue that’s been publicly discussed many times before, but any plausible cure may be worse than the disease.”
Thus, full disk encryption is the foremost remedy for protecting a computer against physical access.
MetaMask also recommended using hardware wallets, clearing browser cache data, and keeping the system itself free of ‘viruses’ as additional security measures.
Not just MetaMask: Solana’s wallet Phantom also learned about this bug in September 2021. It started making fixes in January 2022, but only fully repaired the vulnerability in April of this year.
Phantom added that it would be coming up with additional security patches next week.
Phantom further revealed that it has hired Oussami Amri, the Halborn employee who discovered the bug, as a security engineer.