MetaMask, the world’s most used crypto wallet, was recently informed by Halborn, a security firm, of a security vulnerability in earlier versions of its browser extension that could potentially threaten users’ crypto wallets. The Ethereum-based crypto wallet awarded Halborn $50,000 for recognizing the error quickly.
Halborn, a blockchain-based security firm, recently reported to MetaMask a bug in versions of its browser extension before 10.11.3.
MetaMask immediately warned its users about the security vulnerabilities to ensure everyone is up-to-date with the app and browser version.
According to the crypto wallet company, there were no threats to the mobile app or the newer versions of MetaMask; however, anyone using a version earlier than 10.11.3 should be on their toes.
Users might be affected in three ways:
- Their hard drive is unencrypted
- They imported a secret recovery phrase into a MetaMask extension through a device that was hacked, stolen, or has unverified access
- They used the “Show Secret Recovery Phrase” checkbox to view their secret recovery phrase on-screen while the import was being processed. The secret recovery phrase on display can be used as a private key to access the wallet.
In an official statement, the MetaMask team said, “We’ve only found that the Secret Recovery Phrase could be extracted under very specific circumstances, and we’ve been able to introduce new protections over the period that Halborn has waited to disclose.”
MetaMask thanked Halborn for discovering the security vulnerability and awarded it funds. According to the team, most browser-based crypto wallets are experiencing security vulnerabilities more often.
Even big wallet companies like MetaMask could not escape the need for a security patch, but early discovery can save users from big losses. This security exploit is most likely to affect self-custody wallets on MetaMask.
For users of leading companies like Coinbase or Binance, the exchanges hold custody of their wallets, so they are unlikely to have this vulnerability; self-custody wallets are not held by an exchange in this way.
MetaMask issued a statement asking users to update their browser extensions and mobile apps to the latest versions to avoid the exploit. Users whose wallets have been exploited should take out their money immediately.
In an interview, the chief security officer and co-founder of Halborn, Steven Walbroehl, explained: “This impact is only for those that self-custody those assets, and it is the users’ responsibility to take it seriously, upgrade the wallets to the patched version listed on the wallet developer’s websites, and to rotate their mnemonic phrase if they think it may be at risk.”
Dan Finlay, the founder of MetaMask, also asked users to remain alert and educate themselves about the viruses that might compromise their wallets.
Because MetaMask is a self-custody wallet, it is the responsibility of users to ensure their systems aren’t vulnerable to hacks. “We will continue to introduce additional security mechanisms that reduce this risk even more,” he added.
Read the official blog post by MetaMask here: medium.com/metamask/security-notice-extension-disk-encryption-issue-d437d4250863