A number of prominent browser extension wallets, including Ethereum (ETH) wallet MetaMask, Solana (SOL)‘s Phantom, Brave, and cross-chain wallet extension XDefi, have patched a “critical vulnerability” that could have exposed sensitive login credentials if specific conditions were met.
The wallet providers claim the vulnerability has not been exploited by bad attackers, meaning no user funds were stolen using this vector of attack.
In a blog post, MetaMask detailed that the issue did not impact MetaMask Mobile users and only affected “a small segment of MetaMask Extension users as well as users of other browser/extension wallets.”
The popular Ethereum wallet said that they have since implemented updates to solve the issue, claiming that it does not affect users of the MetaMask Extension versions 10.11.3 and later. MetaMask added that users need to worry only if all of the following conditions are met:
- their hard drive was not encrypted;
- they imported their Secret Recovery Phrase into a MetaMask extension on a device that is in possession of someone they do not trust, or their computer is compromised;
- they used the “Show Secret Recovery Phrase” checkbox to view their Secret Recovery Phrase on-screen during the import process.
“If your computer is not physically secure from people you do not trust, we recommend you enable full disk encryption on your system,” MetaMask said. “Additionally, you are not affected by this if your funds are managed by a hardware wallet.”
“After some investigation and an official audit, fixes began rolling out in January 2022 and by April, Phantom users became protected from this critical vulnerability,” Phantom claimed, adding that they will release “an even more exhaustive patch” next week.
The security vulnerability was discovered and reported to all affected wallet browsers by blockchain security firm Halborn. “We disclosed a critical vulnerability affecting MetaMask, Phantom, Brave, and XDefi, and other browser based crypto wallets,” the company said in a Twitter thread.
Halborn said they discovered the “Demonic” vulnerability back in May 2021 and provided assistance to all affected browsers with the help of MetaMask.
The blockchain company has also received a USD 50,000 bounty from MetaMask for the discovery, which “was the largest security-related payout that MetaMask had ever made at the time,” Halborn said.
The incident is yet another reminder that internet-connected hot wallets are subject to security vulnerabilities. Users can consider hardware wallets for better security.