According to recent research, users of the MetaMask crypto wallet could be exposed to the loss of their digital assets or even to physical threats. Security analyst and cryptographer Alexandru Lupascu, co-founder of OMNIA Protocol, found the vulnerability in the popular Web 3.0 wallet.
How much harm can be done?
Lupascu found that a malicious party can simply mint a non-fungible token (NFT) and obtain a user's IP address by transferring ownership of the digital art to that user for free: when the wallet displays the unsolicited NFT, it fetches the token's metadata and image from a server the attacker controls, and that server records the IP address of the device making the request. An attacker would need to spend as little as $50 to compromise someone's privacy. Lupascu warned, “Do not underestimate the risk associated with IP leaks.”
Lupascu added that “if malicious actors derive more information from the IP address (think geolocation, GSM carrier, etc.), they can turn it into physical risks, such as kidnapping.”
Furthermore, this attack can be more “devastating than a Distributed Denial of Service (DDoS) attack,” according to the cryptographer. By his comparison, it could be eight times more powerful than the Mirai botnet attack of October 2016, which knocked out the DNS provider Dyn and with it Twitter, Reddit, Spotify, GitHub, Netflix, Airbnb and many other popular websites.
Lupascu published a complete walkthrough of the attack: minting an NFT, transferring it to the victim, harvesting the victim's IP address and, finally, using it to compromise their privacy or target their crypto assets. He tested the attack on version 3.7.0 of the MetaMask iOS app; the Android version may behave the same way. He minted an NFT on OpenSea, the largest NFT marketplace, and modified an ERC-1155 standard smart contract in the Remix Ethereum IDE.
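The mechanism described above, as an added example that is not part of Lupascu's write-up or of MetaMask's own code: a Python simulation in which a throwaway HTTP server stands in for the attacker's metadata host, a "vulnerable wallet" fetches the token's `uri(id)` straight from the user's device (so the host logs that device's IP), and a hardened wallet applies an opt-in policy before making any request for an unsolicited token. The `{id}` substitution follows the ERC-1155 specification (lowercase hex, zero-padded to 64 characters, no `0x`); the server, the trusted-scheme list and token ID 1337 are constructed for this demo. Everything runs on localhost, so the logged address is 127.0.0.1; in the real attack it would be the victim's public IP.

```python
"""Simulated NFT-airdrop IP leak and an opt-in metadata-fetch policy (added example)."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse
from urllib.request import ProxyHandler, build_opener


def resolve_erc1155_uri(template: str, token_id: int) -> str:
    """Apply the ERC-1155 '{id}' substitution: lowercase hex, zero-padded to 64 chars, no 0x."""
    return template.replace("{id}", f"{token_id:064x}")


class LoggingMetadataHandler(BaseHTTPRequestHandler):
    """Attacker-controlled metadata host: records who asked for the airdropped token."""

    requests_seen = []  # (client_ip, path) for every fetch, shared across requests

    def do_GET(self):
        LoggingMetadataHandler.requests_seen.append((self.client_address[0], self.path))
        # Constructed metadata; a real attacker would point "image" at the same logging host.
        body = json.dumps({"name": "Free airdrop", "image": "http://example.invalid/img.png"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # silence the default stderr access log
        pass


def start_attacker_server() -> HTTPServer:
    """Bind a throwaway server on 127.0.0.1 (any free port) and serve it in the background."""
    server = HTTPServer(("127.0.0.1", 0), LoggingMetadataHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Opener with no proxy, so the request really leaves from this device (the leaky case).
_direct = build_opener(ProxyHandler({}))


def vulnerable_wallet_fetch(token_uri: str) -> dict:
    """The leaky behaviour: metadata is fetched directly from the user's device, so the
    metadata host sees the user's real IP the moment the unsolicited token is rendered."""
    with _direct.open(token_uri, timeout=5) as resp:
        return json.load(resp)


# Assumption for the demo: these schemes are resolved through a wallet-operated gateway
# or are inline, so fetching them does not expose the user to a third-party host.
TRUSTED_SCHEMES = {"ipfs", "data"}


def should_auto_fetch(token_uri: str, user_opted_in: bool) -> bool:
    """Hardened policy: tokens hosted on arbitrary HTTP(S) origins are not fetched until the
    user explicitly chooses to reveal them (or routes the fetch through a privacy proxy)."""
    scheme = urlparse(token_uri).scheme.lower()
    return scheme in TRUSTED_SCHEMES or user_opted_in


def hardened_wallet_fetch(token_uri: str, user_opted_in: bool = False):
    """Return metadata only when policy allows; otherwise show a placeholder and send nothing."""
    if not should_auto_fetch(token_uri, user_opted_in):
        return None
    return vulnerable_wallet_fetch(token_uri)


def run_demo():
    """Airdrop token 1337 whose uri() points at the attacker host and compare both wallets.
    Returns (attacker log after the vulnerable fetch, attacker log after the hardened fetch)."""
    server = start_attacker_server()
    host, port = server.server_address
    LoggingMetadataHandler.requests_seen.clear()
    # What a malicious ERC-1155 contract's uri(1337) would return (constructed for the demo).
    token_uri = resolve_erc1155_uri(f"http://{host}:{port}/meta/{{id}}.json", 1337)
    try:
        vulnerable_wallet_fetch(token_uri)
        after_vulnerable = list(LoggingMetadataHandler.requests_seen)
        hardened_wallet_fetch(token_uri)  # no opt-in: no request reaches the attacker
        after_hardened = list(LoggingMetadataHandler.requests_seen)
    finally:
        server.shutdown()
        server.server_close()
    return after_vulnerable, after_hardened


if __name__ == "__main__":
    leaked, still = run_demo()
    print("attacker log after vulnerable wallet:", leaked)
    print("attacker log after hardened wallet:  ", still)
```

The point of the policy function is that the leak is not in the NFT itself but in the wallet's decision to contact an arbitrary origin on the user's behalf without asking; routing fetches through a wallet-operated proxy or gateway, or requiring an explicit reveal for unsolicited tokens, removes the attacker's ability to learn the device's address for the cost of a mint.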
Did they fix it?
According to Lupascu, he reported the flaw to the MetaMask team on Dec 14, 2021, but the team deprioritized it, responding that a fix would arrive by Q2 2022. He said, “For us, it is unacceptable to leave such a large user base at risk for so long, especially if this was known beforehand, as they say.”
After the research was made public, Daniel Finlay, co-founder of MetaMask, acknowledged, “I think this issue has been widely known for a long time, so I don’t think a disclosure period applies.”
Finlay added, “Alex is right to call us out for not addressing it sooner. Starting work on it now. Thanks for the kick in the pants, and sorry we needed it.”
Notably, ConsenSys, MetaMask's parent company, raised $200 million in Nov 2021, the same month MetaMask surpassed 21 million monthly active users. The most popular crypto wallet also serves as a gateway to some 3,700 Web 3.0 decentralized applications (dApps).
What do you think about this subject? Write to us and tell us!