Metatask Extension Security Issues
Leading Ethereum (ETH) browser extension Metamask reportedly broadcasts ETH addresses to all websites a user visits in its default settings, a GitHub issue submitted on March 20 states.
Metamask is a browser extension featured in the Brave browser — compatible with Mozilla Firefox, Google Chrome and Opera— that enables its users to interact with Ethereum-based decentralized applications (DApps). According to the aforementioned GitHub issue, Metamask broadcasts its users’ ETH address to all the websites visited in its default settings, with the post specifying that the ETH addresses are shown in data objects contained in message broadcasts as opposed to window objects.
According to the issue report, this can lead to the identification of users and precludes Metamask use by privacy sensitive DApps. More precisely, the user cites the recently hacked porn DApp Spankchain and health DApps as examples.
Moreover, not only the administrators of the visited websites have access to users’ Metamask addresses, but also so-called trackers such as Facebook like or share buttons, Twitter retweet buttons and similar systems that can fingerprint the browser. The user also noted on GitHub that he expects that “these message broadcasts will significantly decrease the value of ETH over the long-term.”
In his answer to the GitHub issue, developer Dan Miller argued that enabling private mode solves the problem, to which the user who created the report responds that it does not. ConsenSys software developer Daniel Finlay admitted that they agree that there is a need to enable privacy mode by default, and that the extension’s privacy could be improved upon.
Lastly, Finlay also responded to the user’s allegations that the reportedly lacking privacy features of the software are malicious in nature:
“We definitely reject all your claims that this is some weird malicious act on our part. That would be the craziest move we could ever make on a totally open source crypto project.”