Popular cryptocurrency wallet providers MetaMask and Phantom said today that they had patched a security flaw that could, in some cases, allow attackers to obtain mnemonic phrases from a hacked computer's disk, enabling many browser-based extensions of wallets are at risk of being hacked.
Previously on MetaMask:
Popular cryptocurrency hot wallet providers MetaMask and Phantom (Solana ecosystem) disclosed on the 16th that they have recently patched a security flaw. The vulnerability stems from a problem in Javascript that may cause the mnemonic to be stored in memory for a period of time, allowing an attacker to obtain the mnemonic from an unencrypted hard drive, thereby controlling the victim user's encrypted assets and NFTs.
The vulnerability was discovered in May last year by blockchain security firm Halborn, which, in addition to MetaMask and Phantom, has notified at least ten other browsers, and extension-based wallet providers, according to Coindesk.
UPDATE: Some Wallets Have Fixed Vulnerabilities
Halborn confirmed that wallets that have fixed the vulnerability include MetaMask, Phantom, Brave, and xDefi.
Phantom announced today that they learned of the vulnerability in September 2021 and fully patched it in April this year. At the same time, they added that another critical security patch would be rolled out next week.
MetaMask said that users using mobile device applications are not affected, but a small number of users in many browser wallets, including MetaMask, will face security risks. The team released MetaMask expansion version 10.11.3 in March. Fixed the bug, so these shouldn't be an issue for users of this version and newer.
Conditions for an Attack
The team further explained that there is a possibility of being attacked if the following three conditions are met:
- The hard disk is not encrypted.
- Import the annotation words into a hacked computer or someone you do not trust.
- Use the "Show Mnemonic" feature when importing.
Final Words - Transfer Assets to New Wallet Addresses
MetaMask recommends that users consider transferring funds from these wallet accounts to ensure safety if they meet the above conditions. It also provides guidelines for migrating account funds and states that third-party migration tools must be used at your own risk.
The team further suggested that if users are concerned about assets being affected, they can consider enabling disk encryption on the system and using hardware wallets to manage assets. However, co-founder Steve Walbroehl, who received a $50,000 bounty from MetaMask for reporting the bug, Steve Walbroehl, told Coindesk that most users are still advised to move to a new wallet address.
Further Reading: Protect Your Crypto Wallets With InfoSec - The Three-Tier Wallet System and Crypto-Hygiene
Thank you for reading. May InfoSec be with you🖖.