- Discovered Vulnerability Exposes Users’ Secret Recovery Phrases From Browser Wallet
- Affected wallet providers were contacted and the vulnerability was kept confidential until the security issues were fixed.
Several popular browser-based crypto wallets are vulnerable to hacking under certain conditions, according to new research.
Blockchain security firm Halborn found several instances in which wallets including Brave, MetaMask and Phantom can be compromised under specific conditions on the user's computer, adding another wrinkle for traders still reeling from recent high-profile decentralized finance (DeFi) hacks.
Under those conditions, a crypto wallet user's secret recovery phrase (a series of generated words that gives the owner access to their crypto) can be exposed on disk, and anyone who obtains it can derive the wallet's private keys and take control of the funds. In total, billions of dollars in digital assets are stored in software wallets.
Affected wallet providers were contacted and the vulnerability was kept secret until the security issues were fixed.
Who is affected?
Users who meet the following conditions may be at risk:
- Users who have unencrypted hard drives
- Users who previously imported their secret recovery phrase into a browser extension on a device that is now in someone else’s possession, or whose computer has been compromised
- Users who have used the “Show secret recovery phrase” checkbox to see their secret recovery phrase on screen during the import process
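The three conditions above combine into one concrete situation: the recovery phrase, once typed or pasted into the extension, was written to an unencrypted disk, where anyone with the drive can read it. The following script is an added example for this page (not Halborn's or any wallet vendor's tooling) of the check a practitioner would want to run: a read-only scan of a directory tree for checksum-valid BIP39 mnemonics. It embeds only a small subset of the official BIP39 English wordlist with the words' official indices so that it runs offline; for a real scan, load the full 2048-word english.txt as the comment in the code describes. Because only checksum-valid runs of 12 to 24 consecutive dictionary words are reported, ordinary English text rarely triggers it.

```python
"""Scan files for BIP39 secret recovery phrases stored in plaintext.

Added example, not Halborn's or any wallet vendor's code. It looks for runs
of consecutive BIP39 words of a valid mnemonic length and keeps only those
whose checksum verifies, which is what a phrase copied out of a wallet import
form looks like if a browser or extension wrote it to disk unencrypted.
"""
import hashlib
import re
import sys
from pathlib import Path

# ASSUMPTION: a small subset of the official BIP39 English wordlist, keyed by
# each word's official index (its position in english.txt), embedded so this
# example runs offline. For a real scan replace it with the full list, e.g.:
#   BIP39_INDEX = {w: i for i, w in enumerate(Path("english.txt").read_text().split())}
BIP39_INDEX = {
    "abandon": 0, "ability": 1, "able": 2, "about": 3, "above": 4,
    "art": 102, "zoo": 2047,
}
VALID_LENGTHS = (12, 15, 18, 21, 24)   # 128..256 bits of entropy in 32-bit steps
TOKEN_RE = re.compile(r"[A-Za-z]+")


def bip39_checksum_ok(words, index=BIP39_INDEX):
    """True if `words` is a checksum-valid BIP39 mnemonic under `index`.

    Each word encodes 11 bits; the last len(words)/3 bits are the leading bits
    of SHA-256 over the entropy that the remaining bits spell out.
    """
    n = len(words)
    if n not in VALID_LENGTHS or any(w not in index for w in words):
        return False
    bits = "".join(format(index[w], "011b") for w in words)
    cs_len = n // 3                       # 11n = ENT + ENT/32, so ENT/32 = n/3
    ent_bits, cs_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return cs_bits == expected


def find_mnemonics(text, index=BIP39_INDEX):
    """Return [(char_offset, phrase)] for every checksum-valid mnemonic in text.

    Maximal runs of consecutive dictionary words are located first; inside a
    run every window of a valid length is checked, so a phrase embedded in
    JSON or surrounded by unrelated words is still found.
    """
    tokens = [(m.start(), m.group().lower()) for m in TOKEN_RE.finditer(text)]
    hits = []
    i = 0
    while i < len(tokens):
        j = i
        while j < len(tokens) and tokens[j][1] in index:
            j += 1                        # extend the run of dictionary words
        run = tokens[i:j]
        for length in VALID_LENGTHS:
            for start in range(len(run) - length + 1):
                words = [w for _, w in run[start:start + length]]
                if bip39_checksum_ok(words, index):
                    hits.append((run[start][0], " ".join(words)))
        i = max(j, i + 1)
    return hits


def scan_tree(root, index=BIP39_INDEX, max_size=64 * 1024 * 1024):
    """Walk `root` read-only and return (path, offset, phrase) for each hit.

    Files are decoded as latin-1 so binary stores (browser session files,
    extension storage) can be searched for ASCII phrases too. Phrases stored
    as UTF-16 or split across records are not detected, so a clean scan is
    not proof that the phrase was never written to disk.
    """
    found = []
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > max_size:
                continue
            data = path.read_bytes()
        except OSError:
            continue
        for offset, phrase in find_mnemonics(data.decode("latin-1"), index):
            found.append((str(path), offset, phrase))
    return found


# Constructed sample, not real data: the well-known all-zero-entropy 12-word
# vector as it might appear in a dumped form field, followed by a 12-word run
# of dictionary words whose checksum is wrong and must not be reported.
SAMPLE = (
    'session-restore {"field":"seed","value":"'
    + " ".join(["abandon"] * 11 + ["about"]) + '"} '
    + "noise: " + " ".join(["abandon"] * 11 + ["able"])
)

if __name__ == "__main__":
    for root in sys.argv[1:] or ["."]:
        for path, offset, phrase in scan_tree(root):
            # Print only the first and last word so the scan log does not
            # become yet another plaintext copy of the phrase.
            first, last = phrase.split()[0], phrase.split()[-1]
            print(f"{path}:{offset}: possible recovery phrase {first} ... {last}")
```

Run it against the browser profile directory (and, for a thorough check, the whole home directory) with the browser closed. A hit means the phrase should be treated as compromised: move the funds to a wallet created from a fresh phrase, then wipe the affected files and enable full disk encryption. The test vectors used in the sample are the standard all-zero-entropy mnemonics ("abandon" repeated with "about" or "art" as the checksum word), which is why the checksum logic can be verified without the full wordlist.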
The wallets affected by this vulnerability, MetaMask among them, are self-custodial wallets, meaning that users are solely responsible for safeguarding their own private keys.
“Exchanges like Coinbase or Binance often have custody of those keys on behalf of their clients,” Steven Walbroehl, chief security officer and co-founder of Halborn, told Blockworks.
“This impact is only for those who are custodians of those assets, and it is the users’ responsibility to take it seriously, update wallets to the patched version listed on the wallet developer’s websites, and rotate their mnemonic if they believe it may be at risk,” Walbroehl said.
MetaMask has asked users to update their extension to version 10.11.3 or later and to “take the time to enable full disk encryption on computers.”
Echoing Walbroehl, Dan Finlay, founder and group manager of MetaMask, wrote in a blog post that users should “remember that it is your responsibility to keep your computer secure. No wallet or software can be kept safe if the system it runs on is compromised. Please take the time to learn how to prevent a virus from being installed on your computer.”
Meanwhile, Phantom wrote in a blog post that to protect themselves on Web3, in addition to general internet security measures, users should diversify their wallets to minimize risk and use hardware wallets to store large amounts of assets and coins.
“Other mitigations include storing the mnemonic key/phrase in a hardware-based wallet like Trezor or Ledger. These wallets still work with software wallets like MetaMask when physically connected via USB cable…but they protect the keys from attackers who can access your drive,” Walbroehl said.
Halborn was awarded $50,000 for the discovery. The wallet providers did not immediately respond to requests for comment.