Key facts:
The browser version of Metamask could be used on other sites without the user’s knowledge.
No users were affected by the vulnerability, and the developers have already fixed it.
Ethereum wallet Metamask announced the discovery and fix of a vulnerability that could have cost its users dearly. The find was from the United Global Whitehat Security Team (UGWST) organization, which received a $120,000 reward from the wallet’s developers.
According to a publication from Metamask on Medium, no users were affected by this vulnerability, which relied on the technique known as clickjacking. The strategy consists of camouflaging malicious code on a site so that the user clicks on it without realizing it. For example, if you fall for clickjacking by clicking “Play” on a video, you could be granting access to the funds in your wallet.
Also, Metamask reported that its developer team has already fixed the problem, which only affected its browser extension and not the mobile app.
As detailed in the article, the vulnerability made it possible to load Metamask as an iframe (i.e. as a box within another website) with its opacity set to zero so that it is not visible. Therefore, the user might not notice that their wallet was open while browsing another site apparently unrelated to it.
In this way the attackers could have collected private information about the accounts, or even tricked users into inadvertently approving fund transactions.
Precisely what UGWST warned the Metamask developers about is that, under certain circumstances, the wallet could be made to run as an iframe. Therefore, this could be exploited by hackers to steal other people’s accounts or funds.
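The standard defenses against the framing technique described above are, on the server side, a Content-Security-Policy `frame-ancestors` directive (or the older X-Frame-Options header) that forbids other origins from embedding the page, and, on the client side, a runtime check that the page is the top-level window. The following is an added example written for this article, not code from Metamask or UGWST; the header values are constructed samples, and the `partner.example` origin is a placeholder.

```javascript
// Added example (not Metamask's code): two checks a web page or extension UI
// can use to detect or refuse being embedded invisibly in another site.

// Parse a Content-Security-Policy header value into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Returns true when the response headers stop other origins from framing the page.
// If frame-ancestors is present, browsers that support CSP ignore X-Frame-Options,
// so the CSP directive decides; otherwise fall back to X-Frame-Options.
function framingBlocked(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;

  const csp = lower['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors && ancestors.length > 0) {
      // Only 'none' (no framing) or 'self' (same origin only) keep third parties out.
      return ancestors.every((src) => src === "'none'" || src === "'self'");
    }
  }
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  return xfo === 'DENY' || xfo === 'SAMEORIGIN';
}

// Runtime check for a page: inside an iframe, window.top is a different object
// from window.self. Accessing top across origins can throw, which also means
// the page is framed. Takes the window object as a parameter so it can be tested.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (err) {
    return true;
  }
}

// Constructed sample header sets (not real Metamask responses).
const weakHeaders = { 'Content-Type': 'text/html' };
const hardenedHeaders = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
};

if (typeof window === 'undefined') {
  console.log('weak headers block framing:', framingBlocked(weakHeaders));       // false
  console.log('hardened headers block framing:', framingBlocked(hardenedHeaders)); // true
} else if (isFramed(window)) {
  // A wallet UI that finds itself framed should refuse to render sensitive actions.
  document.body.textContent = 'This page must not be embedded in another site.';
}
```

The header check is the one to run in a deployment review: a page that relies on client-side JavaScript alone can be defeated by sandboxed iframes that disable scripts, so `frame-ancestors` (with X-Frame-Options as a fallback for old browsers) is the control that actually prevents the invisible-iframe setup, and the runtime check is a second layer for the UI itself.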
To prevent this type of malicious practice, Metamask recommended its users to update the application and always use the latest version available. Currently, it is version 10.14.6. Recently, in addition, the company had launched support for victims of scams that is available to all its users, as reported by CriptoNoticias.
Bug finders can earn rewards
Delivering money rewards to those who collaborate in discovering errors or vulnerabilities in code is not an exception that Metamask has made on this occasion. On the contrary, it is a common practice.
Recently, CriptoNoticias reported on an Ethereum Foundation program for those who discover flaws in the network. In the last edition, the fourth of the year, rewards of up to USD 250,000 were offered.
UGWST had collaborated with other companies before
On its website, UGWST presents itself as “a private group of experienced and highly qualified security researchers” who work with various companies around the world to improve the security of their applications, networks, and code.
The main purpose of this organization is to discover potential security threats before hackers do. Its main members are René Kroka, José Almeida, Edward Barnhill, Jay Rahman and Justin Ash.
Among the companies in the world of cryptocurrencies that UGWST has audited, in addition to Metamask, OpenSea, Crypto.com, Wormhole and Lido stand out. There are also others in the software and technology field in general, such as Microsoft, Apple, Steam and Reddit.