- Blockchain security firm Halborn discovered the bug, which allows a criminal to hijack a user’s secret recovery phrase.
- Affected users are those who use the wallet on a computer running an operating system such as macOS, Linux, or Windows, with Google Chrome, Firefox, or a Chromium-based web browser.
- To fix this configuration error, MetaMask asked users to update to version 10.11.3.
The greatest fear of a cryptocurrency holder is not an abrupt drop in price, as has happened in recent days, but the risk that their digital assets will be hacked. MetaMask, one of the most secure wallets on the market, announced a new vulnerability and alerted its millions of users.
To avoid panic, it must be made clear: only a very small share of MetaMask wallet owners is at risk. However, that does not rule out the possibility of being one of those who lose funds to hackers.
Hackers could get hold of your seed
Blockchain security firm Halborn discovered the bug, which allows a criminal to hijack a user’s secret recovery phrase. As a result, the intruder gains access to the funds.
To be subject to this “error”, the MetaMask user must meet three conditions. Bitcoin Mexico describes them below:
- The user must have imported the recovery passphrase from the MetaMask web extension to a compromised device.
- The user must have been using the virtual wallet extension from an unsecured computer.
- The user must have used the “show recovery secret phrase” checkbox during the import process.
To assist those who believe their wallet may be compromised, the largest virtual wallet provider has put together a guide. Those who wish to migrate their funds will have to pay the corresponding fees. In the case of the Ethereum network, these can be quite high despite the current bearish market.
It is worth noting that MetaMask supports a large number of other blockchains, such as Fantom, Binance Smart Chain or Moonbeam, to name just a few of the best known on the market.
“Assets under the Ethereum ERC-20, ERC-721 (NFTs) and ERC-1155 standards should be a priority,” Bitcoinist reported. MetaMask continued: “If your account has been compromised, a sweep bot may have been placed on it. In this case, as soon as you transfer tokens, they can be transferred to the attacker’s address.”
Mobile users are not affected; only macOS, Linux, and Windows users using Google Chrome, Firefox, or Chromium-based web browsers are. To correct this configuration error, MetaMask asked users to update to version 10.11.3.
Reward for finding the bug
Following Halborn’s discovery, which was considered a critical error, the company paid the firm $50,000 as a reward. This bounty is part of the program called HackerOne, which “works with the security community to find vulnerabilities in the wallet and anticipate Web3 threats”.
HackerOne has four levels with different prizes. Low-severity vulnerabilities pay out $1,000, medium-severity ones $2,000, high-severity ones $15,000, and critical ones five times as much.
If you think your wallet may have been in danger, it is better to open a new one, pay the corresponding fees and sleep more peacefully, right?