United Global Whitehat Security Team (UGWST), including René Kroka and José Almeida, has been awarded a bounty of $120,000 for responsibly disclosing a critical security vulnerability. The MetaMask team has already patched the issue for MetaMask users, as this vulnerability has not been exploited yet. As long as attackers can run the MetaMask extension layer over another website, they can trick users into sending crypto-assets or revealing private data without realizing they’re doing it.
It is possible for users to view MetaMask in two different ways: as a small rectangular window appearing from the browser bar, or as a full-page view. It is not suitable for viewing within an iframe, and should never be. Iframes are widely used features of HTML that allow the content of one website to be viewed within the context of another web page. Iframe technology by itself is not malicious or a security risk. Clickjacking is one way to trick users by using the technology in a deceptive manner.
In order to exploit this vulnerability, the user must conceal that MetaMask is open and that he is in fact clicking on it. An in-browser video game, for example, is directed to the user in this scenario. To set up the game and begin playing, the user clicks a number of buttons on the page. Rather than clicking on prompts in a video game, the user is clicking through prompts in MetaMask to send their crypto-assets to a malicious actor. However, the user hasn’t realized that the video game has imposed over it, their MetaMask extension, open in an iframe with opacity set to zero.
According to UGWST, MetaMask’s extension could be run in an iframe under certain circumstances. Using the MetaMask extension, they showed how a bad actor could use certain resources for malicious purposes.The MetaMask security team immediately applied the fix to the extension, which has been pushed out to all MetaMask users. The vulnerability has never been exploited before.Make sure you have at least version 10.14.6 of the MetaMask extension for your security. Detailed instructions on manually updating MetaMask can be found here.
Staying Safe in Web3
Security is of utmost importance to MetaMask, especially in an ecosystem where users are the custodians of their own data. MetaMask’s mission is to enable and empower users, and with that capability and power comes responsibility for their security.Whether you’re new to the space or experienced, we recommend you enable full-disk encryption to protect your data regardless of your experience level. Take a look at our Knowledge Base for some security basics.