MetaMask Announces Bug Bounty for Clickjacking Vulnerability

United Global Whitehat Security Team (UGWST), including René Kroka and José Almeida, has been awarded a bounty of $120,000 for responsibly disclosing a critical security vulnerability. The MetaMask team has already patched the issue for MetaMask users, and the vulnerability has not been exploited. If attackers can run the MetaMask extension as a layer over another website, they can trick users into sending crypto-assets or revealing private data without realizing they’re doing it.

Background Information


Users can view MetaMask in two ways: as a small rectangular window that opens from the browser bar, or as a full-page view. It is not meant to be viewed within an iframe, and never should be. Iframes are a widely used HTML feature that allows the content of one website to be displayed within another web page. Iframe technology by itself is not malicious or a security risk; clickjacking is one way of using it deceptively to trick users.


Exploiting this vulnerability depends on concealing from the user that MetaMask is open and that they are in fact clicking on it. In this scenario, the user is directed to, for example, an in-browser video game. To set up the game and begin playing, the user clicks a number of buttons on the page. What the user hasn’t realized is that laid over the video game is their MetaMask extension, open in an iframe with opacity set to zero. Rather than clicking through prompts in a video game, the user is clicking through prompts in MetaMask to send their crypto-assets to a malicious actor.

UGWST’s Discovery

According to UGWST, MetaMask’s extension could be run in an iframe under certain circumstances. Using the MetaMask extension, they showed how a bad actor could use certain resources for malicious purposes. The MetaMask security team immediately applied the fix to the extension, which has been pushed out to all MetaMask users. The vulnerability has never been exploited. For your security, make sure you have at least version 10.14.6 of the MetaMask extension. Detailed instructions on manually updating MetaMask can be found here.
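An added example, not code from MetaMask or UGWST: a website can load a browser extension's page in an iframe only when the extension's manifest lists that page under `web_accessible_resources`, so the JavaScript check below flags UI pages exposed that way. The article does not say how MetaMask's fix was made; the manifests, page names and the `example.test` origin are constructed samples.

```javascript
// Added example: flag extension UI pages that a website could load in an iframe.
// All manifests and file names below are constructed, not MetaMask's real ones.

// Resource patterns may contain "*"; treated here as "any run of characters"
// (a simplification of the browser's own matching).
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Normalise web_accessible_resources: Manifest V2 is a list of strings
// (exposed to every origin); Manifest V3 is a list of objects that scope
// the exposure with `matches` and/or `extension_ids`.
function exposedEntries(manifest) {
  const war = manifest.web_accessible_resources || [];
  return war.flatMap((e) =>
    typeof e === "string"
      ? [{ pattern: e, origins: ["<all_urls>"] }]
      : (e.resources || []).map((p) => ({
          pattern: p,
          origins: [...(e.matches || []), ...(e.extension_ids || [])],
        }))
  );
}

// Return every UI page (HTML file) that the manifest lets a web page embed.
function frameablePages(manifest, uiPages) {
  const findings = [];
  for (const page of uiPages) {
    for (const { pattern, origins } of exposedEntries(manifest)) {
      if (globToRegExp(pattern.replace(/^\//, "")).test(page)) {
        findings.push({ page, pattern, origins });
      }
    }
  }
  return findings;
}

// Constructed sample inputs.
const mv2Sample = { manifest_version: 2, web_accessible_resources: ["inpage.js", "*.html"] };
const mv3Sample = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["images/*"], matches: ["<all_urls>"] },
    { resources: ["/popup.html"], matches: ["https://example.test/*"] },
  ],
};
const uiPages = ["popup.html", "fullpage.html", "confirm.html"];
console.log(frameablePages(mv2Sample, uiPages), frameablePages(mv3Sample, uiPages));
```

Any finding for a page that can approve a transaction or reveal account data is worth removing from the exposed list or narrowing to specific origins.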

Staying Safe in Web3

Security is of utmost importance to MetaMask, especially in an ecosystem where users are the custodians of their own data. MetaMask’s mission is to enable and empower users, and with that capability and power comes responsibility for their security. Whether you’re new to the space or experienced, we recommend you enable full-disk encryption to protect your data. Take a look at our Knowledge Base for some security basics.
