Critical Vulnerability Found That Could Put 21M Metamask Users’ Data at Risk


According to recent research, MetaMask crypto wallet users could be at risk of losing all their digital assets or even facing physical threats. Security analyst and cryptographer Alexandru Lupascu, the co-founder of the OMNIA protocol, found this vulnerability in the popular Web 3.0 wallet.

How much harm can it do?

Lupascu discovered that a malicious party can simply create a non-fungible token (NFT) and obtain a user’s IP address by transferring ownership of the digital artwork to that user for free. An attacker would need to spend as little as $50 to compromise someone’s privacy. He mentioned, “Don’t underestimate the risk associated with IP leaks.”

Lupascu added that “if malicious actors derive more information from the IP address (think geolocation, GSM carrier, etc.), they can turn it into physical risks, such as kidnapping.”

Additionally, this attack can be more “devastating than a Distributed Denial of Service (DDoS) attack,” according to the cryptographer. For a simple comparison, this attack can be eight times more powerful than the Mirai botnet attack of October 2016, which took down Twitter, Reddit, Spotify, GitHub, Netflix, Airbnb and many other popular websites.

Alexandru published a complete walkthrough of how the attack is done, from minting an NFT, to transferring it to the victim, to obtaining the IP address and, lastly, compromising the victim’s privacy or even stealing their crypto assets. He tested this attack on the iOS MetaMask app, version 3.7.0, but the Android version may be affected in the same way. He minted an NFT on OpenSea, the largest NFT marketplace, and edited the ERC-1155 standard smart contract with the Remix Ethereum IDE.
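The article does not spell out why receiving an NFT reveals an IP address. The mechanism Lupascu’s write-up describes is that the wallet client fetches the image referenced in the NFT’s metadata directly, so whoever hosts that URL sees the viewer’s IP. The following is an added example, not MetaMask’s or OMNIA’s code, of the kind of pre-fetch policy a wallet can apply: content is loaded without a network request when it is inline, fetched directly only from an allowlisted gateway, and otherwise held back for a proxy fetch or explicit consent. The gateway address, the allowlist and the sample metadata are constructed placeholders.

```python
"""Pre-fetch policy for NFT metadata URLs (added example; assumptions labelled).

Assumes the leak path is the wallet fetching a minter-controlled image or
media URL straight from the client, which reveals the client's IP to that host.
"""
import ipaddress
import json
from urllib.parse import urlparse

# Assumed wallet-operated IPFS gateway (placeholder, .invalid is never resolvable).
TRUSTED_GATEWAY = "https://ipfs.wallet-example.invalid/ipfs/"
# Assumed allowlist of shared public gateways; a request to these is not tied
# to the NFT's minter the way a request to the minter's own server is.
ALLOWED_HOSTS = {"ipfs.io", "gateway.pinata.cloud"}
# Metadata fields that wallets commonly auto-load (ERC-721/1155 metadata JSON).
MEDIA_FIELDS = ("image", "animation_url", "external_url")


def normalize_uri(uri: str) -> str:
    """Rewrite ipfs:// URIs to the trusted gateway; leave everything else as-is."""
    if uri.startswith("ipfs://"):
        path = uri[len("ipfs://"):]
        if path.startswith("ipfs/"):      # tolerate the ipfs://ipfs/<cid> variant
            path = path[len("ipfs/"):]
        return TRUSTED_GATEWAY + path
    return uri


def classify_uri(uri: str) -> str:
    """Return one of: inline, gateway, proxy, block.

    inline  - data: URI, no network request, nothing leaks
    gateway - trusted or allowlisted gateway, direct fetch acceptable
    proxy   - arbitrary host; fetch only via a privacy proxy or with consent
    block   - plaintext scheme, raw IP literal or unparseable target
    """
    if uri.startswith("data:"):
        return "inline"
    normalized = normalize_uri(uri)
    parsed = urlparse(normalized)
    if parsed.scheme != "https":
        return "block"                    # http/ftp/file etc. are not fetched at all
    host = parsed.hostname or ""
    if not host:
        return "block"
    try:
        ipaddress.ip_address(host)        # raw IP literal: no domain to vet, block
        return "block"
    except ValueError:
        pass
    if normalized.startswith(TRUSTED_GATEWAY) or host in ALLOWED_HOSTS:
        return "gateway"
    return "proxy"


def review_metadata(metadata_json: str) -> dict:
    """Classify every media field in an NFT metadata document."""
    meta = json.loads(metadata_json)
    return {field: classify_uri(meta[field])
            for field in MEDIA_FIELDS if isinstance(meta.get(field), str)}


# Constructed sample metadata: an image on a minter-controlled host next to an
# animation on IPFS. Only the IPFS asset would be fetched directly.
SAMPLE_METADATA = json.dumps({
    "name": "Free airdrop #1",
    "image": "https://cdn.minter-example.invalid/track.png",
    "animation_url": "ipfs://QmConstructedCidForExample/clip.mp4",
})

if __name__ == "__main__":
    for field, decision in review_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {decision}")
```

The point of the `proxy` bucket is that the decision to fetch from an unknown host is taken away from the token’s minter: the wallet either relays the request through infrastructure it operates or asks the user first, so simply airdropping a token no longer causes the client to contact the minter’s server.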

They fixed it?

According to Lupascu, he reported the security flaw to the MetaMask team on December 14, 2021, but they played it down and responded that they would fix the issue by Q2 2022. He said, “For us, it is unacceptable to leave such a large user base at risk for so long, especially if this was known in advance, as they say.”

After this research was made public, Daniel Finlay, the founder of MetaMask, admitted, “I think this issue has been widely known for a long time, so I don’t think a disclosure period applies.”

Finlay added: “Alex is right to call us for not addressing him sooner. Start working on it now. Thanks for the kick in the pants, and sorry to need it.”

Notably, ConsenSys, MetaMask’s parent company, raised $200 million as MetaMask surpassed 21 million monthly active users in November 2021. The most popular crypto wallet is also used as a gateway to 3,700 Web 3.0 decentralized applications (dApps).
