Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.
November 2022 saw LavaMoat roll Snow and global scuttling into production for all users, including MetaMask Extension, alongside a quadruply-backflipped SES build, Node.js domain taming, and an initial bin confusion mitigation, while Endo prototyped a general-purpose bundler and the Threat Intelligence Team started a STIX-based DeFi incident database. On the community side, MetaMask shared Kumavis's Devcon talk on JavaScript supply chain security, Gal Weizman made the case for integrating Snow into the extension, and a Twitter Space explored how Snaps can strengthen self-custody in the wake of the FTX collapse. Cautionary tales rounded out the month: Google Ads and Google Sites phishing, a malicious Chrome extension pushed through fake Flash Player updates, and Telegram trading bot scams. The full breakdown is below, but first...
Featured STEM pioneer: Daphne Oram, electronic music pioneer and co-founder of the BBC Radiophonic Workshop
Daphne Oram (1925–2003) co-founded the BBC Radiophonic Workshop in 1958 and pioneered the technique she called Oramics, drawing shapes directly onto film to synthesize sound. Her work translating hand-drawn patterns into precise signals prefigured the kind of signal-and-pattern thinking that underpins how self-custodial wallet software verifies data. Oram spent her career insisting that highly technical tools could be made expressive and accessible to non-specialists.
LavaMoat rolls out Snow and global scuttling to the MetaMask Extension
November 2022 marked a significant production rollout for LavaMoat. Snow (recursive iframe and realm security) and global scuttling (removing original global references after policy-based capture) shipped for all LavaMoat users, including MetaMask Extension. A "quadruply backflipped" version of SES with several powerful updates was introduced into LavaMoat for the upcoming release, including domain taming in Node.js—notable because some packages still use Node's long-deprecated domain module. The initial version of bin confusion attack mitigation was merged into @lavamoat/allow-scripts, to be available behind a flag in the next release. A new CLI for setting up all LavaMoat tools in a repository through a few guided questions was also in development.
Endo prototypes a general-purpose bundler on its compartment mapper
The Endo project experimented with using Endo to power a bundler, building a proof-of-concept general-purpose bundler on top of its compartment mapper. The work triggered a range of features and improvements across the Endo codebase, including a fix to a bug in how named reexports are handled.
MetaMask threat intelligence team builds a DeFi incident database on STIX
MetaMask’s Threat Intelligence Team began work on a standardized data store for incidents in the decentralized finance (DeFi) space. The records use the STIX (Structured Threat Information Expression) language, aiming to serve as a source of truth that provides insights to both specialists and enthusiasts tracking DeFi security incidents.
MetaMask co-founder Kumavis shares JavaScript supply chain security talk at Devcon 2022
MetaMask’s own Kumavis presented a Devcon 2022 talk called The Attacker is Inside, on JavaScript supply chain security. He explained how software supply chain attacks work in the JavaScript and crypto ecosystems—where every project builds on shared open source—and how MetaMask’s free, open-source LavaMoat tool that protects users and their wallets.
Gal Weizman makes the case for integrating Snow into the MetaMask Extension
LavaMoat contributor Gal Weizman published "Integrating Snow into MetaMask", arguing for deploying the Snow browser security technology directly into the MetaMask browser extension. Snow enforces recursive realm ownership across all iframes, closing the attack surface where newly created browser realms are used to reach untampered API references and bypass policies applied to the top-level window.
In the wake of the FTX collapse, a Twitter Space hosted by MetaMask brought together Christian Montoya (MetaMask), Zen Yong (Web3Auth), and Chirag Titiya (Biconomy) to discuss how permissionless innovation through MetaMask Snaps can help users take control of their own funds and better protect their Secret Recovery Phrases. As Zen Yong put it, the FTX event "could have had less of an impact on crypto in general if more people were to [practice] self custody." Montoya noted that the goal is to let developers build new account management options into MetaMask—giving new users easier, safer choices that reduce the risk of losing a key or having an account compromised.
Google Ads and Google Sites used to host crypto wallet phishing pages
Phishing campaigns continued to abuse Google infrastructure to target crypto wallet users. The Verge previously documented how phishers use Google Ads to trick people out of their crypto, and users should also watch for URLs beginning with "sites.google." As Mashable reported, scammers have also found success building phishing websites on Google Sites, copying the designs of trusted websites to trick people into entering sensitive information.
Malicious Chrome extension spreads through fake Adobe Flash Player updates
BleepingComputer reported on a malicious Chrome extension that gives attackers remote control of a browser. The extension is not available on the official Chrome Web Store and is instead circulated through alternative channels, such as websites pushing fake Adobe Flash Player updates. The takeaway for users: avoid installing browser extensions or "updates" from unofficial sources.
Telegram trading bot scams put wallet keys at risk
Warnings circulated on social media in November 2022 about malicious activity on Telegram and trading bots. Twitter user Big D flagged a Trojan spreading through Telegram that could download to a phone through an easy-to-miss automatic setting, while another analysis examined how users’ Private Keys can be exposed within trading bots. The adoption of trading bots is rising,but granting them wallet access can put funds at risk.
MetaMask's November 2022 Crypto Security Report covered LavaMoat's production rollout of Snow and global scuttling to the MetaMask Extension, a Twitter Space on how MetaMask Snaps can strengthen self-custody in the wake of the FTX collapse, and cautionary tales spanning Google Ads and Google Sites phishing, a malicious Chrome extension, and Telegram trading bot scams. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.