MetaMask Security Monthly: February 2023
It’s a mixed bag this month. We’re happy to share what we’ve been up to, but there are always threats out there. Whether you’re getting blasted by snow storms or relaxing on a sunny beach, we hope you enjoy our February report.
Security Laboratory
Emmett Chappelle, renowned for his work in bioluminescence.
Endo
- New approach to secure bundler - For the sake of plugging secure bundling into more existing bundlers in the ecosystem, the work gets split between two stages. One: a plugin to an existing tool (like webpack) to create a compartment map and transformed sources and save it as an app archive. Two: a bundler capable of turning an app archive into a secure bundle file. With that approach, adding support for a new bundling tool/ecosystem should require less work and be less likely to undermine the security aspects of the bundler. https://github.com/endojs/endo/pull/1449
- Added attenuation for globals in policy. The basis for full compatibility with LavaMoat policies is ready for merging and shipping in compartment-mapper. Building on that implementation, a proof-of-concept attenuator for the ‘write’ global policy could be introduced. https://github.com/endojs/endo/pull/1491/
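To make the idea of attenuating globals concrete, here is an added example (written for this post; it is not Endo's compartment-mapper or LavaMoat's implementation). The policy shape mirrors the LavaMoat `globals` map, where `true` grants read access and `"write"` grants read and write access to a dotted path; `attenuateGlobals`, `resolvePath` and the stand-in global object are hypothetical helpers constructed for the demonstration.

```javascript
'use strict';

// Policy values in the LavaMoat style: true = read only, "write" = read and write.
const READ = true;
const WRITE = 'write';

// Walk a dotted path such as "location.href" through `root`; return the object that
// holds the final property plus that key, or null if an intermediate step is missing.
function resolvePath(root, path) {
  const parts = path.split('.');
  let holder = root;
  for (let i = 0; i < parts.length - 1; i++) {
    if (holder === null || holder === undefined) return null;
    holder = holder[parts[i]];
  }
  if (holder === null || holder === undefined) return null;
  return { holder, key: parts[parts.length - 1] };
}

// Freeze the view and its namespace objects without triggering any accessor.
function deepFreeze(obj) {
  for (const key of Object.getOwnPropertyNames(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if ('value' in desc && desc.value && typeof desc.value === 'object') deepFreeze(desc.value);
  }
  return Object.freeze(obj);
}

// Build an attenuated view of `realGlobal`: only the paths named in `policy` exist,
// reads pass through, and writes are forwarded only for "write" entries.
function attenuateGlobals(realGlobal, policy) {
  const view = Object.create(null);
  for (const [path, mode] of Object.entries(policy)) {
    if (mode !== READ && mode !== WRITE) {
      throw new TypeError(`unsupported policy value for "${path}": ${String(mode)}`);
    }
    const parts = path.split('.');
    let node = view;
    for (let i = 0; i < parts.length - 1; i++) {
      if (!(parts[i] in node)) node[parts[i]] = Object.create(null);
      node = node[parts[i]];
    }
    const key = parts[parts.length - 1];
    Object.defineProperty(node, key, {
      enumerable: true,
      configurable: false,
      get() {
        const r = resolvePath(realGlobal, path);
        return r ? r.holder[r.key] : undefined;
      },
      set(value) {
        if (mode !== WRITE) throw new TypeError(`policy denies write to "${path}"`);
        const r = resolvePath(realGlobal, path);
        if (!r) throw new TypeError(`"${path}" is not resolvable on the real global`);
        r.holder[r.key] = value;
      },
    });
  }
  return deepFreeze(view);
}

// Constructed stand-in for a real global object (not a browser window).
function makeConstructedGlobal() {
  return {
    console: { log() {} },
    location: { href: 'https://example.test/' },
    secret: 'not for packages',
  };
}

// Exercise the view: reads pass, undeclared globals vanish, writes obey the policy.
function demo() {
  const real = makeConstructedGlobal();
  const view = attenuateGlobals(real, { 'console.log': READ, 'location.href': WRITE });
  const out = {};
  out.readsThrough = typeof view.console.log === 'function';
  out.secretHidden = !('secret' in view);
  view.location.href = 'https://example.test/next';
  out.writeForwarded = real.location.href === 'https://example.test/next';
  try {
    view.console.log = () => {};
    out.writeDenied = false;
  } catch (err) {
    out.writeDenied = err instanceof TypeError;
  }
  return out;
}
```

The point of the design is that a package only ever sees the view: it cannot enumerate or reach `secret`, and an attempt to replace `console.log` is refused while the declared `location.href` write still reaches the real global.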
LavaMoat
- Initial work on plugging into webpack to generate an Endo-compatible compartment map was started in https://github.com/LavaMoat/webpack-plugin-compartment-map
@lavamoat/snow
Disabled creation of URL objects out of Blob/File to prevent bypass.
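As an added illustration of the snow change above (this is not @lavamoat/snow's own code), the guard below replaces `createObjectURL` so that `Blob` and `File` inputs are refused while other inputs, such as a `MediaSource`, still pass through. `installBlobUrlGuard` and the constructed URL stand-in are hypothetical helpers written for this example; the demo uses the real `Blob` where the host provides one (browsers, Node 18+) and a placeholder class otherwise.

```javascript
'use strict';

// Stand-in for the platform Blob constructor; File extends Blob, so one instanceof
// check covers both. A constructed placeholder keeps the demo runnable without a global Blob.
const BlobCtor = globalThis.Blob ?? class Blob {};

// Replace urlCtor.createObjectURL with a wrapper that rejects Blob/File arguments
// and lock the property so a later script cannot swap the original back in.
function installBlobUrlGuard(urlCtor, blobCtor = BlobCtor) {
  const original = urlCtor.createObjectURL;
  if (typeof original !== 'function') throw new TypeError('createObjectURL is not available');
  function createObjectURL(obj) {
    if (obj instanceof blobCtor) {
      throw new TypeError('createObjectURL: Blob and File inputs are disabled');
    }
    return Reflect.apply(original, urlCtor, [obj]);
  }
  Object.defineProperty(urlCtor, 'createObjectURL', {
    value: createObjectURL,
    writable: false,
    configurable: false,
    enumerable: false,
  });
  return original;
}

// Constructed stand-in for the URL constructor, so the demo does not depend on
// the host exposing URL.createObjectURL (in a browser you would pass the real URL).
function makeConstructedUrlCtor() {
  return { createObjectURL: (obj) => `blob:constructed/${obj.kind}` };
}

// Show the three behaviours: Blob refused, non-Blob allowed, guard cannot be replaced.
function demo() {
  const fakeURL = makeConstructedUrlCtor();
  installBlobUrlGuard(fakeURL);
  const out = {};
  try {
    fakeURL.createObjectURL(new BlobCtor(['constructed payload']));
    out.blobRefused = false;
  } catch (err) {
    out.blobRefused = err instanceof TypeError;
  }
  out.otherAllowed =
    fakeURL.createObjectURL({ kind: 'media-source' }) === 'blob:constructed/media-source';
  try {
    installBlobUrlGuard(fakeURL);
    out.locked = false;
  } catch (err) {
    out.locked = err instanceof TypeError;
  }
  return out;
}
```

Locking the property with `configurable: false` matters as much as the check itself: a guard that a later script can simply overwrite gives no protection.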
MetaMask Snaps
- LavaMoat team helped with hardening functionality that’s exposed to MetaMask Snaps.
- Research into unexpected iframe sandboxing side effects in Chrome.
The Good News
Eth_sign
Disabled by Default; Toggle in Advanced Settings
MetaMask has observed a significant trend of phishing kits that abuse eth_sign to trick users into inadvertently signing malicious transactions. In the interest of striking an appropriate balance between user protection and user autonomy, MetaMask has disabled eth_sign by default but will allow you to toggle it back on in the advanced settings. You can read more about it in our extension PR.
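The following added example (not MetaMask's code) shows the shape of such a gate: a JSON-RPC request is refused when its method is `eth_sign` and the user has not opted in. The preference name `ethSignEnabled`, the message text and the batch of dapp requests are constructed for this example; the error code 4200 is the EIP-1193 "Unsupported Method" value and -32600 is JSON-RPC 2.0's "Invalid Request".

```javascript
'use strict';

// EIP-1193 provider error code for a method the provider does not support.
const UNSUPPORTED_METHOD = 4200;
// JSON-RPC 2.0 error code for a malformed request object.
const INVALID_REQUEST = -32600;

// Hypothetical preference object; eth_sign is off unless the user turns it on.
const DEFAULT_PREFERENCES = Object.freeze({ ethSignEnabled: false });

// Decide whether a request may continue down the handling chain.
function gateRequest(request, preferences = DEFAULT_PREFERENCES) {
  if (!request || typeof request.method !== 'string') {
    return { allowed: false, error: { code: INVALID_REQUEST, message: 'Invalid Request' } };
  }
  if (request.method === 'eth_sign' && !preferences.ethSignEnabled) {
    return {
      allowed: false,
      error: {
        code: UNSUPPORTED_METHOD,
        message: 'eth_sign is disabled. Enable it in Advanced Settings only if you understand the risk.',
      },
    };
  }
  return { allowed: true };
}

// Run a constructed batch of dapp requests through the gate under both settings.
function demo() {
  const account = '0x' + 'ab'.repeat(20);
  const requests = [
    { jsonrpc: '2.0', id: 1, method: 'eth_accounts', params: [] },
    { jsonrpc: '2.0', id: 2, method: 'eth_sign', params: [account, '0x' + '11'.repeat(32)] },
    { jsonrpc: '2.0', id: 3, method: 'personal_sign', params: ['0x48656c6c6f', account] },
  ];
  const run = (prefs) =>
    requests.map((req) => ({ id: req.id, method: req.method, ...gateRequest(req, prefs) }));
  return {
    defaults: run(DEFAULT_PREFERENCES),
    optedIn: run({ ethSignEnabled: true }),
  };
}
```

Only the second request changes between the two runs: under default settings it is answered with the 4200 error and never reaches the signing logic, which is the behaviour the support ticket below describes seeing in the console.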
Recently, Devin Shin, a technical support engineer for MetaMask, reported:
“I was working with a user on a security ticket and wanted to share this. They provided me with an obvious scam site which I investigated. At first, I was confused as to the vector of phishing because nothing was happening while trying to interact with the site. I checked the console logs, and it was clear that the site attempted to prompt an eth_sign txn, which failed due to the recent change. Happy to see this change having a positive effect!”
Ding Dong, The Monkey Drainer is Dead! While we can’t say for certain, this change may have contributed to the end of the dreaded Monkey Drainer NFT phishing group.
Monkey Drainer has been shut down according to its owner. I wonder why 🤔 pic.twitter.com/BZ06Y1staD
— Fantasy 🦢 (@0xFantasy) February 28, 2023
Update
📧 Namecheap/SendGrid Email Breach 🎣
You may have received an email purporting to come from MetaMask a couple weeks ago, which asked users to enter their secret recovery phrases. You also might have seen our tweet warning about the high-profile phishing attempt, and reminding users MetaMask does not collect KYC info and will never email you about your account.
We have determined that the breach did not affect MetaMask directly, but the attackers were able to send MetaMask-branded phishing emails from the Namecheap domain. Namecheap initially stated that they believed the breach to have occurred with their upstream service provider, SendGrid. They later released the following statement on their blog, though both statements seem to have been withdrawn at the time of writing this on Feb 28.
Read more from Bleeping Computer.
Tales of Caution
Google Fi hack victim had Coinbase, 2FA app hijacked by hackers
Another harrowing SIM swap tale. Cell phone provider Google Fi informed the user "hackers had stolen some customers’ information, likely connected to the recent breach at T-Mobile." Things appear to have been resolved for now, but there are still many unanswered questions surrounding how safe this user's and other Google Fi customers' phones actually are. Read more from TechCrunch.
Fake Ethereum Denver website linked to notorious phishing wallet
Don’t trust Google Ads! In the leadup to one of the biggest events in the Ethereum ecosystem, would-be EthDenver attendees were a prime target for scammers who went “as far as paying for a Google advertisement to promote the malicious website’s URL.” Always be certain you know the authenticity of any source you connect your wallet to, and generally avoid any sponsored Google search results. Read more from Cointelegraph.
Beware of Social Engineering
1/ This week, an organised crime unit from Rome stole $4M from one of our users.
— Trust - Crypto Wallet (@TrustWallet) February 8, 2023
It was stated that the thief ‘took a picture’ of the user’s wallet balance to steal the funds.
We’ve done investigating into the events and believe this is how it happened…🧵👇