MetaMask Security Monthly: February 2024

Whether we’re in a true bull market or not, MetaMask is still working hard to protect users, and we have a few exciting announcements! Remember: Scammers will be targeting new users along with veterans trying to take advantage of the market.

by Luker, March 7, 2024

Over the last month, the price of ETH has been up-trending and the number of MetaMask’s monthly active users is on its way to an all-time high. Whether we’re in a true bull market or not, MetaMask is still working hard to protect users, and we have a few exciting announcements! Remember: Scammers will be targeting new users along with veterans trying to take advantage of the market.


🦊 What We’ve Been Up To 🦊


MetaMask Security Alerts by Blockaid Now Enabled by Default for Multiple Networks


We recently integrated Blockaid-powered security alerts into our wallet app to bolster user protection across several Ethereum networks. This update, now automatically enabled for users, addresses the growing concern over malicious transactions in cryptocurrency. The integration comes after phishing attacks that resulted in over $200M lost in 2023, highlighting the urgent need for enhanced security measures. With MetaMask's user base now exceeding 30 million monthly active users, this development is a significant step towards safeguarding digital assets in an increasingly volatile market.

Even with advancements in user security, individuals navigating the web3 ecosystem must remain vigilant. Adding MetaMask security snaps would offer an extra layer of protection as transaction insights can show additional details not revealed natively in MetaMask. Phishing attempts targeting private keys and secret recovery phrases are expected to rise, as Blockaid's protections do not extend to preventing social engineering tactics. Users are advised to exercise caution and stay informed about the latest methods used by attackers to safeguard their digital assets effectively.

Here are some general guidelines to follow:

  • Do not install unverified software.
  • Be wary of customer support impersonators in your direct messages.
  • Be skeptical of seemingly attractive online personas; they could be scams.
  • It is never okay to share your private key or secret recovery phrase with any website or anyone online.

Going Beyond The Secret Recovery Phrase In MetaMask With Account Management Snaps (Beta)


The unique 12-word secret recovery phrase that every user has historically needed to create a MetaMask wallet can sometimes be difficult to keep secret and safe. There have been a variety of advancements in account management solutions over the past few years. We're happy to announce that with Account Management Snaps, there is now a permissionless path for teams that are creating these solutions to deliver to MetaMask users.

In February, we introduced the Keyring API in the MetaMask Extension, a robust tool that empowers developers to implement their account management concepts into MetaMask, and invited users to try any or all of the first three snaps in our experimental beta: Silent Shard, Safeheron, Capsule. We eagerly await your feedback!

Introducing LavaDome


LavaDome is the newest experimental tool in the LavaMoat toolbox for supply chain security, which utilizes the ShadowDom web API. It can be used to implement frontend-only components that exclusively allow interactions with the user and trusted code, while blocking access attempts by untrusted JavaScript and CSS code in the app. The intention is to use it for “defense in depth” and protect the most critical content we display in LavaMoat-protected apps in case all other protections have been defeated.


More from LavaMoat


  • Merged policy generation in LavaMoat webpack plugin. Though some features are missing from this beta release, it will be the first version that will be easy to try out.
  • Laverna, a tool we’re using to avoid publishing to NPM from CI where 2FA cannot be used, has been published. It’s a small utility that only runs npm publish on packages in a workspace that actually need publishing.
  • We’ll be rolling out lockdown for users with the 7.16 release of MetaMask Mobile for iOS. The SES lockdown() function is a key artifact to protect your software against supply chain attacks. By listing the primordials in JavaScript and freezing prototypes, lockdown() makes it unlikely for a malicious actor to perform a prototype pollution attack.
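The prototype pollution that lockdown() guards against, as an added example that is not MetaMask or LavaMoat code: a naive deep merge is run on a constructed payload before and after the shared prototypes are frozen, with hardenPrimordials() standing in (much simplified) for what SES lockdown() does.

```javascript
"use strict";
// Added example, not MetaMask or LavaMoat code: a naive deep merge open to
// prototype pollution, run before and after the shared prototypes are frozen.

// Naive recursive merge of attacker-controlled JSON into a settings object.
// "__proto__" is walked like any other key, so a nested object under it is
// merged straight into Object.prototype.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === "object") {
      if (dst[key] === null || typeof dst[key] !== "object") dst[key] = {};
      naiveMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed payload, the kind of JSON body an app might merge into config.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// True when the merge landed `isAdmin` on Object.prototype, i.e. every plain
// object in the app now reports isAdmin === true.
function tryPollute(payloadJson) {
  try {
    naiveMerge({}, JSON.parse(payloadJson));
  } catch (e) {
    // On a frozen prototype the write throws in strict mode (or is silently
    // dropped in sloppy mode); either way nothing lands.
  }
  return Object.prototype.hasOwnProperty.call(Object.prototype, "isAdmin");
}

// Simplified stand-in for SES lockdown(): freeze the shared prototypes so
// no property can be added or overwritten on them. Real lockdown() freezes
// every primordial and handles many more edge cases than this.
function hardenPrimordials() {
  for (const proto of [Object.prototype, Array.prototype]) Object.freeze(proto);
}

// Same merge before and after hardening: { before: true, after: false }.
function demo() {
  const before = tryPollute(PAYLOAD);
  delete Object.prototype.isAdmin; // undo the pollution before hardening
  hardenPrimordials();
  const after = tryPollute(PAYLOAD);
  return { before, after };
}

const RESULT = demo();
```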

🎙️ MetaMask in the Security Ecosystem 🔎


Is Client Side Security Dead - or a Crucial Part of the Future?


Gal Weizman champions the often underappreciated field of client-side security in this great read.

“...I’m so proud of the JavaScript security work we do - Since the MetaMask crypto wallet is a browser extension that is theoretically vulnerable to the same threats described in the context of dapps (and even more so being the critical bridge between dapps and the Ethereum network), in order to not die, MetaMask is forever obligated to ship the most secured client-side product ever.”

MetaMask’s Bug Bounty Program is Among the Highest Payouts of Disclosed HackerOne Bounty Programs


MetaMask Application Security Team lead Nicholas Ellul was quoted by Blockworks: “We conduct thorough audits, but it’s equally crucial for us to operate bug bounty programs to maintain a perpetual vigilance over time…This approach enhances our awareness of potential risks, enables us to devise mitigation strategies and contributes to developing the industry’s most secure wallet.”


Meanwhile…


SEAL Has Been Revealed!


The Security Alliance (SEAL) made its debut on February 14. SEAL represents a joint endeavor by the cybersecurity community to enhance safety within the crypto ecosystem. It has been operating quietly for a while, leading notable efforts such as SEAL 911 (a rapid-response help desk staffed by leading security experts) and SEAL Drills (which offers attack simulation training).

The alliance has also announced its Whitehat Safe Harbor Agreement, which acts as a framework for ethical hackers and MEV bots that intervene in public security incidents. In compliance with all aspects of the agreement, they are permitted to preemptively address exploits, provided that any funds are redirected to a specified location and an active attack is in progress. You can check them out at securityalliance.org.

⚠️ Tales of Caution ⚠️


Drainers Exploit MicroStrategy X Account to Execute a Successful 440K Phishing Heist


Summary

MicroStrategy's official X account was hacked on Feb. 26, promoting a fake Ethereum-based MSTR token airdrop, with PeckShield alerting users to the phishing link. The incident led to about $440,000 USD stolen from users, with significant losses possibly coming from a single victim. The exploiter has begun transferring the stolen funds, leaving approximately $195,000 worth of Ethereum in their address. While the drainer responsible for this attack has not been identified yet, many security researchers have begun labeling Pink Drainer as responsible.

How Users Can Protect Themselves

Users must exercise caution when clicking on links shared on social media platforms, as even accounts perceived as trustworthy have fallen victim to hacks, resulting in significant losses of funds. It is also highly recommended to keep substantial funds in hardware wallets, while wallets used for daily transactions should contain only minimal assets. Taking these steps can help safeguard against the loss of the majority, if not all, of your cryptocurrency holdings.

Users should be aware that account takeover attacks, such as the compromise of MicroStrategy’s official X account, can occur. Pausing before clicking a link or signing a transaction could protect users from fund loss incidents. Using different accounts for different transactions based on the level of risk can also mitigate potential damages.

22+ LastPass Hack Victims Lose 6.2M in Crypto Assets


Summary

@Zachxbt and @Tayvano have identified additional victims of the LastPass hack in December 2022. Between February 19th and 20th, over 22 victims of the LastPass hack suffered losses totaling US$6.2 million. The stolen funds were quickly transferred from EVM chains to Bitcoin. Details of the theft addresses are documented in a Chainabuse report. Since the initial LastPass attack, various crypto community members, including protocol founders, investors, developers, and users who stored their seed phrases on LastPass, have experienced significant financial losses exceeding 10 million.

How Users Can Protect Themselves

If you were a LastPass user before the hack in December 2022, your digital assets may be at greater risk of theft due to compromised seed phrases or keys. We recommend transferring your balances to a new wallet. For further security, users with substantial funds should consider cold storage options such as hardware wallets, which require physical access to use their funds.
