MetaMask Security Monthly: July 2022

GM, GA, GE, or GN, wherever you are! Here’s the latest from our Security Laboratory, some new bounty program stats, and a few things to help you keep security top of mind!

by MetaMask, July 29, 2022

Security Laboratory

Endo

CommonJS support gaps have been filled!

The final fixes for CommonJS support in Endo have landed, and https://github.com/endojs/endo/issues/1055 is officially closed. Work on the TC39 module spec changes prompted questions about whether virtualized module loaders can import CommonJS modules that have specific requirements around getters and setters. Research in that area may prompt further changes to Endo's CommonJS support, or allow Endo's CommonJS support to serve as prior art for the spec.

LavaMoat

LavaMoat introduces new experimental tools for building more secure browser-based technologies!

As part of LavaMoat's mission to build tools with which developers can better secure their JavaScript-based technologies, today LavaMoat introduces Securely, Snow and Across. All three unlock new possibilities for defending web technologies by introducing capabilities that were not available before, while taking into account the very sensitive ecosystem that is the browser.

Securely 🔒

With Securely you can preserve exclusive access to native functionality within the web app and safely call native APIs, resting assured that any tampering with those APIs cannot affect your code.

In other words, if your program needs to use fetch but you are worried that it might have been tampered with by third-party JavaScript running in the same context as your code, Securely gives you access to the original fetch API and sidesteps the tampering.

With Securely you can defend your code against attacks such as prototype pollution and man-in-the-browser (MITB) attacks.

Check out Securely's demo and source code.
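The core idea behind the fetch scenario above, as an added example that is not Securely's code or API: capture private references to the native functions before any third-party script runs, and call only those. JSON.stringify and Array.prototype.includes stand in for fetch so the file runs under Node without a network; the attacker script and the allowlist are constructed for the example.

```javascript
// Added example (not LavaMoat's Securely code or API): keep private references to
// native functions captured before any third-party script runs, then call only
// those. JSON.stringify and Array.prototype.includes stand in for fetch.

// 1. Capture at load time, before untrusted code has had a chance to execute.
//    Reflect.apply is captured too, so that later tampering with
//    Function.prototype.call/apply (or Reflect.apply itself) cannot change how
//    the captured functions are invoked.
const natives = Object.freeze({
  apply: Reflect.apply,
  stringify: JSON.stringify,
  includes: Array.prototype.includes,
});

// Hardened entry points: always invoke the captured originals.
function securedStringify(value) {
  return natives.apply(natives.stringify, JSON, [value]);
}
function securedIncludes(list, item) {
  return natives.apply(natives.includes, list, [item]);
}

// Naive equivalents that resolve the API at call time, as most code does.
function naiveStringify(value) {
  return JSON.stringify(value);
}
function naiveIncludes(list, item) {
  return list.includes(item);
}

// 2. A malicious third-party script that runs later in the same realm
//    (constructed for this example). It replaces the shared globals and
//    prototype methods the naive code depends on.
function runAttacker() {
  JSON.stringify = () => '{"tampered":true}';
  Array.prototype.includes = () => true; // prototype pollution: every allowlist check passes
  Reflect.apply = () => { throw new Error('Reflect.apply hijacked'); };
}

// Undo the tampering so the rest of the process is unaffected.
function restoreNatives() {
  JSON.stringify = natives.stringify;
  Array.prototype.includes = natives.includes;
  Reflect.apply = natives.apply;
}

// 3. Compare both paths after the attacker has run.
function demo() {
  runAttacker();
  try {
    const allowedOrigins = ['https://api.example.com']; // constructed sample allowlist
    const candidate = 'https://evil.example';
    return {
      naiveStringify: naiveStringify({ ok: 1 }),                 // '{"tampered":true}'
      securedStringify: securedStringify({ ok: 1 }),             // '{"ok":1}'
      naiveAllowed: naiveIncludes(allowedOrigins, candidate),     // true: check bypassed
      securedAllowed: securedIncludes(allowedOrigins, candidate), // false: original semantics
    };
  } finally {
    restoreNatives();
  }
}

console.log(demo());
```

Two caveats a practitioner should keep in mind. The capture must run before any untrusted code does; a reference captured after tampering is a reference to the tampered function. And a captured reference protects only the entry point: a captured fetch still hands back Response objects whose prototype methods live in the same realm and can be patched just as JSON.stringify was here, so the same treatment has to be applied to everything the native's result is used through.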

Snow ❄️

With Snow, you can obtain exclusive first access to every newborn window within the web app.

You provide Snow with a single callback, and Snow makes sure it is called with every new window that is attached to the DOM, before the window's creator is granted access to it.

Creating an iframe to obtain a fresh realm, and with it fresh copies of the built-in APIs, is a common attacker technique for escaping protections applied in the top window. With Snow you can apply the security policy that you applied to the top window to every new window that is created, and so disarm that technique.

Beyond its security aspect, Snow lets you shape every new realm that comes to life within your web app the way you want it to look. And you can rest assured it will do so for every new window no matter how it is created, because Snow focuses on covering all the ways a window can be created.

Snow is built on top of Securely in order to prevent attacks against Snow itself.

Check out Snow's demo, source code, and further documentation.

Across 🔁

With Across, you can for the first time establish a fully secured communication channel between two scripts attached to the same DOM, based on their source URLs.

As of today, there is no way for two scripts within a browser web app to exchange information that is accessible and visible only to them and not to any other script.

By building on the security capabilities of Securely and Snow, Across lets scripts share sensitive information with one another on the client side, without the need for a server-side entity and without worrying that a third party within the web page might endanger their communication channel!

Check out Across's demo, source code, and further documentation.

We believe these three tools can be used to create safer browser-based technologies that are less vulnerable to today's JavaScript security threats, and to unlock new powers for building strong, secure technologies on top of them.

We encourage you to learn more, and hopefully to help improve these tools and to rely on them, bearing in mind that at the moment they are still considered experimental.

Incident Response

Thanks to everyone who has been participating in our Bug Bounty Program at HackerOne! If you’re interested in contributing, please visit https://hackerone.com/metamask.

As a reminder, the assets in scope are the MetaMask Extension (source code), which can be downloaded at our website, and the MetaMask Mobile Application (source code), which can be downloaded from the App Store (iOS) or Google Play (Android).

The following table maps the rewards according to severity:

(Reward table by severity: image, not reproduced here.)

This month, we've thanked 10 wonderful hackers whose reports have helped us make MetaMask more secure for everyone! The average payout for valid reports was $500, as many of them were informational: helpful, but not quite in scope or not severe enough to meet our vulnerability threshold.

(HackerOne report statistics for July 2022: image, not reproduced here.)

Cautionary Tales

Our very own Harry does a deep dive into filtering ERC20 token names for abuse:

and into a malicious flash loan tutorial that exploits the users who follow it:

User Education

Enjoy this teaser from the latest MetaMask support article on how to avoid NFT scams, and then go read the rest of it!

“Discord, Twitter, and Telegram are some of the main platforms NFT projects use to build out their communities and share information on mints, events, marketplace activity, and more. Scammers have noticed this and are always seeking new ways to exploit community members for their holdings.”

Thanks for reading, and we’ll see you next month. Stay vigilant!!
