MetaMask Security Monthly: July 2024
The MetaMask Security Team has been spreading the word about LavaMoat and LavaDome, has a proposal in incubation, warns about risks to those working in crypto, and our bug bounty program is thriving!
🎙️ MetaMask in the Security Ecosystem 🔎
MetaMask’s HackerOne Bug Bounty Program Takes the Cake!
MetaMask's bug bounty program (BBP) got a shout-out from both HackerOne founders for setting a great example to others. This was due to our quick adoption of new policy improvements like Open Scope, which rewards reports for all our assets based on impact, and Fast Payment, ensuring we pay out within a month of receiving a vulnerability report. Our program has been going from strength to strength, with some impressive stats over the last 90 days: 120 reports received, an average time from submission to bounty of 3 days and 15 hours, and a total of $266,000 paid out to date. This showcases the incredible success we’ve been having, and we would like to thank our community of talented hackers such as pkkr, imnarendrabhati, p1security, Nicocha30, T41nk**, René Kroka, renniepak, hackerOnTwoWheels, and redyetihacks. MetaMask BBP is the best BBP!
Want to help make MetaMask more secure? Report any vulnerabilities you find to us at https://hackerone.com/metamask.
Today @Hacker0x01 is launching a big improvement to program policy pages, providing structure and removing ambiguity! Here’s a great example from @MetaMask: https://t.co/HlGJrfMEhx.
— Jobert Abma (@jobertabma) July 15, 2024
That was fast. Within hours of publicly releasing the new Program Declarations, @MetaMask has already adopted the Open Scope and Fast Payment declarations. Great programs move with a high sense of urgency! https://t.co/yAltRp1smQ pic.twitter.com/ERfs67AKE6
— Michiel Prins (@michielprins) July 15, 2024
Zbyszek Tenerowicz Talks Defensive Coding at x33fcon
MetaMask Security Lab’s Zb is at it again! In June, he attended x33fcon: a “gathering for IT security professionals and enthusiasts” where “red meets blue.” He gave a lightning talk and hosted a workshop on defensive coding. This is just the latest in his quest to evangelize the importance of supply chain security - which is the core focus of LavaMoat. Videos for his talk and an interview are up now.
Gal Weizman at Microsoft’s BlueHatIL and OWASP Lisbon Global AppSec Conferences
Gal, also from MetaMask Security Lab, has been making the rounds to discuss DOM isolation and present the work his team is doing around the LavaDome project. He has also been examining how the difference between security for centralized architecture and decentralized architecture forces the industry to push the boundaries of web application security. And, of course, LavaMoat.
In addition to these talks, Gal is happy to report that the Realms Initialization Control proposal MetaMask presented has been approved for incubation by the Web Incubator Community Group. Implementing it should eventually give browsers a native solution to the same-origin concern that the SNOW project originally attempted to address: a complex security problem that holds back client-side web security for MetaMask and for the rest of the web.
Understanding Lazarus: The Real Threat to the Crypto Industry
Taylor Monahan breaks down how members of the DPRK advanced persistent threat (APT) group TraderTraitor use spearphishing tactics to target employees of crypto companies and steal millions. If you work in the industry at any level, in any position, consider yourself at risk.
“Instead of thinking you're invincible:
Eliminate single points of failure
Use hardware wallets / hardware MFA
Don't run/build code from strangers
Use diff devices for talking vs accessing crypto
Don't judge
Learn from other's mistakes
Educate those around you
STAY SKEPTICAL!”
Meanwhile…
Schadenfreude for Attack on Pink Drainer
The infamous Pink Drainer group recently fell victim to an "address poisoning" scam, losing around $30,000 worth of Ether. In this scam, the victim is tricked into sending funds to a fake address that closely resembles a legitimate one. MistTrack, a cryptocurrency compliance firm, reported the incident, noting the irony of scammers being targeted by other scammers. Pink Drainer had only just announced its retirement in May, having previously stolen millions from crypto wallets. It's tough to feel bad for them.
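As an added example (not MistTrack's or MetaMask's code), the following check flags the pattern described above: counterparties in a transaction history whose visible prefix and suffix match a trusted address but whose full value differs. The address format, the 4+4 display window and the sample history are assumptions made for the example.

```javascript
// Added example, not code from MistTrack or MetaMask: a defender-side check for
// the address-poisoning pattern described above. Poisoned entries are attacker
// addresses engineered to share the leading and trailing hex digits a wallet
// shows in truncated form ("0x1234…abcd"), planted in the victim's history by
// small or zero-value transfers so the victim copies them by mistake.

function normAddr(addr) {
  const a = String(addr).toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(a)) throw new Error(`not a 20-byte hex address: ${addr}`);
  return a;
}

// True when two different addresses agree on the visible prefix and suffix.
// 4+4 matches common truncated displays (assumption); widen it to be stricter.
function isLookalike(candidate, trusted, prefixLen = 4, suffixLen = 4) {
  const c = normAddr(candidate).slice(2), t = normAddr(trusted).slice(2);
  if (c === t) return false;
  return c.startsWith(t.slice(0, prefixLen)) && c.endsWith(t.slice(-suffixLen));
}

// Scan recent counterparties against the user's address book and report the
// ones that mimic a trusted entry, noting whether they arrived as unsolicited
// inbound transfers (the usual way poison is planted).
function findPoisonedEntries(history, addressBook) {
  const flagged = [];
  for (const tx of history) {
    for (const trusted of addressBook) {
      if (isLookalike(tx.counterparty, trusted)) {
        flagged.push({ counterparty: tx.counterparty, mimics: trusted,
                       inbound: tx.direction === 'in', valueWei: tx.valueWei });
      }
    }
  }
  return flagged;
}

// Constructed sample data (not real addresses or transactions).
const TRUSTED = '0xabcd' + '1'.repeat(32) + '7890';
const POISON = '0xabcd' + '2'.repeat(32) + '7890'; // same first/last 4 digits
const UNRELATED = '0x' + '9'.repeat(40);
const HISTORY = [
  { counterparty: TRUSTED, direction: 'out', valueWei: 10n ** 18n },
  { counterparty: POISON, direction: 'in', valueWei: 0n },   // zero-value dust
  { counterparty: UNRELATED, direction: 'out', valueWei: 5n * 10n ** 17n },
];
console.log(findPoisonedEntries(HISTORY, [TRUSTED]));
// → [{ counterparty: POISON, mimics: TRUSTED, inbound: true, valueWei: 0n }]
```

A wallet or block explorer can run the same comparison at send time and warn when the pasted destination is a lookalike of a saved contact rather than the contact itself.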
Ethereum.org Mailing List Breach and Draining Attack
On July 2, Ethereum reported that its mailing list was compromised, exposing over 35,000 users to a phishing attack. The attacker sent an email posing as a collaboration with Lido DAO, directing recipients to a website that promised high returns on staked Ethereum but was in reality a drainer site. The Ethereum security team quickly blocked the attack, alerted the community, and submitted the malicious link to blocklists. No losses were reported, and Ethereum is now migrating some email services to enhance security.
⚠️ Tales of Caution ⚠️
Threat Actor Exploits Vulnerability in Squarespace to Conduct Account Takeovers
Summary
Researchers discovered that weak security defaults in Squarespace's domain registration process allowed attackers to hijack domains. The vulnerabilities included insufficient verification steps and the ability to change domain settings without proper authentication. These flaws enabled attackers to take control of domains, redirect traffic, and potentially steal sensitive information. The incident highlights the importance of robust security practices in domain management to prevent such hijacks. In Squarespace’s incident post-mortem, they cited weaknesses related to OAuth as the cause of the incident and said the issue has been fixed. They also reported no additional account compromises related to the issue.
How Users Can Protect Themselves
Users should harden their Squarespace accounts by enabling two-factor authentication and removing other contributors. Further, registering domains with registrars that allow hardware tokens for two-factor authentication may provide greater account security. You can also read another full incident report from our friends at Blockaid.
After spending the last four days helping teams recover and secure their Squarespace domains, we believe the vulnerability has finally been patched
— samczsun (@samczsun) July 15, 2024
A big thank you to @tayvano_, @AndrewMohawk, and numerous others for jumping in and saving the day https://t.co/bP4MW1rXFg
WazirX US$240 Million Fund Loss Incident
Summary
WazirX experienced a cyber attack on one of its multisig wallets, resulting in a loss of over US$230 million. The wallet, managed with Liminal's digital asset custody services, required multiple signatories for transaction approvals, including three from WazirX and one from Liminal. The attack exploited a discrepancy between the data shown on Liminal's interface and the actual transaction contents, likely replacing the payload to transfer control to the attacker.
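The defensive principle behind this incident is that a signer must verify the payload it is about to sign rather than trust the interface's rendering of it. Below is an added example (not code from WazirX, Liminal or the incident write-up) of such a "what you see is what you sign" check for one calldata shape, an ERC-20 transfer; the field names, the displayed-summary structure and the sample payloads are assumptions.

```javascript
// Added example, not code from Liminal, WazirX or the incident write-up: decode
// the raw payload independently and compare it field by field with the custody
// UI's summary, so a swapped payload is caught before a signature is produced.

// Function selector of ERC-20 transfer(address,uint256).
const ERC20_TRANSFER_SELECTOR = 'a9059cbb';

function normHex(h) {
  return String(h).toLowerCase().replace(/^0x/, '');
}

// Decode the one calldata shape this example understands. Anything else is
// reported as unknown: a summary the signer cannot verify is not approved.
function decodeCalldata(data) {
  const hex = normHex(data);
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== ERC20_TRANSFER_SELECTOR) {
    return { kind: 'unknown' };
  }
  return {
    kind: 'erc20Transfer',
    recipient: '0x' + hex.slice(8 + 24, 8 + 64), // low 20 bytes of ABI word 1
    amount: BigInt('0x' + hex.slice(8 + 64)),    // ABI word 2
  };
}

// Returns the names of fields where the displayed summary and the payload
// disagree; an empty array means the summary is faithful to what gets signed.
function verifyDisplayedMatchesPayload(displayed, payload) {
  const problems = [];
  if (normHex(displayed.to) !== normHex(payload.to)) problems.push('to');
  if (BigInt(displayed.value) !== BigInt(payload.value)) problems.push('value');
  const decoded = decodeCalldata(payload.data);
  if (decoded.kind !== 'erc20Transfer') return [...problems, 'data'];
  if (normHex(decoded.recipient) !== normHex(displayed.recipient)) problems.push('recipient');
  if (decoded.amount !== BigInt(displayed.amount)) problems.push('amount');
  return problems;
}

// Constructed sample: the UI shows a 1,000-unit token transfer to RECIPIENT.
function encodeTransfer(recipient, amount) {
  return '0x' + ERC20_TRANSFER_SELECTOR + normHex(recipient).padStart(64, '0') +
    amount.toString(16).padStart(64, '0');
}
const TOKEN = '0x' + 'ab'.repeat(20);
const RECIPIENT = '0x' + '11'.repeat(20);
const ATTACKER = '0x' + '22'.repeat(20);
const displayed = { to: TOKEN, value: 0n, recipient: RECIPIENT, amount: 1000n };
const honestPayload = { to: TOKEN, value: 0n, data: encodeTransfer(RECIPIENT, 1000n) };
const tamperedPayload = { to: TOKEN, value: 0n, data: encodeTransfer(ATTACKER, 1000n) };
console.log(verifyDisplayedMatchesPayload(displayed, honestPayload));   // []
console.log(verifyDisplayedMatchesPayload(displayed, tamperedPayload)); // [ 'recipient' ]
```

In a real multisig, each signer runs this comparison on its own device against the bytes it actually signs, so a compromised interface cannot substitute a payload without at least one signer refusing.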
How Users Can Protect Themselves
Following the incident, WazirX halted withdrawals while the scope of the incident was assessed. Users are reminded that custodial solutions that store their crypto can control withdrawals, unlike non-custodial solutions. WazirX is promoting a bounty worth up to US$23 million to help identify, track, and recover the stolen funds.
Rise of Cryptocurrency Job Scams
Summary
In June 2024, the Federal Bureau of Investigation (FBI) released a public service warning about cryptocurrency job scams, where fraudsters pose as legitimate employers to lure victims into fake job opportunities. This month, the agency followed up with a more in-depth look into how these scams work and what to look out for. They often involve convincing victims to set up cryptocurrency accounts or transfer funds, ultimately stealing their money. The FBI advises job seekers to be cautious of unsolicited job offers, verify the legitimacy of employers, and avoid sharing personal or financial information with unverified sources. Victims of such scams are encouraged to report the incidents to the FBI's Internet Crime Complaint Center (IC3).
How Users Can Protect Themselves
Users should apply increased scrutiny to financial opportunities such as jobs requiring them to provide initial funds, jobs that cannot be verified independently, or job offers that arrive unsolicited. Users should avoid downloading unknown files and attempt to verify the authenticity of the persona engaging with them before continuing the conversation. Although this public service announcement is focused on scammers exploiting victims through work related to crypto, users should also be aware of attacks during the interview process and insider threats.