MetaMask Security Monthly: June 2022

Security Laboratory

Endo

Support for “where are my source files” use cases complete!

We finally merged the import.meta support. Had to account for the changes made to compartment spec in the tc39 proposal also. Further changes will definitely be needed as the proposal is likely to rename a few things and drop the importMetaHook.

https://github.com/endojs/endo/pull/1141 The biggest struggle with import.meta was it’d be ignored by the babelPlugin in static-module-record if present in an export statement. It required a change to the plugin code to guarantee import.meta gets visited and transformed even if inside an already transformed export definition.

With the import.meta support, https://github.com/endojs/endo/pull/1202 could bring import.meta.url support to compartment-mapper’s importLocation functionality. The functionality is not provided in Archives as a valid behavior for it is hard to define in that context.

Meanwhile, https://github.com/endojs/endo/pull/1144 introduced the require.resolve function to the CJS implementation. It throws an error by default, but an implementation to use instead can be provided as part of ReadPowers. The external implementation can be constructed from Node’s createRequire (with limitations, preferably) or implemented as a lookup of known required values as input to require.resolve is rarely dynamic in the wild.

This completes the features planned for introducing good CJS support https://github.com/endojs/endo/issues/1055 — with a little more regression testing the issue can be closed.

LavaMoat

Yarn 3 support for allow-scripts required adding a plugin to the project to handle running yarn setup on a fresh checkout of a project protected by LavaMoat’s allow-scripts. https://github.com/LavaMoat/LavaMoat/pull/345

A new feature in policy-overrides.json — false can be used to explicitly specify an endowment should not be given. Support for this functionality includes merging overrides into the main policy correctly and using the explicit false to avoid exposing too many fields from an object. https://github.com/LavaMoat/LavaMoat/pull/341

Incident Response

HackerOne Bug Bounty Program

Our Bug Bounty Program at HackerOne is finally live! Looking for the best and brightest researchers to find a bug, log into their account at HackerOne, and submit a report.

Where is it?

Visit hackerone.com/metamask.

What are the assets in scope?

• The MetaMask Extension: You can download it at our website, or at the respective stores of Chrome and Firefox. The source code of the extension is in GitHub.
• The MetaMask Mobile Application: You can download it at the App Store (iOS) or Google Play (Android). The source code of the application is in GitHub.

What are the Bounties?

The following table maps the rewards according to severity:

CIRT Metrics Pre-HackerOne

Previously on Incident Response…

At Incident Response we can distinguish three kinds of sources: Audits, Internal, and Reporters. The last one comprises issues informed by external actors. Our preferred channel of communication was our (currently deprecated) email at security@metamask.io.

During the first half of 2022, we closed 38 tickets. Distributed by source, the majority of them are from Reporters, which are more than double the number of tickets from Audits and Internal sources combined.

Regarding the Assignees of the tickets, we find the majority of the reports go to the Extension, followed by Security-focused issues (that is, not related to any of the major MetaMask products), and then Mobile. These 3 categories amount to more than 90% of the reports. 2 issues were assigned to Product (UI) and the ConsenSys Security Team, respectively.

Of these 38 tickets, only 13 were assigned with a CVSS Score. Most of these tickets got a Medium severity (9), with 1 Critical, and 3 Low severity reports.

Regarding Mean Time to Repair (MTTR), by source, tickets coming from Reporters were resolved faster, with an MTTR of 28.53 days per issue. Observing the distribution of resolution times by source, it is noted that times converge to the minimum, with those maximum times being outliers. This trend can be perceived at the distributions of MTTR by Assignee as well.

The overall Mean Time to Repair (MTTR) for the Incident Response Team at MetaMask during the first half of 2022 is 40.39 days per report.

Communications

Method Deprecation Notice

MetaMask is deprecating two methods available in its API: eth_decrypt and eth_getEncryptionPublicKey.

The methods will still exist in the API and continue to function as they do currently: however, MetaMask no longer recommends they be used.

These methods are being deprecated because they are not as secure as they could be. There are no known vulnerabilities or exploits based on these methods; however, MetaMask is not comfortable promoting their use.

More detailed information can be found published here.

Disclosures

Clickjacking Vulnerability

MetaMask has granted a bounty of $120,000 to the United Global Whitehat Security Team (UGWST), for their responsible disclosure of a critical security vulnerability, along with a handful of less severe reports.

This vulnerability, which affected the browser extension only, consisted of the ability to run the MetaMask extension as a hidden layer on top of another website, allowing attackers to trick users into revealing their private data or sending crypto-assets without realising.

All the details are here!

Extension Disk Encryption Issue

Security researchers at Halborn have disclosed an instance where a Secret Recovery Phrase used by web-based wallets, like MetaMask, could be extracted from the disk of a compromised computer under some conditions.

• Your hard drive was unencrypted.
• You imported your Secret Recovery Phrase into a MetaMask extension on a device that is in possession of someone you do not trust, or your computer is compromised.
• You used the “Show Secret Recovery Phrase” checkbox to view your Secret Recovery Phrase on-screen during that import process. (see image)

The details outlined in the following notice do not impact MetaMask Mobile users, and only impact a small segment of MetaMask Extension users as well as users of other browser/extension wallets. We have since implemented mitigations for these issues, so these should not be problems for users of the MetaMask Extension versions 10.11.3 and later.

Read the Security Notice.