Metamask Fixes Bug Enabling Hackers to Extract Seed Phrases from Web Extensions Versions 10.11.3 and Above

Security experts from Halborn have found an example where a user’s seed phrase of web-based wallet extensions like Metamask was left unencrypted. However, the instance only puts those using the Metamask extension versions below 10.11.3.

Some Wallet Extensions Pose a Risk to Users’ Crypto Keys

Halborn Blockchain Security researchers have found a way in which hackers can extract seed phrases from a disk of a hacked computer. The breach involves web-based wallet extensions, such as Metamask; they said those with versions 10.11.3 and above are not at risk. Moreover, the experts pointed out that the breach scenario doesn’t affect Metamask Mobile wallets.

The security experts acknowledged that aside from Metamask, other web-based wallets could also face the vulnerability. Nonetheless, they gave three situations that could put a user’s crypto keys at risk. 

The first is if you have an unencrypted hard drive. The second is if you imported the recovery phrase to the Metamask web extension using a device that is not in your possession. Lastly, if you checked the ‘Show Secret Recovery Phrase’ checkbox to see your keys as you are importing them.  

The Affected Parties

According to Halborn, all desktop OS and browsers, Metamask extension versions before 10.11.3 on every browser, Windows, Linux, macOS, Firefox, and Chrome are not safe. The vulnerability has a high risk to those whose devices have been hacked as they are importing their seed phrases to web wallet extensions.

A web developer working for Metamask has provided ways to mitigate the issues, giving the following statement:

“If your computer is not physically secure from people you do not trust, we recommend you enable full disk encryption on your system. Additionally, you are not affected by this if your funds are managed by a hardware wallet.”

A password manager startup, 1Password, shed light on the report saying,

“This is a well-known issue that’s been publicly discussed many times before, but any plausible cure may be worse than the disease.”

The team at Metamask believes using a password manager could help protect you from such breaches, although the managers are not 100% safe.

AMD and Intel CPUs are also Vulnerable

As reported yesterday by crypto.news, hackers can leverage a vulnerability on AMD and Intel CPUs to steal a user’s seed phrase. Via a side-channel glitch called Hertzbleed, hackers can make away with private keys by looking at the power signature as cryptographic processes occur. Intel described the extent of the vulnerability, saying the attack could take place on servers remotely.

Intel revealed that all its modern models are at risk, while AMD said Alton, Ryzen, and EPYC versions are susceptible. The startups provided a way to shield users from the breaches, which involved disabling computer frequency scaling. However, the actions, as explained by the companies, could cause extensive damage to every CPU’s performance. AMD gave further insight into the matter, saying,

“As the vulnerability impacts a cryptographic algorithm having power analysis-based side-channel leakages, developers can apply countermeasures on the software code of the algorithm. Either masking, hiding or key-rotation may be used to mitigate the attack.”