MetaMask, Phantom and Other Browser Wallets Patch Security Vulnerability

There is no evidence the vulnerability was ever exploited by attackers, meaning no user funds are believed to have been impacted.

Jun 15, 2022 at 4:00 p.m. UTC
Updated May 11, 2023 at 6:14 p.m. UTC

MetaMask and Phantom, two of the largest crypto wallet providers, disclosed in blog posts Wednesday they recently patched a security vulnerability that could have exposed sensitive login credentials to users with compromised devices.

The wallet providers say there is no evidence the vulnerability was ever exploited by attackers, meaning no user funds are known to have been affected.

MetaMask and Phantom – which discovered the bug based on a tip from blockchain security firm Halborn – informed at least 10 other browser-based hot wallets that they contained the same vulnerability. The full list of impacted – and patched – wallets is unclear at this time.

Although the vulnerability came with a narrow attack vector and there’s no evidence of it ever having been exploited by hackers, it highlights the inherent security risk of internet-connected hot wallets compared to more secure, albeit less convenient, hardware wallets.

Should you be concerned?

MetaMask and Phantom are not recommending that most users take any action other than to update their browsers in order to ensure the wallets they are using are running the most up-to-date software versions.

According to the blog post from MetaMask, you should only be concerned if you match all of the following conditions:

  • Your hard drive was not encrypted
  • You imported your Secret Recovery Phrase into a MetaMask extension on a device that is in possession of someone you do not trust, or your computer is compromised
  • You used the “Show Secret Recovery Phrase” checkbox to view your Secret Recovery Phrase on-screen during that import process

“If your computer is not physically secure from people you do not trust, we recommend you enable full disk encryption on your system,” according to the MetaMask blog post. “Additionally, you are not affected by this if your funds are managed by a hardware wallet.”

Phantom’s blog post largely echoed that of MetaMask.

In its blog post, MetaMask outlines steps that users should take to move to a new wallet if they believe their credentials could have been compromised.

Halborn, which was rewarded a $50,000 bounty for disclosing the bug, recommended most users swap over to a new wallet address out of an abundance of caution.

Steve Walbroehl, Halborn’s co-founder, told CoinDesk, “Just given the fact that this is something that has been around for so long, you don’t know who possibly could have gotten [exploited]. Maybe you clicked on a bad phishing email and they have access to your machine. Maybe somebody took it before even though you’ve now upgraded. I just think out of an abundance of caution, given the criticality, it’s better to just change it.”

He continued, “My number one recommendation is to just get a hardware wallet.”

How it happened

The vulnerability resulted from a quirk in the JavaScript programming language that sometimes led to a user’s secret recovery phrase being stored in the user’s local memory for some period of time (exactly how long is unknown and likely varies by device).

If a user entered this phrase on a compromised or otherwise untrusted device, an attacker would have had the ability to swipe it from memory if he or she knew exactly where to look (or, more likely, had a specialized tool for the task).

A secret recovery phrase – also called a seed phrase or mnemonic phrase – is a series of 12 words that users receive when they set up a smart wallet, and it serves as a master key should users ever need to recover their wallet or set it up on a new device.

If a person’s secret recovery phrase falls into the hands of someone malicious, it could be used to seize full control of the person’s funds.

MetaMask was informed of the bug in July 2021 and issued a patch in March of this year. Phantom learned of the bug in September 2021 and issued several patches to address the issue between January and April 2022.

Disclosure


CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Sam Kessler

Sam is CoinDesk's deputy managing editor for tech and protocols. He reports on decentralized technology, infrastructure and governance. He owns ETH and BTC.
