Bitcoin Forum

    Hi all . re: m.mask security ...... if you have very small/low risk funds in m.mask wallet , as recommended , but from a phishing/hacking perspective , you have : connected sites : to wallet , does this mean if wallet is accessed by hacker that they can then access connected sites ?

How I see it, shouldn't you be more worried about your wallet being accessed through a vulnerability in the connected websites, that the other way around?
AFAIK, a vulnerability on either side can lead to a breach into the other; so if your wallet is accessed by a hacker they can gain access to connected sites. Also, if you link your wallet to a malicious site, it could lead to a breach in your wallet security.

Nothing can be stolen from you until you hit to get a transaction processed.

It's a good idea though not to connect to anywhere you don't trust/doesn't have a big audience and will stop you from making that mistake.

Revoke Smart Contract Allowance with unrekt.net (https://bitcointalk.org/index.php?topic=5336032.msg56961395#msg56961395)

On some web3 sites, you will have to connect your wallet and approve access to its key to make transactions. The approve step is dangerous and hacker can use that access to steal your money. If you have an active wallet with history of transactions, you will see there are some hidden (in grey color) tokens that airdropped to your wallet. Their tokens are unverified and I can tell you most of unverified tokens by block explorers (Etherscan.io or bscscan.com) are scam tokens.

You should revoke smart contract allowance to avoid unwanted access to your fund. If you ever click on unverified tokens, give them access, you should move your fund to a new wallet with new mnemonic seed as soon as possible.

If wallet itself is accessed, you are pretty much done for. Connected site or anything else becomes irrelevant.

However, no one can gain access just because you have wallet connected to some site.

If your private keys or seed phrase have fallen into the hands of a phishing site scammer then, yes.  If they have been compromised any and all coins, tokens, and accesses privileges are now within reach of the scammer.  Everything!  

There are many scams out there that imitate legit sites, if you remain diligent you'll stay safe.  Don't trust any site that aske for private keys or seeds.  If you really want to remain safe, learn how to verify stuff with GPG (https://bitcointalk.org/index.php?topic=4059348).

Yes of course it is. Once they can get the tokens orbany valuable coins on your wallet ofcourse they can access the connected site with your wallet. That includes your play2earn games or any platform connected with. I assume you have a game or apps that has valuable nft or funds that you ought to scared to get stolen am I right?

Connect to the legit websites and always know that your wallet is vulnerable at the moment because you make another party to have access to know more about your wallet. Hackers are very wise and tricky, in the process, it is possible that your seed phrase can be revealed and if your seed phrase is known, nothing else needed to compromise your wallet. But just that I do not know much about altcoins but I know we should avoid hackers, if you connect to their site, consider your coin gone.

Some security tips for you are :

1) Don't click on some links you see over the internet that could inject malware in your system gaining access to your wallets.

2) Never share you seeds and keys with anyone and if anybody is asking you to enter it then it's scam stay away from it.

Your security lies in your hand and if you are not letting anyone compromise it then you are safe because the scams you will see on the net happens usually due to our carelessness of giving away our wallet access to the hackers.

Well nothing will hack if you don't store a big amount on your Metamask wallet, just separate them into different wallets. If you will use your Metamask on exchange --use a dummy Metamask account to connect to the exchange API and separate it into your main account which is where the big amount is stored. Yes --scammers can access your Metamask wallet if you will linked to them and have a transaction.
I suggest keeping your seed and keys stored offline and never store in the device that you usually use.

thank you very much for all your time /help/

The hacker only can access your account only 3 option as far as i knothen

first option is by knowing your private key by this mean he have full access of your account

Second option is through smartcontract this is little bit tricky when you approve unverified smart contract and give him access they can send busd or pretty much anything legally and then poof your money was gone this usually people dm try to give you free nft or free million dollar of money through their app

And last third option is simple the hack your computer and know whats password is and will go like the first option

The hacker can only have that idea on which websites your metamask is/was connected if he's going to manually check all of the transactions that came in and out from that address.
Usually, there's the website and name of that address e.g Binance and other websites that have that label on their smart contract addresses. Why are you so concerned about that? And yes, the hacker can connect to those websites since they'll have your metamask private keys and for example, you've been totally hacked.

The hacker can also know which websites/services your metamask was connected to from the "Connected sites" menu on your metamask app (3 dots - > Connected sites). But this is possible only if he has access (be it physical or remote) to your wallet app on your device. If he has restored the wallet using its seed then the onbected websites menu will be empty.
This is why it's a good practice to always disconnect from the website after finishing your work on it and remove it from your wallet history.

Thanks to that addition. This is now me getting more curious if OP is in a situation that has led him in asking this question and needs to take action quickly.
But since he has said thanks to everyone, things are probably solved and clear to him now. This topic is actually good for those that don't practice disconnecting their metamask wallets on different websites that they connect it, especially into those dexes.

First. If you're not using web MetaMask Extension versions 10.11.3 and above and you connected your wallet to a phishing website. According to the research done by Halborn (https://mobile.twitter.com/MetaMask/status/1537103629613551624). Yes, the coins in your metamask wallet can be accessible by a hacker because your wallet's secret recovery phrase can be extracted.

Second. If you enter your wallet secret recovery phrase or private keys on the phishing website, you have automatically given them access to your metamask wallet.

I have never had the need to use this wallet, but I have to admit that the idea of a crypto wallet that works in a browser or as a mobile application has never appealed to me precisely because I think it is very risky from a security point of view. If we know how hot crypto wallets are exposed to various risks, it's hard for me to understand people who use this way of storing and transacting very significant amounts of cryptocurrencies.

For me personally, the best way is not to use such wallets if at all possible - and if you have no choice, let your caution always be at a high level.

   Thanks for more replies. to sum up.....my post about m.mask security is partly because ive had trouble linking it to my ledger for extra security [ did a seperate post on this ] . My computer is clean ,as i dont open links/ connect to dodgy sites etc . Also my keys are offline .   I close meta mask when not using it . So , are people saying that i should UNCONNECT from  connected sites to m.mask , then re connect when i need to use them ?

That is true, however some transactions that require signing are not 100% clear about what is going to happen once confirmed and require some further looking into to make sense of them. And with all the phishing attempts and all you might just sign a transaction that does not do what you think it should...

https://cointelegraph.com/news/ledger-cto-warns-crypto-users-about-the-dangers-of-blind-signing

https://www.bleepingcomputer.com/news/security/opensea-nft-platform-bugs-let-hackers-steal-crypto-wallets/

There is a great distinction between disconnecting some sites or revoking smart contract access.

To put up simply for security concerns, if you are dealing with established platforms like Aave, Uniswap, PancackeSwap, etc, you shouldn't worry too much. But if you are dealing with shady and unknown platforms or token or smart contracts, well this part should be better to avoid in the first place because if you already dealing with it, there is little contribution from disconnecting or revoking things.

For better references, I strongly suggest you read the information from Metamask:

• Disconnect wallet from a dapp  (https://metamask.zendesk.com/hc/en-us/articles/360059535551-Disconnect-wallet-from-a-dapp)
  
• How to revoke smart contract allowances/token approvals  (https://metamask.zendesk.com/hc/en-us/articles/4446106184731)
  

It sounds you didn't need to do that. They will need to connect with your metamask once you wanna try to connect with them again. The site will ask you again to connect with your metamask. Somesites may still able to connect with your metamask such as dex or something like this.
Disconnect your metamask was also a good decision to prevent malicious activities with your metamask.

No. Even though Metamask is linked to a certain site, the site owner cannot transfer money from Metamask to another account, because every transfer of funds requires confirmation. This is the same as the process when you do a swap, namely by confirming by an active wallet. If the wallet is not active of course they can't do anything with our metamask even though it's connected to their site. So you don't have to worry about the metamask security system. Unlike a site that asks to import a private key, there is a possibility that the site backs up the private key that we import.

MetaMask which can be accessed online can in fact limit the level of security compared to cold wallets.
However, the level of security that MetaMask has is able to beat other wallets, and this is one of the advantages of the Metamask wallet that is worth considering.

Metamask cannot make any transactions without confirmation from the wallet owner who activates Phrase even though it is connected to another site. Unless you've entered the Phrase to another site to access that site. Some sites enable import Phrases, but others just make a connection.