Bitcoin Forum
Author Topic: MetaMask Allegedly Not Fixing Privacy Vulnerability  (Read 109 times)
pushups44 (OP)
Sr. Member
Activity: 854
Merit: 281
February 03, 2022, 10:34:39 PM
Last edit: February 03, 2022, 10:50:33 PM by pushups44
#1

From Crypto Briefing: https://cryptobriefing.com/ethereum-wallet-metamask-has-critical-privacy-vulnerability/

"A cryptographer and security analyst has revealed how MetaMask users are at risk of exposing their IP address to hackers."

[...]

"Lupascu found that malicious entities can find MetaMask mobile users' IP data by airdropping them NFTs."

[...]

"By default, the MetaMask mobile app displays NFTs stored in an address using a URL function call to the image data. This data is hosted on remote servers. The process is done without asking for the user’s consent in order to display what NFTs are contained in their Ethereum wallet.

"During this fetching process, all server gateways handling the transmission of image data receive the user’s IP information. Generally, the projects operating the servers for the image data keep the data secure.

"In his investigation, Lupascu determined that malicious entities can find MetaMask users’ IP data and exploit the information to execute targeted attacks. In his blog post, Lupascu explained:

“If a malicious actor only knows your blockchain address, he can mint an NFT with a URL pointing to his server and transfer the NFT’s ownership to your address. Thus, when your crypto wallet fetches the remote image from the server, it will compromise your privacy.”

[...]

"Meanwhile, Lupascu says that he thinks Ethereum users should be vigilant if they receive airdropped NFTs, and that it’s advisable to only access them through OpenSea."
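The leak described in the quoted article comes down to the wallet dereferencing whatever URL the NFT's metadata names. As an added illustration, not code from MetaMask or the article, here is a wallet-side policy that classifies the metadata and image references before anything is fetched; the gateway list, proxy URL and sample token are constructed placeholders.

```javascript
// Added example (not MetaMask's or the article's code): a wallet-side policy that
// decides how to resolve an NFT's metadata and image before anything is fetched,
// so a host named by whoever minted the token never receives the user's IP directly.

// Hosts the wallet operator chooses to contact directly; constructed placeholder list.
const TRUSTED_GATEWAYS = new Set(["ipfs.io", "cloudflare-ipfs.com"]);
// Operator-run fetch proxy; constructed placeholder URL.
const PROXY_BASE = "https://proxy.example/fetch?u=";

// Parse ERC-721 metadata carried inline in a data: tokenURI (plain or base64 JSON).
// Returns null when the tokenURI is a remote reference instead.
function parseInlineMetadata(tokenUri) {
  const m = /^data:application\/json(;base64)?,(.*)$/s.exec(tokenUri);
  if (!m) return null;
  const body = m[1] ? Buffer.from(m[2], "base64").toString("utf8")
                    : decodeURIComponent(m[2]);
  return JSON.parse(body);
}

// Classify a reference found in metadata:
//   ipfs://CID/path         -> content-addressed; rewrite to a gateway we chose
//   https on a trusted host -> fetch directly
//   anything else           -> the minter picked the host; go through the proxy
function resolveImage(ref) {
  if (typeof ref !== "string") return { action: "skip", url: null };
  if (ref.startsWith("ipfs://")) {
    const path = ref.slice("ipfs://".length).replace(/^ipfs\//, "");
    return { action: "gateway", url: `https://ipfs.io/ipfs/${path}` };
  }
  let u;
  try { u = new URL(ref); } catch { return { action: "skip", url: null }; }
  if (u.protocol === "https:" && TRUSTED_GATEWAYS.has(u.hostname)) {
    return { action: "direct", url: u.href };
  }
  return { action: "proxy", url: PROXY_BASE + encodeURIComponent(u.href) };
}

// A remote tokenURI is itself a minter-controlled fetch, so the same policy
// applies to the metadata document as to the image it points at.
function planFetch(tokenUri) {
  const meta = parseInlineMetadata(tokenUri);
  return meta ? resolveImage(meta.image) : resolveImage(tokenUri);
}

// Constructed sample: inline metadata whose image lives on an arbitrary host.
const SAMPLE_TOKEN_URI = "data:application/json;base64," + Buffer.from(
  JSON.stringify({ name: "airdrop #1", image: "https://unknown-host.example/t.png" })
).toString("base64");

console.log(planFetch(SAMPLE_TOKEN_URI).action); // "proxy": never contacted directly
```

The proxy or gateway still learns the user's IP, but it is a host the wallet operator picked rather than one chosen by the sender of the airdrop.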
coupable
Hero Member
Activity: 2408
Merit: 757
February 03, 2022, 11:02:24 PM
Last edit: February 04, 2022, 01:41:26 PM by coupable
#2

Using a navigator extension is your main vulnerability if you are already doing it.
I have noticed that people are not aware when using such services, as if they were blindly trusted. Navigator add-ons weren't an advisable method for accessing online platforms, although they may be a safe tool to interact with the Ethereum network.

"Meanwhile, Lupascu says that he thinks Ethereum users should be vigilant if they receive airdropped NFTs, and that it’s advisable to only access them through OpenSea."
Same thing with using OpenSea as a trusted network, while we saw how many vulnerabilities this system has encountered recently.
hugeblack
Legendary
Activity: 2562
Merit: 3780
February 04, 2022, 08:50:03 AM
#3

What's new here? Most of the users of MetaMask have a preliminary knowledge, and therefore at one point or another they can be traced easily, so leaking the IP address will be easy.
Even in Bitcoin, unless you administer a full node, some may be able to determine your IP address.

Using a reliable VPN and connecting to Tor will enhance your privacy, but the MetaMask wallet does not focus on privacy as much as on the ease of managing the wallet.

Ethereum gas for NFTs is also expensive, so these attacks cannot be random, but rather part of a social attack.
YOSHIE
Legendary
Activity: 2156
Merit: 1776
February 04, 2022, 09:32:03 AM
#4

"Lupascu found that malicious entities can find MetaMask mobile users' IP data by airdropping them NFTs."
How about those who use MetaMask only to exchange tokens to USDT or BNB, without accessing the NFT feature: is their IP still detected when they use it only for exchanges and transactions? Safe or not?

Yes, maybe from their side MetaMask should immediately fix the features you mentioned related to NFTs, for security and to avoid bad things. We all know that OpenSea etc., the NFT sales market, is always connected to the ETH wallet, so I think it should be resolved as soon as possible. I often see the assets of people who sell NFTs worth up to thousands of dollars stored and traded on the OpenSea market.

Findingnemo
Hero Member
Activity: 2380
Merit: 795
February 04, 2022, 11:38:59 AM
#5

No matter what kind of airdrop and bounty rewards, it is preferable to have a secondary wallet so you can avoid exposing your primary wallet balance. This is more of a privacy issue, not related to the security of our wallet, but MetaMask should act fast and resolve things with possible solutions.

martyMC
Member
Activity: 159
Merit: 11
February 05, 2022, 07:57:42 AM
#6

"Meanwhile, Lupascu says that he thinks Ethereum users should be vigilant if they receive airdropped NFTs, and that it’s advisable to only access them through OpenSea."
What do they mean exactly? I thought MetaMask was mandatory to access OpenSea. AFAIK you can't access OpenSea without WalletConnect software, so it will be hard to do such a thing. Besides that, I don't understand why MetaMask is still only available through a browser plugin; a standalone application would be way more secure IMO.
vv181
Legendary
Activity: 1932
Merit: 1273
February 05, 2022, 11:58:42 AM
#7

What do they mean exactly?
Browsing NFTs within MetaMask poses a risk of your privacy being compromised. The difference is that opening up/browsing the NFT in MetaMask may leak your IP, since your device (MetaMask) is directly communicating with the server hosting the NFT image; on the other hand, if you browse it on OpenSea, the concern is invalid.

You can read this article for the full detail: Critical privacy vulnerability — getting exposed by MetaMask

I thought MetaMask was mandatory to access OpenSea. AFAIK you can't access OpenSea without WalletConnect software, so it will be hard to do such a thing.
Yes, but it technically can also be accessed directly without MetaMask or any wallet.
fullhdpixel
Hero Member
Activity: 2856
Merit: 612
February 07, 2022, 10:11:41 AM
#8

No matter what kind of airdrop and bounty rewards, it is preferable to have a secondary wallet so you can avoid exposing your primary wallet balance. This is more of a privacy issue, not related to the security of our wallet, but MetaMask should act fast and resolve things with possible solutions.
Hackers in the crypto field are not picky; they will hack all accounts here as long as they can, no matter how much the user's balance is, because small amounts can add up to a larger value. But I like the suggestion you made. Often I receive scam coins from a random address; I sometimes wonder how they did that, but I realize that anyone can see the address I posted in the forms when I applied for bounties and airdrops.

This isn't just a privacy matter; our security is also at risk here. Clicking on the links associated with the coin or NFT that they sent can lead you to a phishing site which can empty your account.
