From Crypto Briefing:
https://cryptobriefing.com/ethereum-wallet-metamask-has-critical-privacy-vulnerability/
"A cryptographer and security analyst has revealed how MetaMask users are at risk of exposing their IP address to hackers."
[...]
"Lupascu found that malicious entities can find MetaMask mobile users' IP data by airdropping them NFTs."
[...]
"By default, the MetaMask mobile app displays NFTs stored in an address using a URL function call to the image data. This data is hosted on remote servers. The process is done without asking for the user’s consent in order to display what NFTs are contained in their Ethereum wallet.
"During this fetching process, all server gateways handling the transmission of image data receive the user’s IP information. Generally, the projects operating the servers for the image data keep the data secure.
"In his investigation, Lupascu determined that malicious entities can find MetaMask users’ IP data and exploit the information to execute targeted attacks. In his blog post, Lupascu explained:
“If a malicious actor only knows your blockchain address, he can mint an NFT with a URL pointing to his server and transfer the NFT’s ownership to your address. Thus, when your crypto wallet fetches the remote image from the server, it will compromise your privacy.”
[...]
"Meanwhile, Lupascu says that he thinks Ethereum users should be vigilant if they receive airdropped NFTs, and that it’s advisable to only access them through OpenSea."
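
One way a wallet UI could gate the automatic image fetch described in the quoted article, as an added example that is not MetaMask's code or part of the original post. The function name, the `trustedHosts` and `gatewayHost` options, the policy itself and the sample metadata are all assumptions made for illustration.

```javascript
// Added example: decide whether a wallet UI may auto-load an NFT image.
// imageLoadDecision, trustedHosts and gatewayHost are hypothetical names.
const GATEWAY_SCHEMES = new Set(["ipfs:", "ar:"]); // fetched through an HTTP gateway

function imageLoadDecision(metadata, { trustedHosts = [], gatewayHost = null } = {}) {
  const raw = metadata && typeof metadata.image === "string" ? metadata.image.trim() : "";
  if (!raw) return { action: "skip", reason: "no image field" };

  let url;
  try {
    url = new URL(raw);
  } catch {
    return { action: "skip", reason: "unparseable image URI" };
  }

  // data: URIs are embedded in the metadata, so rendering contacts no server
  // (assumes the renderer does not follow external references inside SVG).
  if (url.protocol === "data:") {
    return url.pathname.startsWith("image/")
      ? { action: "load", reason: "inline image, no network request" }
      : { action: "skip", reason: "data URI is not an image" };
  }

  // Work out which host would see the user's IP address if the image were fetched.
  let contactedHost;
  if (url.protocol === "https:" || url.protocol === "http:") {
    contactedHost = url.hostname;
  } else if (GATEWAY_SCHEMES.has(url.protocol)) {
    if (!gatewayHost) return { action: "ask", reason: "no gateway configured", host: null };
    contactedHost = gatewayHost;
  } else {
    return { action: "skip", reason: `unsupported scheme ${url.protocol}` };
  }

  // Only hosts the user has explicitly approved are fetched without a prompt.
  const approved = trustedHosts.map((h) => h.toLowerCase());
  return approved.includes(contactedHost.toLowerCase())
    ? { action: "load", reason: "host approved by user", host: contactedHost }
    : { action: "ask", reason: "remote fetch would reveal IP to host", host: contactedHost };
}

// Constructed sample metadata for an unsolicited token (not from any real NFT).
const SAMPLE = { name: "Airdrop #1", image: "https://img.unknown-host.example/1.png" };
```

An `ask` result means the UI shows a placeholder and names the host before any request leaves the device, which is the consent step the article says is missing.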