
Metamask Discovers Critical Vulnerability That Allowed Cryptocurrency Theft


The popular digital asset wallet MetaMask has eliminated a critical vulnerability that could have resulted in the loss of cryptocurrencies.

The flaw was discovered by the United Global Whitehat Security Team (UGWST). The organization received $120,000 from MetaMask as a reward for the find.

According to the company, analysts René Kroka and José Almeida found the wallet’s critical security flaw.

However, the company highlighted that malicious actors did not actually exploit the flaw. Furthermore, the team at MetaMask said that it has already fixed the problem for its users.

“The vulnerability, which only affected the browser extension, consisted of the ability to run the MetaMask extension as a hidden layer on top of another website. This allowed attackers to trick users into revealing their private data or sending crypto without realizing it,” MetaMask highlighted.

Critical failure in MetaMask

As the company explained, users can view the MetaMask browser extension in two ways.

The first is a small rectangular popup window that appears in the browser toolbar when clicking on the extension's icon. The second is a full-page view.

In other words, the extension cannot and should not be displayed inside an iframe. An iframe is an HTML element that embeds the content of one web page inside another web page.

The team explained that the iframe itself is not malicious and does not pose a security threat on its own. But malicious actors can use it to trick users. This technique is known as clickjacking.

Understand the clickjacking technique

In practice, the technique concealed the fact that the wallet extension was open in the page. For example, a user might open a web page for a browser-based video game and need to click through various buttons to configure the game before playing it.

“So he clicks on those prompts without realizing the game has imposed its MetaMask extension open on him in an iframe. So, instead of clicking through prompts in a video game, he’s clicking through prompts in MetaMask to send his digital assets to a malicious actor,” the team clarified.
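The defense against this class of attack is for the extension page to refuse to render its UI when it is not the top-level document. The following is an added example, not MetaMask's own code: a fail-closed frame check that a sensitive page can run before drawing any confirmation prompts, exercised against constructed stand-ins for browser window objects (no real DOM is used).

```javascript
// Added example (not MetaMask's code): detect whether a UI page is being
// rendered inside an iframe, the precondition for the clickjacking technique
// described above, and refuse to render sensitive UI when it is.

// Returns true when `win` is embedded in another document.
// `win.top` is the outermost browsing context; for a top-level page it is the
// window itself. Reading `win.top` can throw under some cross-origin
// conditions, so a throw is treated as "framed" to fail closed.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (_err) {
    return true;
  }
}

// Decide how a wallet-style extension page should behave: render the
// transaction-confirmation UI only when running as a top-level document
// (popup or full-page view). Returns an object so the decision is testable.
function renderDecision(win) {
  if (isFramed(win)) {
    return { render: false, reason: 'embedded-in-frame' };
  }
  return { render: true, reason: 'top-level' };
}

// Constructed stand-ins for browser window objects:
const topLevelWindow = {};
topLevelWindow.self = topLevelWindow;
topLevelWindow.top = topLevelWindow;   // top-level page: top === self

const embeddedWindow = {};
embeddedWindow.self = embeddedWindow;
embeddedWindow.top = topLevelWindow;   // framed page: top is another window

// A window whose `top` accessor throws, as a cross-origin parent can cause:
const opaqueWindow = {
  get self() { return this; },
  get top() { throw new Error('SecurityError: cross-origin access'); },
};

console.log(renderDecision(topLevelWindow));  // render: true
console.log(renderDecision(embeddedWindow));  // render: false
console.log(renderDecision(opaqueWindow));    // render: false (fail closed)
```

In a real extension this check belongs alongside, not instead of, declarative framing restrictions such as a `Content-Security-Policy: frame-ancestors` directive, since script-based checks alone can be bypassed in some browsers.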

Finally, the team asked users to ensure that their MetaMask extension is at least version 10.14.6.
