The popular digital asset wallet MetaMask has eliminated a critical vulnerability that could have resulted in the loss of cryptocurrencies.
The flaw was discovered by the United Global Whitehat Security Team (UGWST), which received $120,000 from MetaMask as a reward for the find.
According to the company, analysts René Kroka and José Almeida found the wallet’s critical security flaw.
However, the company highlighted that malicious actors did not actually exploit the flaw, and the MetaMask team said it has already fixed the problem for its users.
“The vulnerability, which only affected the browser extension, consisted of the ability to run the MetaMask extension as a hidden layer on top of another website. This allowed attackers to trick users into revealing their private data or sending crypto without realizing it,” MetaMask highlighted.
Critical failure in MetaMask
As the company highlighted, users can view the MetaMask browser extension in two ways.
The first is a small rectangular window that appears in the browser bar when clicking on the extension's icon. The second is a full-page view.
In other words, the extension cannot and should not be displayed inside an iframe. An iframe is an HTML element that embeds the content of one web page inside another.
The team explained that the iframe itself is not malicious and does not pose a security threat. But malicious actors can abuse it to trick users into clicking on hidden interface elements, a technique known as clickjacking.
Understand the clickjacking technique
In practice, the technique conceals the fact that the wallet extension is open within the web page. For example, a user might open a browser-based video game that asks them to click through several prompts to configure the game and start playing.
“So he clicks on those prompts without realizing the game has imposed its MetaMask extension open on him in an iframe. So, instead of clicking through prompts in a video game, he’s clicking through prompts in MetaMask to send his digital assets to a malicious actor,” the team clarified.
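The defence against the scenario above, and against the iframe embedding described in the previous section, is for a sensitive page to detect that it is being framed and refuse to render, backed by response headers that tell the browser not to frame it at all. The following is an added illustration written for this article, not MetaMask's own code; the `makeWindow` helper is a constructed stand-in for the browser `window` object so the logic can be exercised outside a browser.

```javascript
// Added example (not MetaMask's code): frame detection and anti-framing
// headers, the standard mitigations for clickjacking of a sensitive UI.

// Decide whether a document is embedded in an iframe. For a top-level page
// window.self and window.top are the same object; for an embedded page they
// differ. Touching win.top can throw for a cross-origin parent under strict
// settings, so an exception is treated as "framed" (fail closed).
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true;
  }
}

// What the sensitive page should do: render normally only at top level.
function chooseRenderMode(win) {
  return isFramed(win) ? 'blocked' : 'full';
}

// Server-side counterpart: headers that make the browser refuse to frame the
// page regardless of any JavaScript (defence in depth).
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Constructed stand-in for a browser window, used for offline testing.
// framed=true simulates an embedded document; crossOriginTop=true simulates a
// parent that blocks access to window.top.
function makeWindow(framed, crossOriginTop = false) {
  const win = {};
  win.self = win;
  if (crossOriginTop) {
    Object.defineProperty(win, 'top', {
      get() { throw new Error('cross-origin access denied'); },
    });
  } else {
    win.top = framed ? {} : win;
  }
  return win;
}

// Browser-side usage: at startup, replace the page with a notice if framed.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  if (chooseRenderMode(window) === 'blocked') {
    document.documentElement.innerHTML =
      '<p>This page refuses to run inside a frame.</p>';
  }
}
```

The JavaScript check alone is not sufficient, because a hostile parent can sandbox the frame to block scripts; the headers are what make the browser refuse the embedding outright, and the script only adds a visible failure for the user.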
Finally, the team urged users to make sure their MetaMask extension is updated to at least version 10.14.6.