Metamask Chrome Extension

Experience the future of the internet with MetaMask Chrome extension. Safely navigate decentralized platforms, manage your digital assets, and embrace blockchain technology.

MetaMask has granted a bounty of $120,000 to the United Global Whitehat Security Team (UGWST), including René Kroka and José Almeida, for their responsible disclosure of a critical security vulnerability. There were no known instances of this vulnerability being exploited, and the MetaMask team has already patched the issue for its users. The vulnerability, which affected the browser extension only, consisted of the ability to run the MetaMask extension as a hidden layer on top of another website, allowing attackers to trick users into revealing their private data or sending crypto-assets without realizing it.

Background Information

iframes

The MetaMask browser extension can be viewed in two ways by users: as a small rectangular window that appears from the browser bar when clicking its icon, or in a full-page view. It cannot, and should never, be viewable within an iframe. An iframe is a widely used feature of HTML that allows content from one website to be displayed within the context of a different webpage. In and of itself, iframe technology is neither malicious nor a security threat. However, it can be used in deceptive ways to trick users; one such way is what’s known as clickjacking.

Clickjacking

The essential technique at play in this vulnerability consists of concealing the fact that MetaMask is open and that the user is in fact clicking on it. In this scenario, the user is directed to a webpage, let’s say an in-browser video game. The page loads, and the user has to click on a number of buttons in order to set up the game and begin playing it. The user clicks through these prompts, not realizing that superimposed on the video game is their MetaMask extension, open in an iframe with its opacity set to zero. Rather than clicking on prompts in a video game, they are clicking through prompts in MetaMask to send their crypto-assets to a malicious actor.

UGWST’s Discovery

What UGWST reported to MetaMask was that, under certain circumstances, they could get the MetaMask extension to run in an iframe. They illustrated that a bad actor could harness certain resources made web-accessible by the MetaMask extension to do so.
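Two defender-side checks that follow from the clickjacking description and the web-accessible-resource detail above, written as an added example (this is not MetaMask's code, and the function names and the sample manifest are assumptions): a frame guard an extension page can run before rendering sensitive UI, and an audit that lists which HTML pages a manifest exposes to ordinary websites via `web_accessible_resources`.

```javascript
// Added example, not from the MetaMask extension source. Names are assumed.

// 1. Frame guard. A page that must never be embedded (a wallet UI, for
//    instance) can check whether it is the top-level browsing context before
//    rendering anything clickable. `win` is a parameter so the logic can be
//    exercised outside a browser; in a real page call isEmbeddedInFrame(window).
function isEmbeddedInFrame(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // A cross-origin parent makes win.top throw; that only happens when framed.
    return true;
  }
}

// 2. Manifest audit. Any file listed under web_accessible_resources can be
//    fetched (and, for HTML, framed) by the sites it is exposed to, so HTML
//    entries and wildcards deserve review. Supports Manifest V2 (array of
//    strings, exposed to all origins) and V3 (array of {resources, matches}).
function exposedHtmlResources(manifest) {
  const entries = manifest.web_accessible_resources || [];
  const risky = [];
  const flag = (resource, matches) => {
    const isHtml = /\.html?$/i.test(resource);
    const isWildcard = resource === '*' || resource.endsWith('/*') || resource.endsWith('*.html');
    if (isHtml || isWildcard) risky.push({ resource, matches });
  };
  for (const entry of entries) {
    if (typeof entry === 'string') {
      flag(entry, ['<all_urls>']);
    } else if (entry && Array.isArray(entry.resources)) {
      for (const r of entry.resources) flag(r, entry.matches || []);
    }
  }
  return risky;
}

// Constructed sample manifest (not MetaMask's): one image and one HTML page
// exposed to every origin. Only the HTML page is reported.
const sampleManifest = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ['images/logo.png', 'ui/popup.html'], matches: ['<all_urls>'] },
  ],
};

console.log(exposedHtmlResources(sampleManifest)); // [{ resource: 'ui/popup.html', matches: ['<all_urls>'] }]
```

The guard does not replace server- or extension-level framing controls; it is a last-line check in the page itself.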

UGWST reported this vulnerability responsibly, and the MetaMask security team immediately applied a fix to the extension, which has been pushed out to all users. Again, there were no known instances of this vulnerability ever being exploited.
