
Keep your Metamask locked when you are not using it

By @behiver

After the hack of a fellow community member, @belemo, who lost funds in the 5-digit range (see the post "My BSC wallet was hacked and all my assets were stolen: Coping, Security and an expensive lesson"), here are some minimal measures you can take if you use a software wallet like Metamask rather than a hardware wallet, so that you do not make life easy for hackers.

Several vulnerabilities have been revealed in Chrome in which the sandbox is escaped, giving an attacker the ability to execute arbitrary commands in the user's terminal. Such a vulnerability could also read the data of the Metamask plugin while Metamask is in an unlocked state, and the attacker would then be able to read the private key information. To avoid this, when you are not using Metamask to interact with DApps or DeFi tools, you can manually lock it.

To do this, open Metamask, click the menu button in the upper right corner and hit the Lock button. This locks the Metamask wallet right away, and you will need your password to access any information in it. Browsing the web with a locked MetaMask should not expose any of your MetaMask addresses to any site.

Still, there are different ways a hacker might try to get the credentials of your Metamask wallet, depending on whether it is unlocked or locked. Based on its state, here are some of the attack methods hackers might try.

  • Unlocked MM wallet
    • Fake notification that your last outgoing transaction failed, but now pointing at a different address
    • Fake request to “sign for” your most recent incoming transaction
    • Cloning MetaMask’s CSS on a phony website
  • Locked MM wallet
    • Fake notification encouraging a user to unlock their MetaMask
    • Phishing the user with a fake Metamask popup
    • A timing attack on a phony website that can access MM when it is opened in another tab (I think this is the most dangerous one, as you might not even notice it: even though you accessed the phony site, you think that you didn't log into it).

Stay safe and, better still, hold your funds in a hardware wallet. If you are using a software wallet, take minimal precautions: lock your wallet when you are not using it, and don't click on phony sites or on out-of-the-blue airdrops that appear in your wallet!

Posted Using LeoFinance Beta