Browser Crypto Wallets - No Security, Just Your Trust

Submitted by Xilodyne on Fri, 05/27/2022 - 10:53

After a seven-year crypto hiatus I needed to exchange some BTC for crypto via IBC on a DEX.  Things have certainly changed since the last time I did anything in the crypto realm.  IBC?  DEX?  Staking?  Another learning curve to tackle.  One big change is that I'm not able to use desktop wallets in which I have total control over the environment.  Rather, the wallets are browser extensions accessing Decentralized Exchanges (DEXs).  For instance, Osmosis needs two Chrome extension wallets (MetaMask and Keplr) open at the same time to perform my exchanges.

The wallets have amazing functionality with the ability to reach out to specific blockchains and perform transactions.  Plus lots of other features (from MetaMask on Firefox: "Enables access to: Web 3.0, Dapps, NFTs, erc20, tokens. ICOs. erc721. ERC 1155 ...and more!").

Convenience at the Expense of Security

Great.  Until I read the privacy permissions allowed to the wallets.  It's a terrible browser extension security model, not like later Android versions where one can view the app properties and turn off permissions.  Instead I have to trust the extension I'm using isn't malicious.  Is there an attack vector that allows the extension to be modified?  Probably.  Browser security is constantly probed for vulnerabilities by bad actors and security updates are required regularly.  Can my keys be stolen?  They appear to be stored in plaintext.  How do I really know what permissions an extension has?

I've focused here on MetaMask but it is the same for all of the wallets I looked at.  Some wallets are coin specific so one may not have a choice in using it.  And the crazy personal wallet permissions are terrible for both Chrome and Firefox. 
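One way to answer "what permissions does this extension have?" is to read the manifest.json shipped inside the installed extension. The script below is an added example, not code from this post or from any wallet project; the sample manifest and the BROAD_HOSTS / SENSITIVE_API shortlists are constructed for illustration.

```python
import json

# Assumed shortlists for this example; extend them to match your own risk model.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*", "file://*/*"}
SENSITIVE_API = {"clipboardRead", "clipboardWrite", "webRequest", "tabs", "history",
                 "cookies", "nativeMessaging", "downloads", "debugger", "scripting"}

def is_host_pattern(perm):
    """Host match patterns contain a scheme separator; API names do not."""
    return perm == "<all_urls>" or "://" in perm

def audit_manifest(manifest):
    """Summarise what a parsed manifest.json grants the extension."""
    declared = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # Manifest V3 lists host patterns separately; V2 mixes them into "permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in declared if is_host_pattern(p)}
    # Content scripts run inside every matching page without a separate permission.
    injected = set()
    for script in manifest.get("content_scripts", []):
        injected |= set(script.get("matches", []))
    api = {p for p in declared if not is_host_pattern(p)}
    return {
        "manifest_version": manifest.get("manifest_version"),
        "api_permissions": sorted(api),
        "sensitive_api": sorted(api & SENSITIVE_API),
        "host_access": sorted(hosts),
        "content_script_matches": sorted(injected),
        "all_sites": bool((hosts | injected) & BROAD_HOSTS),
        "optional": sorted(manifest.get("optional_permissions", [])),
    }

# Constructed sample manifest (not copied from any real wallet extension).
SAMPLE = json.loads("""{
  "manifest_version": 2,
  "name": "Example Wallet (constructed)",
  "permissions": ["storage", "clipboardWrite", "activeTab",
                  "http://localhost:8545/", "https://*.example.org/*"],
  "content_scripts": [{"matches": ["file://*/*", "http://*/*", "https://*/*"],
                       "js": ["contentscript.js"]}]
}""")

if __name__ == "__main__":
    import sys
    # Pass the path to an installed extension's manifest.json, or run on the sample.
    m = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE
    for key, value in audit_manifest(m).items():
        print(f"{key}: {value}")
```

Chrome keeps each installed extension unpacked in the profile's Extensions/<extension id>/<version>/ directory, so the script can be pointed at that manifest.json; the extension id is the last path segment of the Chrome Web Store URL.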

MetaMask on Chrome

https://chrome.google.com/webstore/detail/metamask/nkbihfbeogaeaoehlefnkodbefgpgknn/

MetaMask collects the following User Activity.  For example: networking monitoring, clicks, mouse position, scrolling or keystroke logging.

Keystroke logging? Yikes!

MetaMask on Firefox

https://addons.mozilla.org/en-US/firefox/addon/ether-metamask/

Because it adds functionality to the normal browser context, MetaMask requires the permission to read and write to any webpage. You can always "view the source" of MetaMask the way you do any Chrome extension, or view the source code on Github: https://github.com/MetaMask/metamask-plugin

Perfect.  I can review the code.  JavaScript is such a pleasant language to trace.  Just joking, it's terrible.  Libraries galore.  And how would I know that there is an exploit there?  Or that the code on GitHub is the same as what is running in my browser?

And the mystery of the browser environment doesn't help when people have problems.

Possible MetaMask Issues
https://addons.mozilla.org/en-US/firefox/addon/ether-metamask/reviews/?score=1

by Firefox user 13631654, April 2022

Like others got hacked without sharing password or recovery phrase; lost 3500 worth crypto. Unable to figure how was done. Do not use this wallet.

 

by jakhhh&O, March 2022

Ok people. I've lost 350 BUSD tokens. They were simply stolen. I've never shared neither password or secret phrase. Looking for activity from metamask.

 

Was it the wallet?  Blockchain issue?  Browser issue?  Desktop hacked?   How can one tell with open permissions?

There are lots of five star ratings for MetaMask and it is one of the more popular wallets.  I've been using MetaMask and Keplr without problems but I'm not 100% comfortable with them like I am with the bitcoin core wallet.

Security Mitigations

It isn't clear to me what all of the attack vectors are for browser extensions.  I have done the following.  I'm using Chrome as there isn't a Keplr for Firefox.

Dedicate a browser just for wallets.  I do not install extension wallets on browsers I normally use for financial and personal websites.  Generally I use Chrome for financial, Firefox for personal.

Trust, trust, trust.  Fingers crossed.  Knock on wood.  As the DEX needs both wallets open at the same time I can only trust that the extension wallets (and the website) aren't logging my passwords, stealing / modifying information on the webpage, extensions and clipboard, or reading the file system.

Sandbox it.  My quick and dirty solution was to clone a Windows 8 VMware instance just for Chrome.  Windows 8 runs Win10 & Win11 programs without problems.  Windows 8 also has a very strong security model (one of the main criticisms that were relaxed for Windows 10).

Turn off browser syncing.  I do not log into Google on Chrome so the browser does not have the possibility of syncing with my other Chrome browsers.

Keep control if possible.  For the non-esoteric coins with low cost transfer fees, I transfer them out of the extension wallets to my desktop wallets or Coinbase for coins that don't have desktop wallets.  Coinbase could be a (small) risk as well.  I'm hoping Coinbase doesn't go bankrupt and take all of my coins.

Any suggestions?  Send an email to aholiday@xilodyne.com and I'll post it here.