A recent study indicates that Metamask cryptocurrency wallet users may be in danger of losing all their digital assets or perhaps facing physical threats. Alexandru Lupascu, a security expert and co-founder of the OMNIA protocol, discovered this vulnerability in the popular Web 3.0 wallet.
Lupascu found that a hostile actor can mint a non-fungible token (NFT), transfer it to a user for free, and thereby obtain that user’s IP address. A hacker could compromise someone’s privacy this way for as little as $50. “Do not underestimate the danger involved with IP leaks,” he said.
Lupascu said, “If hostile actors extract other information from the IP address (for example, geolocation, GSM provider, and so on), they might convert it into physical hazards, such as abduction.”
Additionally, this assault, according to the cryptographer, may be more “devastating” than a Distributed Denial of Service (DDoS) attack. To provide a basic comparison, this assault might be eight times more powerful than the Mirai botnet attack that brought down Twitter, Reddit, Spotify, GitHub, Netflix, and Airbnb in October 2016.
Alexandru described the attack step by step, from minting the NFT to delivering it to the target, obtaining the victim’s IP address, and finally compromising their privacy or even stealing their crypto assets. He tested it against the iOS Metamask app version 3.7.0, though the attack may also apply to the Android version. He created an NFT on OpenSea, the biggest marketplace for NFTs, then modified an ERC-1155 standard smart contract using the Remix Ethereum IDE.
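The article does not spell out the mechanism, but the usual reason a wallet leaks a viewer’s IP when rendering a token is that the client fetches the token’s metadata or image URL directly from whatever host the token author chose. The example below, added here and not code from Metamask, OMNIA or the researcher, shows the defensive policy a wallet can apply before loading any NFT image: content-addressed `ipfs://` references are rewritten to a trusted gateway, only an operator-chosen set of hosts may be contacted directly, and everything else is either routed through an operator-run proxy (so the token author sees the proxy’s address, not the user’s) or blocked. The host allowlist, the proxy URL and the sample metadata are all constructed assumptions.

```javascript
// Added defensive example (not Metamask, OMNIA or researcher code).
// Assumption: the IP leak comes from the client fetching the NFT image URL
// directly; the policy below keeps the client from contacting arbitrary hosts.

// Constructed allowlist: hosts the wallet operator permits clients to reach directly.
const DIRECT_HOSTS = new Set(["ipfs.io", "cloudflare-ipfs.com"]);
// Hypothetical operator-run proxy that fetches remote images on the client's behalf.
const PROXY_BASE = "https://nft-proxy.example/fetch?url=";
// Gateway used for content-addressed references (assumed trusted by the operator).
const IPFS_GATEWAY = "https://ipfs.io/ipfs/";

// Decide how (or whether) the image referenced by token metadata may be loaded.
// Returns { action: "direct" | "proxy" | "block", url?, reason? }.
function resolveImageUrl(metadata) {
  const raw = typeof metadata.image === "string" ? metadata.image : null;
  if (!raw) return { action: "block", reason: "no image field" };

  // ipfs:// URIs are content-addressed: the CID, not the token author, decides
  // what is served, so we only need to pick the host ourselves.
  if (raw.startsWith("ipfs://")) {
    const path = raw.slice("ipfs://".length).replace(/^ipfs\//, "");
    return { action: "direct", url: IPFS_GATEWAY + path };
  }

  let parsed;
  try {
    parsed = new URL(raw); // global URL in Node and browsers
  } catch {
    return { action: "block", reason: "unparseable URL" };
  }
  if (parsed.protocol !== "https:") {
    return { action: "block", reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (DIRECT_HOSTS.has(parsed.hostname)) {
    return { action: "direct", url: parsed.href };
  }
  // Any other host is never contacted from the client: the proxy fetches it,
  // so the token author only ever sees the proxy's IP address.
  return { action: "proxy", url: PROXY_BASE + encodeURIComponent(parsed.href) };
}

// Apply the policy to a batch of token metadata records.
function resolveAll(items) {
  return items.map((m) => ({ name: m.name, ...resolveImageUrl(m) }));
}

// Constructed sample metadata (not real tokens).
const SAMPLE_METADATA = [
  { name: "A", image: "ipfs://QmExampleCid123/art.png" },
  { name: "B", image: "https://cloudflare-ipfs.com/ipfs/QmExampleCid123" },
  { name: "C", image: "https://third-party.example/track.png" },
  { name: "D", image: "http://plain.example/x.png" },
];

for (const r of resolveAll(SAMPLE_METADATA)) console.log(r);
```

The important design choice is the default: an unknown host gets the proxy, not a direct fetch, so adding a new token standard or marketplace never silently reopens the leak.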
Have they rectified the situation?
According to Lupascu, he discovered the security hole and reported it to the Metamask team on December 14, 2021, but the team did not fix it at the time and instead promised a fix by Q2 2022. “For us, it is unacceptable to put such a big user base at danger for an extended period of time,” he added, “particularly if this was known in advance, as they allege.”
After the study was made public, Daniel Finlay, the creator of Metamask, acknowledged, “I believe this problem has been publicly recognised for a long length of time, and hence I believe there is no need for a disclosure period.”
“Alex is correct in calling us out for not addressing it sooner,” Finlay said. “Begin work on it immediately. We appreciate the kick in the pants and are sorry it was necessary.”
Notably, Metamask’s parent company, ConsenSys, invested $200 million in anticipation of Metamask reaching 21 million monthly active users in November 2021. The most popular cryptocurrency wallet also serves as a portal to 3,700 decentralised Web 3.0 apps (dApps).