Thankfully, it was first discovered by ‘good hackers’ who immediately informed Metamask of the flaw, and told them how to fix it. Going by the name ‘The United Global Whitehat Security Team’ (UGWST), the organization was able to claim a $120,000 reward for finding the vulnerability.
Metamask tells us that there were no users affected by this vulnerability. UGWST seems to be the first and only to discover it, and they only shared their findings with Metamask.
The strategy consists of camouflaging malicious code on a site so that the user clicks on it without realizing it. For example, if you fall into clickjacking , by clicking “Play” on a video you could be conferring access to your funds in a wallet.
Metamask developers immediately fixed it…
Only users of the browser extension were ever at risk, but this is the most popular method of accessing Metamask wallets. The hackers demonstrated launching Metamask an iframe (that is, a website within another website) and setting it to 0% opacity, in other words in a completely transparent window – user would have no idea it existed. Then it’s a matter of tricking the user to click specific locations on their screen, unaware they’re actually pressing an invisible button that confirms a transaction.
It could look like a pop-up ad, but the ‘X’ to close it is actually the button to confirm sending all your Ethereum to someone, for example.
Make Sure You’re Up To Date…
By default Metamask automatically updates, but double check yours to be safe. Open Metamask, go to ‘settings’, then ‘about’, and make sure you have version 10.14.6 or above.
If any of those numbers are lower, you need to update.
Hacking for good can be a profitable venture…
Metamask awarding the bug finders $120,000 is a very common practice, virtually all major players in tech offer a ‘bug bounty’ giving hackers an alternative, completely legal way to turn their discoveries into profit.
UGWST, the organization that discovered this has also helped Apple, Reddit, Microsoft, and performed security audits for Crypto.com and OpenSea.
Although the material contained in this website was prepared based on information from public and private sources that AMPRaider.com believes to be reliable, no representation, warranty or undertaking, stated or implied, is given as to the accuracy of the information contained herein, and AMPRaider.com expressly disclaims any liability for the accuracy and completeness of the information contained in this website.