MetaMask advises users to disable automatic iCloud backups of its wallet data to prevent hacks

Quick Take

  • MetaMask has notified users that automatic data backups in Apple devices can possibly lead to stolen funds.
  • The warning came a few days after one MetaMask user lost $655,000 worth of assets due to a compromised iCloud account.

MetaMask, a popular Web3 wallet, cautioned that automatic Apple iCloud backups could be a risk factor that can allow hackers to steal funds from its users.

The wallet software maker has advised users to disable such data backups. 

The team stated in a Twitter thread Sunday that its users' funds can be stolen if they have enabled a backup of MetaMask data on their Apple mobile devices. Such a compromise could occur if someone gained illicit access to the sensitive app data uploaded to iCloud -- particularly via phishing attacks.

"If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds," the MetaMask team wrote.

The warning came a few days after a MetaMask user named Domenic Iacovone claimed to have lost several NFTs and assets estimated to be worth $655,000 in total after someone took over their iCloud account.

What appears to have happened is that a hacker gained control of Iacovone's iCloud account and stole the wallet's Keystore — a file with JSON format that held an encrypted version of the wallet's private key needed to authorize transactions.

Notably, Apple’s mobile devices can automatically upload app data. In the backup process, files containing private keys (which are meant to only be used locally on the device) can get uploaded to Apple's cloud servers, which malicious entities may gain access to in the event of a phishing attack, for example.

According to Serpent, a founder of a crypto-focused security firm Sentinel, the perpetrator posed as someone from "Apple Inc" and sent text messages to Iacovone asking to reset his Apple ID password. The hacker called Iacovone on his phone number and used a spoofed caller ID.

In obtaining the code, the hacker was given the ability to change the security password, and then subsequently gained access to Iacovone's private key file. This, in turn, opened the door to their MetMask wallet and the ability to transfer out the affected assets. 

Iacovone posted that several of his non-fungible tokens (NFTs) were taken away in the event, including three NFTs from Mutant Ape Yacht Club (#28478, #8952, #7536) and three Gutter Cat Gang (#2280, #2769, #2325). In addition to these NFTs, Iacovone stated the hacker transferred out $100,000 worth of APE tokens.

It appears from this event that neither MetaMask nor Apple is at fault. The incident occurred due to weak operational security from Iacovone coupled with a native feature within Apple devices, and one which users can turn off. The MetaMask team has, nevertheless, advised people to disable iCloud backups, posting the details of the steps to turn it off. 

In the past, a series of incidents have targeted owners of high-value NFTs, either through email-based phishing or by spreading phishing links aimed to take over crypto wallets like MetaMask. Just last month, The Block reported that 35 NFTs, including Bored Apes, were stolen via phishing attacks spread via malicious links on the social media platform Twitter.  

MetaMask did not respond to a request for comment by press time.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.