MetaMask and Phantom crypto wallets fix browser extension vulnerability

Quick Take

  • Security firm Halborn discovered a critical bug affecting popular web3 wallets like MetaMask and Phantom.
  • The vulnerability — which has now been fixed — made it possible for hackers to extract recovery seed phrases from computer disks.

Popular crypto wallets, including MetaMask and Phantom, suffered for months from a critical vulnerability in their browser extension software, according to a report on Wednesday from cybersecurity firm Halborn.

The vulnerability, dating back to September 2021 and now fixed, put users' funds at risk as it made it possible for hackers to extract wallet recovery seed phrases stored on computer disks. However, no exploits have yet been reported that could be tied to the vulnerability.

In the report, Halborn's researchers said the seed phrases generated by the wallet providers were being saved on users' computers in plain text as part of the "Restore Session" feature. This meant a malicious actor could read the phrase, and with it take over the wallet, using malware or physical access to the machine. Halborn added that it had worked with the wallet providers to patch their wallets against the vulnerability.
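As an added illustration of the defect class described above (it is not code from Halborn, MetaMask or Phantom): a session-restore routine that serializes the whole in-memory state, seed phrase included, beside one that strips secrets first, plus a leak check a wallet project could run as a regression test before anything is written to disk. The field names and the sample state are assumptions.

```python
"""Restore-session persistence: the blob written to disk must never carry
wallet secrets in the clear. Field names below are assumed, not a real
wallet's schema."""
import json
from pathlib import Path

# Fields whose cleartext value must never reach disk (assumed names).
SECRET_FIELDS = {"mnemonic", "seedPhrase", "privateKey"}

# Constructed sample in-memory state; the phrase is a placeholder, not a wallet.
SAMPLE_STATE = {
    "selectedAddress": "0x0000000000000000000000000000000000000001",
    "network": "mainnet",
    "mnemonic": " ".join(["placeholder"] * 12),
    "lastActive": 1680000000,
}


def persist_session_insecure(state: dict) -> str:
    """Vulnerable pattern: dump the entire state, secrets included."""
    return json.dumps(state)


def persist_session_hardened(state: dict) -> str:
    """Persist only what a restore needs; secrets stay in the encrypted vault."""
    return json.dumps({k: v for k, v in state.items() if k not in SECRET_FIELDS})


def leaked_secrets(blob: str, state: dict) -> list[str]:
    """Names of secret fields whose cleartext VALUE appears in blob.
    Matching on values, not keys, also catches a renamed or nested copy."""
    return sorted(k for k in SECRET_FIELDS if k in state and str(state[k]) in blob)


def write_session(path: Path, state: dict) -> str:
    """Serialize with the hardened routine and refuse to write on any leak."""
    blob = persist_session_hardened(state)
    leaks = leaked_secrets(blob, state)
    if leaks:
        raise RuntimeError(f"refusing to write session: cleartext {leaks}")
    path.write_text(blob)
    return blob
```

The same `leaked_secrets` check can be pointed at an existing session file to audit what an older build left behind.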


MetaMask, the most popular web3 wallet on Ethereum, clarified that the critical security issue affected only a "small segment of users" and that the vast majority of users were not at high risk. The MetaMask team added that it already issued mitigations against the vulnerability in its latest update of the wallet's browser extension.

Meanwhile, Phantom, the most-used web3 wallet on the Solana blockchain, said it began issuing fixes in January, three months after the vulnerability was initially flagged by Halborn. Furthermore, Phantom plans on rolling out another exhaustive patch next week, it said.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Authors

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]
Anushree covers how U.S. businesses and corporations are moving into crypto. She has written about business and tech for Bloomberg, Newsweek, Insider, and others. Reach out on Twitter @anu__dave