Edited June 18, 2018 to reflect our latest understanding of Cloudflare’s security, and mitigation strategies. Apologies if we misrepresented any security issues.

MetaMask allows users to interact with Ethereum-compatible sites by putting users in control of their own account secrets, in the form of the 12 secret words the user is shown when first setting up.

This is very powerful, but also potentially dangerous, because each user is responsible for the secrecy of their own seed words. If a hacker can trick you into sharing those words, they can steal everything in your accounts.

Recently, a number of websites have shown this screen to users out of nowhere. The screen impersonates the MetaMask user interface in the top right of the window, asking the user to enter their wallet seed words.

This form then sends the seed words up to a private server, and presumably the funds are drained from all of that user’s accounts.

If you have seen this screen, and entered your seed words into it, it may already be too late, your accounts may already be drained. Please contact MetaMask Support immediately.

Affected Sites

Sites we know have been affected so far include:

BTC Manager

Games Workshop

Trakt TV (unresolved at the time of this writing)

If you’re a user of any of those sites and MetaMask, and have noticed you recently lost some funds, please contact MetaMask Support immediately.

The affected sites appear to all use Cloudflare to configure their DNS settings, and this appears to be where the attacker is redirecting the sites to their own imposter sites. Since this has affected multiple sites, if you are using Cloudflare, you should be extra vigilant. Some of the sites had 2FA for all of their users, but the settings were updated by API using their API keys.

From what we can tell, Cloudflare has dangerously coarse API access permissions, and at least three common roles have permission to edit DNS settings. These permissions are often shared with plugins you add to your Cloudflare account. That would mean installing a plugin on Cloudflare can be like giving that plugin’s author permission to redirect your site to whatever they’d like.

As a security conscious team, this is very concerning, and we would advise any web masters using cloudflare to rotate their API keys regularly, review who has DNS editing permissions (Admin, SuperAdmin, DNS), and minimize those permissions.

What We’re Doing

MetaMask is taking a multi-pronged approach to this attack. The first prong is user education, via this post. MetaMask will never spontaneously ask you for your seed words, and is actually totally incapable of popping up in the top right without the user clicking the fox (as are all WebExtensions)! If you ever see this kind of popup on a site, contact us immediately!

MetaMask is currently working with the affected groups to find other common factors, to help us narrow down on the attack vector that is allowing so many sites to become compromised, to help prevent this attack in the future.

We are also working on improving our early-detection strategies, to narrow the window during which users can be affected by this attack.

Since this attack relies on detecting MetaMask users by the web3 API, we will be making MetaMask users undetectable on unauthorized websites. You can read more on EIP 1102.

We also have a couple of other efforts that we will report on if they are effective.

If you have ideas for other strategies you’d like to make sure we’re pursuing, please get in touch, we’d be happy to collaborate. We’re also looking to hire some new security engineers, to focus on these kinds of issues full time, so if this is your kind of topic, let us know!