James Stanley

Drive-by identification of MetaMask users

Mon 1 May 2017

MetaMask is a Chrome plugin that turns an ordinary Chrome browser into a Dapp browser. A Dapp is a web app that is augmented to use the browser's local web3 object to access the Ethereum blockchain. Compared to Mist, another Dapp browser, MetaMask streamlines the user interface by not requiring users to "Connect" an account before using it in a Dapp.

Unfortunately, every website is just a Dapp that doesn't know it yet. And in MetaMask, you don't need to get any user permission before retrieving his account information using web3.

If a website you ended up on were to use MetaMask to collect a list of your Ethereum accounts and ship them off to a remote location to be permanently associated with your current IP address and User-Agent string, you would be none the wiser. There is no user permission required, and there is no feedback in the user interface. It is completely silent. Even if you inspected the source code and noticed the behaviour, by the time you realised it would be too late.

This blog post shows this. But it looks like you're either not using MetaMask, or are otherwise not vulnerable. Try viewing this post in Chrome with MetaMask installed.

If you're interested in your financial privacy... don't use MetaMask.

Update: Dan from MetaMask replied on reddit. It turns out MetaMask already have a github issue for this. Presumably this means it'll get fixed eventually, which is good news.

Update 2: For the first 24 hours, this post remotely logged the Ethereum account addresses. Write-up of results available here.