Cryptographer and security analyst Alexandru Lupascu, the co-founder of OMNIA protocol, found Metamask vulnerable. During his recent research, he came across and pointed out that Metamask crypto wallet users could be in jeopardy and might lose all their digital assets.
In his recent medium article, he mentioned that he spent time with this team researching different NFT airdrop situations. They bumbled upon a scenario that could compromise the privacy of more than 21 million people.
“It’s quite a potent scenario, too, as it has the potential to be eight times more devastating than a Distributed Denial of Service (DDoS) attack. And I’m saying that after comparing it to some of the most notorious attacks to hit the news last year.”
Alexandru Lupascu
How dangerous is it?
Alexandru shows how a malevolent actor may create an NFT, transmit it to a victim, and acquire their IP address, putting their privacy at risk. This is a significant privacy flaw in the blockchain ecosystem that anyone may attack for as little as $50.
Do not undervalue the threat posed by IP leaks. Alexandru adds: if hostile actors obtain other information from the IP address (such as geolocation or GSM carrier), they may transform it into a physical threat, such as kidnapping.
Alexandru detailed how the invasion is carried out, from minting an NFT to sending it to the target, obtaining the victim’s IP address, and, finally, jeopardizing their privacy or stealing their crypto assets. He used the iOS Metamask software version 3.7.0 to test this attack, but it might also apply to Android.
Are the users safe now?
Alexandru identified the flaw in early December 2021, and after examining Metamask’s Mobile security policy, they contacted them on December 14, 2021.
They informed us that this is a known problem being addressed as part of a responsible disclosure schedule.
After the study went public, Daniel Finlay, the founder of MetaMask, verified the problem and pledged to resolve it as soon as possible. He also added, “Alex is right to call us out for not addressing it sooner. Starting work on it now. Thanks for the kick in the pants, and sorry we needed it.”