Amid troubles with some user wallets due to a vulnerability, MetaMask explained the issue is not as big as perceived. According to security researchers at Halborn, a blockchain security firm, the bug affects a small segment of users. The affected users are found across many browser-based wallets including MetaMask.
Importantly, the vulnerability, which makes it possible to extract the Secret Recovery Phrase, is expected to be resolved eventually. However, the MetaMask team said it cannot guarantee a specific timeline. The bug does not affect MetaMask Mobile.
Vulnerability Affects Small Segment Of Wallets
Researchers said the MetaMask security threat, which arises in rare edge cases, was fixed in MetaMask Extension versions 10.11.3 and later. Dan Finlay, a developer working on MetaMask, said the bug impacts a small segment of MetaMask Extension users as well as users of other browser/extension wallets.
The researchers explained that users could be at risk if three conditions all apply to an individual wallet: the user's hard drive is unencrypted; the user imported the Secret Recovery Phrase into a MetaMask extension on a different device; and, at the same time, the user used the ‘Show Secret Recovery Phrase’ checkbox to view the phrase on-screen.
“This vulnerability is most likely to affect users who had a device compromised after importing Secret Recovery Phrase into MetaMask.”
MetaMask said it introduced new protections and that it will continue to reduce the risk.
Transfer Of Funds From Compromised Wallet
The researchers recommended migrating funds out of the vulnerable accounts as a precaution against the MetaMask security threat. They also had a suggestion for users who think other people could gain access to their computer: any computer that is not physically secure from other people should have full disk encryption enabled.
Last month, MetaMask announced the integration of Coinbase Pay on its platform to allow easy payment access for Web 3.0 developers with dApps.