Vulnerability found in older versions of the MetaMask wallet



Security researchers at Halborn have discovered a vulnerability in most browser wallets, including MetaMask. The problem affects a small segment of users.

Experts have uncovered a case where, under certain conditions, the secret recovery phrase used by web wallets could be extracted from the disk of a hacked computer.

The developers fixed the vulnerability in MetaMask Extension 10.11.3.

However, they warned that users who meet the following conditions may be at risk: the hard drive was not encrypted; the recovery phrase was imported on someone else's device, or the computer was compromised; and the "Show Recovery Passphrase" checkbox was used to view the text on the screen.

The MetaMask team noted that the vulnerability exists because browsers do not treat attacks with physical access as a threat and store all text inputs in the device's memory. The risk can be completely eliminated only by full disk encryption.


The developers also recommend clearing the browser cache and protecting the computer with anti-virus software.

“Neither the wallet nor the software can protect themselves if the system they operate on is compromised,” they noted.

Halborn received a $50,000 reward for the disclosure of the vulnerability.