On Wednesday, MetaMask said that it discovered a critical security flaw in older versions of its crypto wallet with the help of security researchers at Halborn. The security company was awarded $50,000 for this discovery.
For MetaMask users on versions prior to 10.11.3, the potential vulnerability applies only when three conditions are all met:
- The hard drive is not encrypted
- A secret recovery phrase was entered into the MetaMask extension on a compromised, stolen, or unauthorized device
- The “Show recovery secret phrase” option was used to display the recovery secret phrase on screen during import
“We have only discovered that the Secret Recovery Phrase can be extracted under very specific circumstances, and we are able to introduce new protections in the amount of time Halborn has been waiting to save. revealed.”
Apparently, the exploit affects all browser versions of the MetaMask wallet prior to the 10.11.3 update, on all operating systems, if all three conditions are met. It does not affect mobile versions.
MetaMask is warning affected users when moving their funds from. However, keep in mind that all three conditions need to be met for the vulnerability to work on older versions.