Help Desk Solution Security Incident for MetaMask Users (December 7th, 2017)

Overview

  • MetaMask provides support (support.metamask.io) to its users through a third-party help desk solution
  • The third-party provider, HappyFox, had a security breach in which information from users’ tickets was viewable by an external third party. This vulnerability has since been patched
  • Only users who used the third-party help desk between June 27th, 2017 and December 7th, 2017 were affected; all other users remain unaffected and their data is secure
  • MetaMask is working with HappyFox to investigate the breach and data leak
  • MetaMask is switching to a different help desk provider on December 27th, 2017. In the meantime, our current help desk system has been patched and is no longer susceptible to this vulnerability
  • If you think you may have been affected by the breach, you should immediately follow the instructions in the “Recommendations” section below

A note on account access and security:

If during the ticket resolution process you shared either your MetaMask 12 word seed phrase or your account’s private key, we strongly urge that you both migrate to a new seed phrase and transfer your assets to a known secure address. We have provided resources below in the “Recommendations” section to assist you through this process. As a reminder: Please do not share your private key or seed words with anyone. The MetaMask team will never ask for or encourage you to share this information.

What Happened?

On December 8th, 2017, HappyFox notified the MetaMask team that their software had been the subject of a data security incident, where tickets were accessed and viewable by an external party. MetaMask software and infrastructure were in no way compromised. Only MetaMask users who consented to use this third-party help desk service when submitting tickets are affected by the breach. The general population of MetaMask users remains unaffected.

After discussing the incident with HappyFox as well as conducting an internal security review, we must conclude that the following information from MetaMask user support tickets between the dates of June 27th, 2017 and December 7th, 2017 was leaked to an unknown external third party:

  • Support user contact names
  • Email addresses
  • Phone numbers (if voluntarily shared by the end-user)
  • Ticket body content
  • Contact messages/replies
  • Staff messages/replies

We never ask for nor encourage users to share sensitive data in any circumstance. As MetaMask stores and encrypts all data associated with accounts locally on the browser, we never ask for users to send their seed phrases or private keys. However, we feel we must alert the community to the potential threat to users’ security and privacy.

If during the ticket resolution process you shared either your MetaMask 12 word seed phrase or your account’s private key, we strongly urge that you both migrate to a new seed phrase and transfer your assets to a known secure address. We have provided resources below in the “Recommendations” section to assist you through this process.

Who Was Affected?

The security incident resulted in 94% of all MetaMask tickets between the dates of June 27th, 2017 and December 7th, 2017 being exposed to an unknown individual through use of HappyFox’s software print ticket function.

When Did This Occur?

The incident occurred on December 7th, 2017, when at 21:08:34 (UTC) HappyFox, our external help desk solution, began observing an uncommonly large number of requests from a set of IPs on their end. By 21:20:05 (UTC) that same day, HappyFox had identified and applied a patch to mitigate the issue. Shortly thereafter, at 22:08:25 (UTC), the individual exploiting the data leak made contact with HappyFox. MetaMask staff were alerted to the data leak the following day, on December 8th, 2017. MetaMask’s account was one of several vendor accounts that were subject to the leak.

Where Did This Happen?

The data leak occurred on the third party’s ticketing software, a service that they have hosted on Amazon Web Services. HappyFox does not know the legal identity or the geographic location of the individual responsible for the data leak.

Why Did This Happen?

The reason for the data leak and its subsequent exploitation is unknown at this time. The proof of concept used by the individual responsible for the data leak was used directly on HappyFox’s live environment without their explicit permission or knowledge. Only after conducting and validating the proof of concept on HappyFox’s live environment did the individual make first contact with HappyFox in an attempt to secure compensation in the form of a bug bounty. As of December 15th, 2017, the individual had not yet received compensation from HappyFox for identifying and acting on the data leak exploit, and it must also be noted that HappyFox is in the process of establishing their bug bounty program. We are continuing to investigate the extent of the data leak.

How Did This Happen?

Based on discussions with HappyFox, it seems the individual created a script to loop through URLs and pull data from their software’s print ticket function through the exploitation of broken authentication business logic. The print ticket function has since been disabled and the attack vector is no longer valid. To reiterate, this security incident occurred only on HappyFox’s end. MetaMask’s software and infrastructure remain untouched and intact.
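
As an added illustration (not HappyFox’s or MetaMask’s code), the request pattern described above, one client pulling many different tickets’ print views in a short time, can be flagged from access logs. The log format, the /tickets/<id>/print path and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical log format and URL path; the page does not give the real ones.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "GET /tickets/(?P<tid>\d+)/print" (?P<status>\d{3})$'
)

def find_ticket_enumeration(lines, window_seconds=60, max_distinct=5):
    """Return {ip: peak number of distinct ticket IDs fetched inside any
    sliding window} for clients whose peak exceeds max_distinct."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "200":
            continue  # only successful print views disclose ticket content
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_ip[m["ip"]].append((ts, int(m["tid"])))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        window = deque()           # events currently inside the time window
        counts = defaultdict(int)  # ticket id -> occurrences inside the window
        peak = 0
        for ts, tid in events:
            window.append((ts, tid))
            counts[tid] += 1
            # Evict events older than the window before measuring.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old = window.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

# Constructed sample log: documentation-range IPs and made-up ticket IDs.
SAMPLE_LOG = (
    [f'2017-12-07T21:08:{34 + i:02d}Z 203.0.113.7 "GET /tickets/{1000 + i}/print" 200'
     for i in range(12)]
    + ['2017-12-07T21:09:00Z 198.51.100.4 "GET /tickets/4411/print" 200',
       '2017-12-07T21:09:05Z 198.51.100.4 "GET /tickets/4411/print" 200',
       '2017-12-07T21:09:30Z 198.51.100.4 "GET /tickets/4412/print" 200',
       '2017-12-07T21:09:40Z 192.0.2.9 "GET /tickets/7/print" 403']
)

if __name__ == "__main__":
    print(find_ticket_enumeration(SAMPLE_LOG))
```

Counting distinct ticket IDs rather than raw requests keeps an agent who reloads the same ticket from being flagged, while a client walking through IDs stands out quickly.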

Recommendations

We advise that you use this incident as an opportunity to revisit your security practices by migrating to a new 12 word seed phrase and moving all assets to known secure addresses. We have included the below guides and knowledge base articles to assist you through this process.

MetaMask Knowledge Base: Migrating to a New Seed Phrase: https://support.metamask.io/kb/article/17-migrating-to-a-new-seed-phrase

MyEtherWallet: Protecting Yourself and Your Funds: https://myetherwallet.github.io/knowledge-base/security/securing-your-ethereum.html

Medium: MyEtherWallet: Stop Getting Phished. Here’s How: https://medium.com/@myetherwallet/stop-getting-phished-heres-how-310694d8fc5f

Next Steps

In response to this incident, the MetaMask team has decided to transition to a new help desk solution. Using what we have learned from this incident and through researching the ever evolving threat landscape, we have identified Help Scout as our new ticket management system. MetaMask will begin the process of transitioning to our new help desk system on December 27th, 2017.

In the meantime, our current help desk system has been patched and is no longer susceptible to the print ticket vulnerability. We ask that you continue submitting tickets and interacting with MetaMask through the ticket management system at support.metamask.io, both now and after we have transitioned to the new third party ticket management system.