Breaking Change: No Accounts Exposed by Default

On November 6th, MetaMask will introduce an optional “Privacy Mode”, which requires that dapps ask permission to view users’ accounts. Dapps should update their code to support this feature, which will be enabled by default in the future.

Paul Bouchon
Aug 7, 2018 · 4 min read

Breaking change

In order to better protect user privacy, MetaMask and other dapp browsers will stop populating the injected Ethereum provider with user accounts by default. Instead, dapps must request access to user accounts, which will in turn ask the user to approve or deny access to the Ethereum blockchain. If the user approves access, the provider will be populated with accounts and the dapp can initiate account-requiring transactions as they normally would.

What this means for users

Over the next few months, users may begin to see more “Login” or “Connect” buttons on dapps. These buttons will prompt a popup from MetaMask (or other dapp browser of choice) asking if the user wants to grant the site access to their public account information. The extension will remember which sites have been approved until the user clears their list.

Draft UI for MetaMask’s user-approved account access implementation

Privacy mode

The MetaMask settings menu will expose a new “privacy mode” option that can be used to opt in to and out of this privacy-preserving behavior. If “privacy mode” is enabled, MetaMask will not automatically expose users’ account addresses to the sites they visit. Instead, sites must specifically request access to see users’ accounts. If “privacy mode” is disabled, legacy behavior will be maintained and MetaMask will automatically expose users’ account addresses to websites. This means that legacy dapps that are not immediately updated to support this change can still be used by disabling privacy mode.

What this means for developers

The Ethereum provider injected by MetaMask and other dapp browsers will now be available at window.ethereum for convenience. Before reading user accounts or initiating RPC method calls that require user accounts, such as eth_sendTransaction, dapps must now request access to user accounts by calling a new method on the provider: ethereum.enable(). This method returns a Promise that’s either resolved with user accounts after user approval, or rejected with an Error after user rejection.
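The following is an added example, not code from the post or from MetaMask, showing how a dapp can gate account-requiring calls behind the `ethereum.enable()` approval described above. The provider is passed in as a parameter so the logic can run outside a browser (in a page it would be `window.ethereum`); `makeMockProvider` is a constructed stand-in that simulates approval, rejection and a legacy provider without `enable()`, and the `sendAsync`/`eth_accounts` fallback for such legacy providers is an assumption about pre-v4.14.0 behaviour, not something the post specifies.

```javascript
// Added example: request account access via the provider's enable() method,
// handle user rejection, and only build an account-requiring call once
// accounts have actually been approved. Not MetaMask's own code.

const ERR_NO_PROVIDER = 'no Ethereum provider injected';
const ERR_USER_REJECTED = 'user rejected account access';

// True when the provider implements the new approval flow (privacy mode).
function supportsAccountApproval(provider) {
  return Boolean(provider) && typeof provider.enable === 'function';
}

// Resolves with the approved account list, rejects with an Error otherwise.
async function requestAccounts(provider) {
  if (!provider) throw new Error(ERR_NO_PROVIDER);

  if (supportsAccountApproval(provider)) {
    try {
      const accounts = await provider.enable(); // prompts the user in a real browser
      return Array.isArray(accounts) ? accounts : [];
    } catch (err) {
      const reason = err && err.message ? err.message : String(err);
      throw new Error(ERR_USER_REJECTED + ': ' + reason);
    }
  }

  // Assumed legacy path: providers without enable() still answer eth_accounts
  // via the callback-style sendAsync(payload, cb) interface.
  return new Promise((resolve, reject) => {
    const payload = { jsonrpc: '2.0', id: 1, method: 'eth_accounts', params: [] };
    provider.sendAsync(payload, (err, res) =>
      err ? reject(err) : resolve((res && res.result) || []));
  });
}

// Only invoke an account-requiring builder (e.g. an eth_sendTransaction
// payload) after approval; refuse when no account is available.
async function sendWhenApproved(provider, buildTx) {
  const accounts = await requestAccounts(provider);
  if (accounts.length === 0) {
    throw new Error('no accounts available; cannot build transaction');
  }
  return buildTx(accounts[0]);
}

// Constructed mock provider for offline use. `approve` controls whether
// enable() resolves or rejects; `legacy` produces a provider with no enable().
function makeMockProvider({ approve, accounts, legacy = false }) {
  if (legacy) {
    return {
      sendAsync(payload, cb) {
        if (payload.method === 'eth_accounts') {
          cb(null, { jsonrpc: '2.0', id: payload.id, result: accounts.slice() });
        } else {
          cb(new Error('mock does not implement ' + payload.method));
        }
      },
    };
  }
  return {
    enable() {
      return approve
        ? Promise.resolve(accounts.slice())
        : Promise.reject(new Error('User denied account access'));
    },
  };
}

// Constructed placeholder address, not a real account.
const SAMPLE_ACCOUNT = '0x1111111111111111111111111111111111111111';

// Stand-alone demo when run under Node (no window.ethereum available).
if (typeof window === 'undefined') {
  requestAccounts(makeMockProvider({ approve: true, accounts: [SAMPLE_ACCOUNT] }))
    .then((accounts) => console.log('approved accounts:', accounts));
  requestAccounts(makeMockProvider({ approve: false, accounts: [SAMPLE_ACCOUNT] }))
    .catch((err) => console.log('expected rejection:', err.message));
}
```

In a real page, `requestAccounts(window.ethereum)` would be wired to the "Connect" button the post describes, and the rejection branch is where the dapp should show a clear "access denied" state rather than assuming an account exists.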

Preparing your dapp

As of MetaMask v4.14.0, the provider is already available at window.ethereum and it exposes the new enable method. Calling this method today won’t trigger an approval popup and accounts will continue to be exposed to dapps until November 2nd; still, dapps can and should be updated as soon as possible to call the new enable method to ensure compatibility with the upcoming change.

  1. Install the build following these instructions.
  2. Enable “privacy mode” in the MetaMask settings menu.
  3. Report any issues on Github.

Conclusion

Making a breaking change has been a difficult decision for us, but we believe it is better than leaving our users prone to privacy violations. We hope this method of requesting provider access will pave the way for a variety of more advanced login strategies, such as requesting a specific network, accounts of a particular type, or even user-approved personal information.

MetaMask

MetaMask is a bridge that allows you to visit the distributed web of tomorrow in your browser today. It allows you to run Ethereum dApps right in your browser without running a full Ethereum node.
