MetaMask Awards Bug Bounty for Clickjacking Vulnerability

Jordan Spence
Published in MetaMask
Jun 2, 2022

MetaMask has granted a bounty of $120,000 to the United Global Whitehat Security Team (UGWST), including René Kroka and José Almeida, for their responsible disclosure of a critical security vulnerability. There were no known instances of this vulnerability being exploited, and the MetaMask team has already patched the issue for its users. The vulnerability, which affected the browser extension only, consisted of the ability to load the MetaMask extension's interface as an invisible layer on top of another website, allowing attackers to trick users into revealing their private data or sending crypto-assets without realizing it.

Background Information

iframes

The MetaMask browser extension can be viewed in two ways: as a small rectangular popup that opens from the browser toolbar when its icon is clicked, or in a full-page view. It cannot, and should never be, viewable within an iframe. An iframe is a widely used HTML feature that lets content from one website be displayed within the context of a different webpage. In and of itself, iframe technology is neither malicious nor a security threat. However, it can be used in deceptive ways to trick users; one such technique is known as clickjacking.

Clickjacking

The essential technique in this vulnerability consists of concealing the fact that MetaMask is open and that the user is in fact clicking on it. In this scenario, the user is directed to a webpage, let's say an in-browser video game. The page loads, and the user has to click a series of buttons to set up the game and begin playing. The user clicks through these prompts, not realizing that superimposed on the video game is their MetaMask extension, open in an iframe with its opacity set to zero: rather than clicking prompts in a video game, they are clicking through MetaMask's confirmation prompts and sending their crypto-assets to a malicious actor.
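To make the scenario concrete, here is an added example written for this article; it is not code from the original post or from MetaMask. The first function assembles the attacker's decoy page as described above (a transparent iframe covering a "game"); the second is the check a defender runs against a web page's response headers to decide whether a given origin may frame it at all, applying the standard browser rules (CSP `frame-ancestors` takes precedence over `X-Frame-Options`; with neither header present, any site can frame the page). The origins, header values and decoy page are constructed for the example.

```javascript
// Added example (not MetaMask code): the decoy page from the clickjacking scenario above,
// and the response-header check a defender uses to decide whether a page can be framed.
// Origins, header values and the decoy page below are constructed for illustration.

// Attacker side: a decoy "game" page with the target loaded in a transparent iframe that
// covers the whole viewport, so the victim's clicks land on the target's real buttons.
function buildClickjackPage(targetUrl) {
  return `<!doctype html>
<html><body>
  <button style="position:absolute;top:200px;left:100px">Start game</button>
  <iframe src="${targetUrl}"
          style="position:absolute;top:0;left:0;width:100%;height:100%;
                 opacity:0;z-index:10;border:0"></iframe>
</body></html>`;
}

// Defender side: decide whether `embedderOrigin` may frame a page served from
// `targetOrigin` with the given response headers. CSP frame-ancestors wins when
// present; browsers that understand it ignore X-Frame-Options entirely.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname, port: u.port || (scheme === 'https' ? '443' : '80') };
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {            // "*.example.com" matches subdomains only
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// One CSP source expression: 'none', 'self', '*', a scheme ("https:") or a host-source.
function sourceMatches(src, embedder, target) {
  src = src.toLowerCase();
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src === "'self'") {
    return embedder.scheme === target.scheme && embedder.host === target.host &&
           embedder.port === target.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.scheme === src.slice(0, -1);
  // host-source: [scheme://]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme && scheme !== embedder.scheme) return false;
  if (!hostMatches(hostPattern, embedder.host)) return false;
  return !port || port === '*' || port === embedder.port;
}

// Extract the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestorsSources(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

function framingAllowed(headers, targetOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const target = parseOrigin(targetOrigin);
  const embedder = parseOrigin(embedderOrigin);
  const sources = frameAncestorsSources(h['content-security-policy']);
  if (sources) {
    // An empty source list is equivalent to 'none'.
    return sources.some(src => sourceMatches(src, embedder, target));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sourceMatches("'self'", embedder, target);
  return true; // no framing protection at all: clickjackable from any origin
}

// Stand-alone demo with constructed origins: a page with no headers is frameable by anyone.
console.log(framingAllowed({}, 'https://wallet.example', 'https://evil.example'));
console.log(framingAllowed({ 'Content-Security-Policy': "frame-ancestors 'none'" },
                           'https://wallet.example', 'https://evil.example'));
```

Note that these headers only govern pages fetched over HTTP(S). An extension page is served from a `chrome-extension://` URL and carries no response headers, so whether a website can embed it is decided by what the extension declares as web-accessible, not by `X-Frame-Options` or CSP.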

UGWST’s Discovery

What UGWST reported to MetaMask was that, under certain circumstances, they could get the MetaMask extension to load in an iframe. They demonstrated that a bad actor could achieve this by using certain resources that the MetaMask extension declared as web-accessible (resources an extension exposes to ordinary websites, which any page can then request by URL).
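To make the "web-accessible resources" point concrete, here is an added check written for this article, not MetaMask's own code: it audits an extension manifest for HTML pages exposed through `web_accessible_resources`. Any such page can be loaded by an ordinary website at `chrome-extension://<extension-id>/<path>`, including inside a hidden iframe, which is exactly the precondition for the clickjacking described above. The two manifests and their file names are constructed for the example and say nothing about which MetaMask resource was actually involved.

```javascript
// Added example (not MetaMask code): audit an extension manifest for HTML pages exposed
// through web_accessible_resources. Any page listed there can be loaded by a website as
// chrome-extension://<extension-id>/<path>, including inside a transparent iframe.
// The manifests below are constructed for the example; the file names are hypothetical.

const WEB_PAGE_EXT = /\.(html?|xhtml)$/i;

// Normalise both manifest formats to a list of { resources, matches } entries.
// Manifest V2: web_accessible_resources is a flat array of paths, exposed to every origin.
// Manifest V3: an array of objects, each with "resources" and a "matches" allow-list.
function webAccessibleEntries(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) {
    return [{ resources: war, matches: ['<all_urls>'] }];
  }
  return war.map(e => ({ resources: e.resources || [], matches: e.matches || [] }));
}

// A match pattern that covers every host, e.g. "<all_urls>", "*://*/*", "https://*/*".
function matchesAnyOrigin(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Return one finding per exposed HTML resource, with the origins allowed to embed it.
function findEmbeddablePages(manifest) {
  const findings = [];
  for (const entry of webAccessibleEntries(manifest)) {
    for (const res of entry.resources) {
      // A bare "*" exposes every file in the package, HTML pages included.
      if (!(WEB_PAGE_EXT.test(res) || res === '*')) continue;
      findings.push({
        resource: res,
        matches: entry.matches,
        anyOrigin: entry.matches.some(matchesAnyOrigin),
      });
    }
  }
  return findings;
}

// Constructed "before": a V2 manifest listing an extension page, embeddable by any site.
const weakManifest = {
  manifest_version: 2,
  name: 'example-wallet',
  web_accessible_resources: ['images/logo.png', 'popup.html', 'fonts/*'],
};

// Constructed "after": V3, only non-HTML assets exposed, and only to one origin.
const hardenedManifest = {
  manifest_version: 3,
  name: 'example-wallet',
  web_accessible_resources: [
    { resources: ['images/logo.png', 'fonts/*'], matches: ['https://wallet.example/*'] },
  ],
};

console.log(findEmbeddablePages(weakManifest));     // one finding: popup.html, any origin
console.log(findEmbeddablePages(hardenedManifest)); // []
```

Manifest V2 exposes every listed resource to every origin; V3 adds a `matches` allow-list. Even so, the safe default for any page that renders a signing or confirmation UI is to leave it out of `web_accessible_resources` altogether, since a permitted origin can itself be compromised or framed.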

UGWST reported this vulnerability responsibly, and the MetaMask security team immediately applied a fix to the extension, which has been pushed out to all users. Again, there were no known instances of this vulnerability ever being exploited.

For your security, make sure your MetaMask extension is updated to at least version 10.14.6. If you need help manually updating your MetaMask version, see here.

Staying Safe in Web3

MetaMask considers user security to be of maximum importance, especially in an ecosystem where users are the custodians of their own data. MetaMask’s goal is to enable and empower users, and with that power and capability comes the corresponding accountability for their own security.

If you’re new to the space, take a look at our Knowledge Base to learn some security essentials, and no matter your experience level, we recommend you enable full-disk encryption to protect your data.
