July flew by, and we’re back with another update! We’ve got some big announcements here, and a fresh version of the extension (4.9.0) just hit browsers near you. Read on to learn what your new MetaMask has in store.

Trezor support

We’re happy to announce support for Trezor hardware wallets! If you have a Trezor, you can now connect it to MetaMask and use it to sign transactions across the web. From the top-right menu, click “Connect Hardware Wallet,” follow a couple easy steps, and you’re ready to go.

For best results, make sure your Trezor is updated to the latest firmware. And if you don’t have a Trezor, get one! Remember, you shouldn’t be using MetaMask (or your main computer) to store large amounts of Ether. Hardware wallets greatly reduce your risk to hackers. Hat tip to Bruno B. for the solid work (#4625). Read more here.

Breaking Change: No longer injecting web3 automatically

For anyone who cares about privacy on the web, this is big news. For a long time, MetaMask (and most other dapp browsers) have automatically injected an Ethereum provider and web3 instance into every page you visit. This has made it easy for dapps to get up and running as the ecosystem evolved. On the downside, this is a huge privacy issue: exposing the web3 object and a user’s Ethereum addresses could give malicious sites enough info to fingerprint, track, and phish in a seriously dangerous way.

MetaMask (along with Status, Mist, and imToken) plan to stop injecting an Ethereum provider and web3 instance by default. Instead, dapps can use the `postMessage` API to request access from the user. To the user, this will look a bit like a traditional log in flow.

Since this change has implications for every dapp out there, we’re taking it slow. We aim to make this change on November 2, and we’ll be releasing example code and UI components along the way to keep things simple for dapp developers.

To learn more, check out our blog post or the original EIP 1102. This change also leads neatly into an updated version of the Ethereum provider API, described in EIP 1193.

Draft UI for MetaMask’s EIP 1102 implementation (log-in per site)

ENS is here

This new version of MetaMask adds support for resolving ENS domains! When you type a `.eth` URL in your web browser, MetaMask will resolve the ENS Public Resolver `getContent` hash to the corresponding IPFS hash, and redirect your browser to content served from Infura. [Head to metamask.eth to try it out!] or read this tutorial to posting your own sites on ENS & IPFS! Loading sites over ENS allows sites to be updated by smart contracts instead of the traditional DNS system, potentially reducing the risk of DNS related hacking and phishing that we’ve seen so much of lately. Big shout-out to Phyrex Tsai of portal.network for making this contribution (#4405). Check him out at phyrextsai.eth with MetaMask installed!

The ENS/IPFS integration is currently reliant on Infura for its distribution and security, but we’re working towards including more and more of the security client-side over time.

The disappearing fox

On Wednesday 7/26, the MetaMask extension was mistakenly removed from the Chrome store for several hours. As most of our users are on Chrome, this caused trouble for our release process and our users’ security. We’re back up and running smoothly, and you can read our informal post-mortem here.

MetaMask is hiring!

Our family is growing. If you’re a product designer, security expert, or Javascript whiz — we’d love to chat. If you know someone, send them our way!

What else is new?

Version 4.9.0 is out and looking better than ever. Most of our UI improvements happen on the Beta UI, and you haven’t switched over yet, you’ll see a screen on startup suggesting you give it a try.

  • The fresh version includes a new Confirmation Screen (below), with a simpler visual hierarchy, displays for contract method names (from the Parity method signature registry) a hex data input, a clearer summary of value for token transfers, and even warnings for nuanced interactions like “approve” token function calls.
New confirmation screens with function names and transaction data
  • MetaMask is lucky to attract a lot of first-time blockchain users. For many, it’s not obvious that token balances are tracked on contracts, unlike the Ether balance intrinsic to an account. Now, known tokens will appear automagically. We’ll scan our list of known popular tokens and check your address against each, hopefully reducing some clicks & headaches. (#4683)
  • For our power users out there, MetaMask can get cluttered with loose accounts. You’re now able to remove loose or imported accounts in the Beta UI from the drop-down menu in the top right. (#2638)
You can now remove loose accounts from the top-right menu
  • The “Send” screen in our Beta UI has a few new tweaks, including an input for optional hex data, more specific error messaging, and a better display of your account address. (#4814, #4694, #4822)
  • The “Home” screen in the Beta UI has a couple upgrades as well: we’re no longer showing rejected transactions on the activity log, and we’ve added small tooltips to make navigation a little smoother. (#4667, #4779)
  • The UI component we use for displaying signature requests now handles newlines and booleans (#4167, #4640). And if you’re a developer out there using `eth_signTypedData`, heads up! The next version of MetaMask will update to the recently-merged EIP 712 spec, and you may need to update your application accordingly. Check our open PR here.
  • Sometimes the Ethereum blockchain is slow. Rather than stay glued to the extension to wait for your transactions to land, we’ll now show you a browser notification when your transactions confirm or fail. (#4080)

That’s not all — we’ve patched up some odds and ends around the extension. Bug fixes include:

  • Preventing multiple password submission (#4769)
  • Don’t persist seed phrase during Old UI restore flow (#4735)
  • Stop closing other pop-ups accidentally (#4592)
  • Handle token amount overflow (#4575)
  • Updates to our contract metadata list (#4709)

Heads up: New Permissions

Our ENS support and browser notifications require new permissions for interacting with your browser. If you’re using Chrome and you see a new permissions request, it’s legit. We’re asking to change data on .eth and .test sites, as well as permission to display browser notifications.

By the numbers

As always, huge thanks to our wonderful community for their feedback, support, and contributions to help MetaMask continually improve.

In the past month, we saw:

✅ 68 PRs merged

🛠 439 commits

💫 117 Github issues closed, 77 opened

💥 43k lines of code added, 36k deleted