Security Notice: Extension Disk Encryption Issue

Researchers from Halborn found a case where user keys could be found unencrypted on disk in rare edge cases, which has been fixed for MetaMask Extension versions 10.11.3 and later

Dan Finlay
MetaMask

--

Background

Security researchers at Halborn have disclosed an instance where a Secret Recovery Phrase used by web based wallets like MetaMask could be extracted from the disk of a compromised computer under some conditions. The following does not impact MetaMask Mobile users, and impacts a small segment of MetaMask Extension users as well as users of other browser/extension wallets. We felt this violated the user expectations of our password lock feature, and could therefore put some users at risk. We have since implemented mitigations for these issues, so these should not be problems for users of the MetaMask Extension versions 10.11.3 and later. If all of the following three conditions apply to you, you may be at risk, and you should read below for next steps:

  • Your hard drive was unencrypted
  • You imported your Secret Recovery Phrase into a MetaMask extension on a device that is in possession of someone you do not trust, or your computer is compromised
  • You used the “Show Secret Recovery Phrase” checkbox to view your Secret Recovery Phrase on-screen during that import process. (see image)

Impact

This affects:

  • All desktop operating systems and browsers that we have tested.
  • We tested on Windows, macOS, and Linux, with Google Chrome, Chromium, and Firefox browsers.
  • All versions of the MetaMask extension (prior to v10.11.3) on all browser versions.

This does not affect MetaMask Mobile.

The Secret Recovery Phrase does get cleared eventually, but we cannot make guarantees about when at this time.

This vulnerability is most likely to affect users who had a device compromised or stolen soon after importing their Secret Recovery Phrase into MetaMask.

If all of the above conditions apply to you, then your Secret Recovery Phrase may be accessible to someone with access to the computer you imported your Secret Recovery Phrase on, and you may want to consider migrating funds from those accounts to be safe. We have prepared a guide to migrating account funds here. Use of any third party migration tools must be used at your own risk.

This vulnerability could be exploited either by a person with physical access to your machine or by malware. However, if your device is compromised by malware, there are already many other attacks we cannot protect against (like keyloggers, direct memory access, and program control).

If you think you are vulnerable to this

If your computer is not physically secure from people you do not trust, we recommend you enable full disk encryption on your system. Additionally, you are not affected by this if your funds are managed by a hardware wallet. You can learn more about our hardware wallet support here.

Affected users should consider migrating the funds from the accounts generated by that Secret Recovery Phrase to new accounts generated by a new Secret Recovery Phrase. We’ve set up a guide to help you do this if needed, and assembled a few software options that can help make it easier.

The rest of this document will provide some additional details, and suggestions about how to best keep your wallet safe. At a later date we will disclose more specifics about the nature of the issue, so that other software developers can avoid these issues themselves, but for now we are first disclosing recommended user actions to minimize the risks of theft.

How secure am I?

As stated before, if a computer is compromised–either outside of your physical control, or has malicious software on it–you can’t be sure of the security of any program running on it.

This is a problem that has been acknowledged and discussed by the 1Password team, a popular password manager. Explaining the difficulties in solving it, Jeffrey Goldberg, a Principal Security Architect at 1Password, stated: “This is a well-known issue that’s been publicly discussed many times before, but any plausible cure may be worse than the disease.”

If you’re using a password manager, you’re likely more secure than those who aren’t — yet even password managers aren’t immune to flaws.

Conclusion

Ultimately we’ve learned that our password encryption feature’s security was partially undermined by browser behavior. Since browsers themselves consider physical access attacks to be outside of their threat model, and our current wallet is built on top of the browser, it has proven labor-intensive to reduce the size of this attack surface, and it may be impossible to fully eliminate it. Ultimately it is likely that only full disk encryption can provide your computer strong safety against physical computer access.

Is this something that you should have expected? It depends whether you thought your Secret Recovery Phrase could be recovered on disk or not. If you assumed your computer needed to be kept secure, you should be fine. If you believed the MetaMask password implied that no one with access to your computer was able to extract your accounts, then this may be a surprise to you.

At a high level, it should generally be expected for computers/browsers/etc. to store text inputs on some level, whether temporarily or permanently. However, due to the nature of how significant it is to keep your Secret Recovery Phrase secure, this specific scenario needs attention brought to it so users can act accordingly.

Fortunately, it seems that the password is still providing some level of security. We’ve only found that the Secret Recovery Phrase could be extracted under very specific circumstances, and we’ve been able to introduce new protections over the period that Halborn has waited to disclose, and have a few more we plan to implement. We will continue to introduce additional security mechanisms that reduce this risk even more. This means it is still good practice to lock your wallet if you’re not using it (or passing your computer to someone else).

A few important things:

  1. Please take the time to enable full disk encryption on your computer. It’s the only way to be sure that someone with physical access to your computer isn’t able to extract all of its contents. We also recommend the usage of hardware wallets as an additional security measure.
  2. Clear your browser cache data (our research shows this may help some users in some cases)
  3. Remember that it’s your responsibility to keep your computer secure. No wallet or software can keep itself safe if the system it runs on is compromised. Take time to learn how to avoid installing a virus on your computer.

Here are a few guides for keeping different operating systems secure:

Conclusion

We’d like to express our thanks to the team at Halborn for responsibly disclosing this, and for all of their hard work helping to protect this space. See more of their work.

We’ve awarded Halborn $50,000 USD for this discovery.

Have concerns, want to learn more, or have a bug you’d like to disclose? Please reach out to us at security@metamask.io.

MetaMask is hiring! If you’re someone who can help make our products and this industry safer and more secure, consider joining our team.

--

--

Dan Finlay
MetaMask

Decentralized web developer at ConsenSys working on MetaMask, with a background in comedy, writing, and teaching.