If you are a user of an in-browser Ethereum wallet such as MetaMask or Parity, then it is possible that other websites are able to identify you as an Ethereum user.
This is according to a thorough disclosure by a Twitter user, John Backus. He took to Twitter to give a full proof of concept (PoC) of how another website in a separate browser tab can identify you.
The crux of the matter lies in the web3 global objects that these browser wallets automatically insert into every page you visit, with Parity even disclosing your wallet address.
Metamask and Parity inject a global web3 object into the page. For example, the attached screenshots show Metamask and Parity both injecting web3 into the page I'm tweeting from. Parity even exposes the current account address by default. pic.twitter.com/NL9ZCtw3bM
— John Backus (@backus) January 21, 2018
Even though the websites in question are not able to send transactions, there is something unsettling in knowing that other websites can identify you as an Ethereum user. Moreover, would you want someone to know how much ETH you hold?
Detecting Wallet Unlocks
The researcher went on to demonstrate through animated GIFs how another website in a separate browser tab could add event listeners in its code. This would mean that it would be able to detect when you were unlocking your wallet.
The other website would then be able to obtain your public address as well as spot that you have just unlocked your browser wallet. It is this knowledge that is particularly troubling.
So, armed with this information, the attacker knows that you are probably about to send a transaction. As seen below, they can spoof the MetaMask confirmation window with one of their own, fooling the user into sending the funds.
If the user just unlocked their wallet for another tab then they are probably about to send a transaction. The attacker can detect the unlock, wait 30 seconds, then pop up their own transaction. Attached gif is an example attack when the user is in the middle of using an exchange pic.twitter.com/1FljviXydN
— John Backus (@backus) January 21, 2018
There are also other attack vectors that could present themselves. The malicious site could check the web3 properties and see that the user is specifically a MetaMask user. Hence, they could just as easily insert their own lookalike MetaMask logo in the top right.
Of course, having funds stolen is only one aspect of it. There is also the fact that other websites can specifically track and target you with ads. They will already have a profile of you and have substantial data on you.
Although these are disconcerting demonstrations, the developer did mention that the team at MetaMask had been in open discussion on the dangers of the global web3 object and the manner in which it could be abused.
He also went through a few solutions that the developers at MetaMask could implement in order to neutralise the risks, such as whitelisting the domains that are permitted to call MetaMask, as well as possible changes to the extension itself.
If you are somebody who is really concerned about the potential for tracking in the interim, then you can consider disabling MetaMask in Chrome by default when you are not using it. This means that an attacker cannot detect whether the app is enabled or not.
There are also some UI improvements that the developers could consider so that potential attackers cannot spoof the MetaMask notification window. They could include a notice that explains which domain has requested the transaction.
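To show the design difference the post is pointing at, here is an added example (not code from the post, MetaMask or Parity) that models an injected wallet provider in plain JavaScript: the same two tabs are run once with the account exposed to every page by default, and once with the address and the unlock event gated behind a per-origin approval, the whitelisting idea mentioned above. The function names and the sample address are assumptions of this model.

```javascript
// Added example (not MetaMask's or Parity's code): a toy injected-wallet
// provider. exposeByDefault = true mirrors the behaviour described above;
// false gates the address and unlock events behind per-origin approval (the
// whitelisting idea). All names here are assumptions of this model.
function makeWallet({ exposeByDefault }) {
  // Constructed sample state; not a real address.
  const state = { unlocked: false, address: '0x00000000000000000000000000000000c0ffee01' };
  const approved = new Set();   // origins the user explicitly allowed
  const listeners = new Map();  // origin -> callbacks registered by that page
  const canSee = (origin) => exposeByDefault || approved.has(origin);
  return {
    // What a page at `origin` learns by reading the injected global object.
    inspect(origin) {
      return {
        walletDetected: true,   // the global object itself is still visible here
        accounts: canSee(origin) && state.unlocked ? [state.address] : [],
      };
    },
    // A page registers for account changes (the listener trick described above).
    onAccountsChanged(origin, cb) {
      if (!listeners.has(origin)) listeners.set(origin, []);
      listeners.get(origin).push(cb);
    },
    // The user approves a site in the wallet UI (what an allow-list prompt would do).
    approveOrigin(origin) { approved.add(origin); },
    // The user unlocks the wallet; only pages allowed to see the account are told.
    unlock() {
      state.unlocked = true;
      for (const [origin, cbs] of listeners) {
        if (canSee(origin)) cbs.forEach((cb) => cb([state.address]));
      }
    },
  };
}
// Two tabs open: an approved exchange and an unrelated page that only listens.
function demo(exposeByDefault) {
  const wallet = makeWallet({ exposeByDefault });
  const seen = { exchange: [], other: [] };
  wallet.onAccountsChanged('https://exchange.example', (a) => seen.exchange.push(...a));
  wallet.onAccountsChanged('https://other.example', (a) => seen.other.push(...a));
  wallet.approveOrigin('https://exchange.example');
  wallet.unlock();
  return {
    exchangeSawUnlock: seen.exchange.length === 1,
    otherSawUnlock: seen.other.length === 1,
    otherReadsAddress: wallet.inspect('https://other.example').accounts.length === 1,
  };
}
```

In the default-exposed run the unrelated tab both sees the unlock and reads the address; in the gated run it still detects that a wallet is injected, but learns nothing about the account or its unlock.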
Public Blockchain Weaknesses
The blockchain can be a double-edged sword in this regard. Because it is fully open to public scrutiny, the opportunity for large-scale data mining now exists. Consumer data is incredibly valuable, and companies are no doubt actively trying to find new ways to track users.
Many would then claim that this adds weight to the case for privacy coins such as Monero and Zcash. These coins do not allow identifiable user data onto the blockchain.
Yet, for those users who want to interact with dApps, Ethereum is still the only effective option. As with most attacks of this type, it relies on the user's complacency to authorise a bad transaction.
Hopefully, once Ethereum domain names start replacing traditional addresses, the opportunity for spoofing will be reduced, as users will be able to easily confirm that the recipient address is the intended one.