
Using an in-browser Ethereum Wallet? Other Websites Can Identify It

By Editorial Team

If you use an in-browser Ethereum wallet such as MetaMask or Parity, other websites may be able to identify you as an Ethereum user.

This is according to a detailed disclosure by Twitter user John Backus, who posted a full proof of concept (PoC) of how a website open in a separate browser tab can identify you.

The crux of the matter is that these browser wallets automatically inject web3 global objects into every page you visit. Any page can read those objects, and Parity's injected object even discloses your wallet address.

Even though the websites in question cannot send transactions on your behalf, it is unsettling that any site can identify you as an Ethereum user. Moreover, once a site has your address it can look up your balance on the public chain; would you want someone to know how much ETH you hold?

Detecting Wallet Unlocks

The researcher went on to demonstrate, through animated GIFs, how a website in a separate browser tab could add event listeners in its code and so detect the moment you unlock your wallet.

The other website can then obtain your public address and note that you have just unlocked your browser wallet. It is this knowledge that is particularly troubling.

Armed with this information, the attacker knows that you are probably about to send a transaction. As seen below, they can then spoof the MetaMask confirmation window with one of their own and fool the user into sending funds to the attacker.

There are other attack vectors too. The malicious site can inspect the injected web3 properties and see that the user is specifically a MetaMask user, and then just as easily insert its own lookalike MetaMask logo in the top right.
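To make the detection described above concrete, here is an added example (not code from the disclosure, nor from MetaMask or Parity) of what a third-party page can do with an injected wallet object: fingerprint which wallet is present and poll the accounts list until an address appears, which marks the unlock. It runs against a constructed fake `window`; the `isMetaMask` flag is one MetaMask really sets on its provider, while `isParity` and the polling function names are assumptions made for this example.

```javascript
// Added example, not code from the disclosure or from MetaMask/Parity: how a
// third-party page can fingerprint an injected wallet and poll for the moment
// it is unlocked. Runs against a constructed fake `window`, so it is offline.

// Fake window shaped like what a legacy browser wallet injected: a global
// `web3` whose `eth.accounts` is empty while locked and lists the user's
// address once unlocked. `isMetaMask` is a real flag MetaMask sets on its
// provider; `isParity` is assumed here purely to tell the two apart.
function makeFakeWindow({ wallet, address }) {
  const state = { unlocked: false };
  const provider = {};
  if (wallet === 'MetaMask') provider.isMetaMask = true;
  if (wallet === 'Parity') provider.isParity = true; // assumption for the example
  const win = {
    web3: {
      currentProvider: provider,
      eth: { get accounts() { return state.unlocked ? [address] : []; } },
    },
  };
  return { win, state };
}

// Step 1: what a page learns synchronously on load, with no user interaction.
function fingerprintWallet(win) {
  if (typeof win.web3 !== 'object' || win.web3 === null) {
    return { injected: false, wallet: null, accounts: [] };
  }
  const p = win.web3.currentProvider || {};
  const wallet = p.isMetaMask ? 'MetaMask' : p.isParity ? 'Parity' : 'unknown';
  const accts = win.web3.eth && Array.isArray(win.web3.eth.accounts)
    ? win.web3.eth.accounts.slice()
    : [];
  return { injected: true, wallet, accounts: accts };
}

// Step 2: the legacy web3 object fired no "unlocked" event, so a page polls
// `web3.eth.accounts` (a few hundred ms apart in practice) and reports every
// transition. Each call of the returned function is one poll.
function makeUnlockWatcher(win) {
  let last = null; // address seen on the previous poll, or null if locked
  return function poll() {
    const { accounts } = fingerprintWallet(win);
    const current = accounts.length ? accounts[0] : null;
    const prev = last;
    last = current;
    if (prev === current) return null;
    if (prev === null) return { event: 'unlocked', address: current };
    if (current === null) return { event: 'locked', address: prev };
    return { event: 'account-changed', from: prev, to: current };
  };
}

// Drive the watcher over a constructed timeline of locked/unlocked states and
// return the events a tracking page would have logged.
function simulateSession(wallet, address, unlockedPerTick) {
  const { win, state } = makeFakeWindow({ wallet, address });
  const poll = makeUnlockWatcher(win);
  const events = [];
  unlockedPerTick.forEach((unlocked, tick) => {
    state.unlocked = unlocked;
    const ev = poll();
    if (ev) events.push({ tick, ...ev });
  });
  return events;
}

// Constructed sample: a Parity user who unlocks on the third poll and locks again on the fifth.
const SAMPLE_ADDRESS = '0x1111111111111111111111111111111111111111';
console.log(fingerprintWallet({}));                        // plain browser: nothing injected
console.log(simulateSession('Parity', SAMPLE_ADDRESS, [false, false, true, true, false]));
```

In a real page the poll would be a `setInterval` over the actual `window.web3` (or, on current wallets, `window.ethereum` queried with `eth_accounts`). Nothing here asks the user for permission, which is exactly the problem the disclosure describes: the tracker learns the wallet type, the address, and the moment the user is about to transact.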

Of course, having funds stolen is only one aspect of it. Other websites can also track you specifically and target you with ads; they will already hold a profile of you, and an Ethereum address they can tie to that profile adds substantial data.

Potential Solutions

Although these demonstrations are disconcerting, the researcher noted that the MetaMask team has been openly discussing the dangers of the global web3 object and the ways in which it can be abused.

He also ran through a few solutions the MetaMask developers could implement to neutralise the risk, such as whitelisting the domains that are allowed to call MetaMask, as well as changes to the extension itself.

If you are concerned about the potential for tracking in the interim, consider disabling the MetaMask extension in Chrome whenever you are not using it. A disabled extension injects nothing into the page, so a site cannot tell that it is installed.

There are also UI improvements the developers could consider so that attackers cannot convincingly spoof the MetaMask notification window, such as stating in the notification which domain requested the transaction.
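The two mitigations above, domain whitelisting and a confirmation that names the requesting domain, are easy to sketch in code. The following is an added example written for this article, not MetaMask's own implementation: a provider that injects nothing for an origin the user has not approved, and a confirmation prompt that always shows the requesting origin, the exact amount and the recipient. The function names and the allowlist contents are hypothetical.

```javascript
// Added example of the two mitigations discussed above, written for this
// article rather than taken from MetaMask: (1) a provider that reveals nothing
// to an origin the user has not approved, and (2) a confirmation prompt that
// names the requesting origin so a spoofed window is harder to pass off.
// The function names and the allowlist contents are hypothetical.

// Origin-gated injection: an origin on the user's allowlist gets the usual
// `web3` object; any other origin gets nothing at all, so a tracking page
// cannot even tell that a wallet is installed, let alone read an address.
function makeGatedProvider({ address, approvedOrigins }) {
  const approved = new Set(approvedOrigins);
  let unlocked = false;
  return {
    unlock() { unlocked = true; },
    lock() { unlocked = false; },
    // Returns the globals to add to `window` for a page with the given origin.
    inject(origin) {
      if (!approved.has(origin)) return {};
      return {
        web3: {
          currentProvider: { isMetaMask: true },
          eth: { get accounts() { return unlocked ? [address] : []; } },
        },
      };
    },
  };
}

// Exact wei-to-ETH rendering with BigInt, so the prompt never shows a rounded
// amount that could hide the true size of a transfer.
function formatEth(weiString) {
  const wei = BigInt(weiString);
  const whole = wei / 10n ** 18n;
  const frac = (wei % 10n ** 18n).toString().padStart(18, '0').replace(/0+$/, '');
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// The confirmation a wallet should show: the origin that asked, the exact
// amount and the recipient. A page that sniffed the unlock and popped its
// own lookalike dialog cannot make the wallet's real prompt carry its name.
function confirmationText(origin, tx) {
  return [
    `Request from: ${origin}`,
    `Send ${formatEth(tx.valueWei)} ETH`,
    `To:   ${tx.to}`,
    `From: ${tx.from}`,
  ].join('\n');
}

// Constructed sample: one approved dApp origin and one tracker origin.
const USER = '0x2222222222222222222222222222222222222222';
const wallet = makeGatedProvider({ address: USER, approvedOrigins: ['https://dapp.example'] });
wallet.unlock();
console.log(Object.keys(wallet.inject('https://tracker.example')));   // tracker gets nothing
console.log(wallet.inject('https://dapp.example').web3.eth.accounts);  // approved origin sees the address
console.log(confirmationText('https://dapp.example', {
  from: USER,
  to: '0x3333333333333333333333333333333333333333',
  valueWei: '1500000000000000000',
}));
```

The gating is the part that addresses the disclosure directly: the fingerprinting and unlock polling in the earlier example only work because the object is injected unconditionally. Showing the origin in the prompt does not stop a page from drawing a fake window, but it gives the user something a fake window cannot reproduce from inside the page: the wallet's own statement of who is asking.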

Public Blockchain Weaknesses

The blockchain is a double-edged sword in this regard. Because it is fully open to public scrutiny, the opportunity for large-scale data mining exists: once a site can tie a browser session to an address, every transaction of that address is there to read. Consumer data is incredibly valuable, and companies are no doubt actively looking for new ways to track users.

Many would then claim that this adds weight to the case for privacy coins such as Monero and Zcash, which keep identifying user data off the blockchain (Monero by default, Zcash in its shielded transactions).

Yet for users who want to interact with dApps, Ethereum is still the only effective option. As with most attacks of this type, success relies on the user's complacency in authorising a bad transaction.

Hopefully, once Ethereum Name Service (ENS) names start replacing raw addresses, the opportunity for spoofing will be reduced, because users will be able to see at a glance that the recipient is the one intended. Note that a name is only as trustworthy as the window displaying it: a spoofed confirmation can show a fake name just as easily as a fake address, so the name must come from the wallet's own UI.
