The key to your seemingly secure cryptocurrency wallet is potentially not as well hidden as most think. As it turns out, there’s a vulnerability within your browser that may give threat actors unbridled access to your crypto investments. MetaMask and Phantom are both concerned.
The vulnerability was first spotted by Halborn, an organization dedicated to the safety of blockchain and cryptocurrency. Halborn discovered a flaw in how browsers save information in September of 2021 and subsequently reported it to wallet vendors like MetaMask and Phantom for further investigation.
Anyone who’s had any exposure to the world of cryptos will know that wallets don’t work with passwords like everything else. Instead, most require you to enter a key comprised of numerous words in a specific order. This essentially makes it impossible for threat actors to use the usual means of determining your password, as there isn’t a password to speak of. Instead, you have a phrase of random common nouns that means nothing to anyone except you.
The newly discovered vulnerability, tracked as CVE-2022-32969, is caused by how browsers handle the safekeeping of this randomly generated phrase. There’s a difference in the way browsers regard information entered into password fields – the box where you enter a standard password – and any other text field.
Unfortunately, the text fields used for the randomly generated key you use for your crypto wallets don’t count as password fields and therefore any text entered into them saves to the device’s disk drive as plain text. The reason why standard text fields are handled this way is so that your PC can recover information you’ve entered after a crash. That information shouldn’t include cryptocurrency wallet credentials, but unfortunately, it does.
According to Halborn, the issue is intensified when users check the ‘Show Secret Recovery Phrase’ checkbox while accessing their wallets. This check box specifically triggers local storage and is unfortunately incredibly commonly used due to crypto wallet phrases being long and difficult to memorize due to their randomly generated and illogical nature. Once this seed phrase is stored on your device’s disk drive, it doesn’t matter if you restart or reboot your system; the wallet key will remain on your device and accessible to threat actors.
In other news, there are numerous phishing pop-ups known to appear on big crypto websites. It seems the future may not rest safely with cryptocurrency until all of these vulnerabilities are sorted out.
