Even though Metamask is locked by default (meaning public addresses aren't exposed) it is trivial to listen for a wallet unlock. When you unlock your Metamask wallet, it unlocks it across all tabs. The attached gif is an example app that alerts when it detects a wallet unlock. pic.twitter.com/4eRozh9SBK
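The unlock listener described in that tweet, as an added example written for this page (not the author's demo app and not MetaMask code). It assumes the legacy behaviour the thread is about: a provider injected into every page whose account list goes from empty to non-empty the moment the user unlocks in any tab. The `getAccounts` callback and `mockWallet` are hypothetical stand-ins so the block runs offline; against a real 2018-era page the callback would wrap the injected `web3.eth.getAccounts`. MetaMask later moved to per-site account permissions (a page must call `eth_requestAccounts`), which is the "per domain" fix the thread asks for below.

```javascript
// Added example: detecting a wallet unlock by polling the injected provider.
// Not MetaMask code and not the author's app; mock names are hypothetical.

// Pure transition check: given the account list from the previous poll and
// the current one, return the address that just became visible, or null.
function unlockTransition(prevAccounts, accounts) {
  const wasLocked = !prevAccounts || prevAccounts.length === 0;
  const nowUnlocked = Array.isArray(accounts) && accounts.length > 0;
  return wasLocked && nowUnlocked ? accounts[0] : null;
}

// Poll loop. `getAccounts` is any function returning a Promise of the
// account list. On a legacy injected web3 it would be a promisified
// web3.eth.getAccounts; on a modern provider it would be
//   () => window.ethereum.request({ method: 'eth_accounts' })
// which returns [] until the site has been granted access, so the leak
// the thread describes no longer happens silently.
function watchForUnlock(getAccounts, onUnlock, intervalMs = 500) {
  let prev = [];
  const timer = setInterval(async () => {
    let accounts;
    try {
      accounts = await getAccounts();
    } catch (e) {
      return; // provider error: keep polling
    }
    const addr = unlockTransition(prev, accounts);
    prev = accounts;
    if (addr) {
      clearInterval(timer);
      onUnlock(addr); // the page now has the user's address, no click needed
    }
  }, intervalMs);
  return () => clearInterval(timer); // caller can stop the watcher
}

// Constructed mock wallet: locked (empty account list) for the first
// `lockedPolls` calls, then exposes one address, as happens when the user
// unlocks the extension in some other tab.
function mockWallet(lockedPolls, address) {
  let calls = 0;
  return async () => (++calls <= lockedPolls ? [] : [address]);
}

// Demo: resolves with the leaked address once the mock wallet "unlocks".
function demo() {
  const fakeAddress = '0x1111111111111111111111111111111111111111';
  return new Promise((resolve) => {
    watchForUnlock(mockWallet(3, fakeAddress), resolve, 1);
  });
}
```

The point of the pure `unlockTransition` function is that the attack needs nothing more than a state change from "no accounts" to "some account"; everything else is timing. A background tab running this loop learns the address at the same instant the foreground dApp does.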
Some UI improvements would also help the transaction spoofing example I gave. The browser should switch to the tab that created the transaction. The confirmation window should probably have a brightly colored banner that says "http://example.com created this transaction." pic.twitter.com/eYJ60CpZVN
Metamask and other browser wallets are in a tough position though with these transaction popups. If a legitimate dApp could put a custom message in the confirmation window then an attacker could mimic it.
I'd love to see the ability to use an ENS address as the recipient field in a transaction. For @BloomToken, users are currently interacting with one of two contracts. If our end users saw our ENS address for every transaction then they'd be less likely to fall for a spoof.
I also want to clarify that I'm not saying that people should never use these in-browser wallets. Security is especially tough and nuanced when you are a platform for handling money and user identity. Even harder when you are on the development side of early adoption.
In-browser wallets should be unlocked *per domain*. An advertiser shouldn't be able to log my ETH address in an unfocused tab just because I want to check on my crypto kitties.
I'd also love to see at least an opt-in setting that locks my wallet again after sending a transaction. If a dApp wants to send multiple transactions without unlocking between each, they can use `web3.createBatch`. Metamask handles this well already
An attack that sent ERC20 tokens would be effective. Unlike moving ETH (where Metamask would say how much ETH you are sending), a token transaction would just display the gas price AFAIK. More likely to trick people if they can't tell what is being sent.
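What a confirmation window would have to do to show more than the gas price for a token transfer, as an added example (not MetaMask's code and not from the thread): decode the `transfer(address,uint256)` call in the transaction's `data` field. An ERC20 transfer carries `value: 0`, so any UI that only renders `value` and gas displays "0 ETH" while the calldata moves an arbitrary token balance. The sample transaction below is constructed; the token contract address, recipient and amount are made up.

```javascript
// Added example: encoding and decoding an ERC20 transfer() call so a
// confirmation UI can show the real recipient and amount. Not wallet code.

// First 4 bytes of keccak256("transfer(address,uint256)").
const TRANSFER_SELECTOR = 'a9059cbb';

// ABI-encode a value as a 32-byte (64 hex char) left-padded word.
function abiWord(hexOrBigInt) {
  const hex = typeof hexOrBigInt === 'bigint'
    ? hexOrBigInt.toString(16)
    : hexOrBigInt.replace(/^0x/, '');
  return hex.padStart(64, '0').toLowerCase();
}

// Build the calldata a dApp (or a spoofing page) would put in tx.data.
function encodeErc20Transfer(to, amount) {
  return '0x' + TRANSFER_SELECTOR + abiWord(to) + abiWord(amount);
}

// Inverse: returns { to, amount } or null if data is not a plain transfer().
function decodeErc20Transfer(data) {
  const hex = (data || '').replace(/^0x/, '').toLowerCase();
  if (hex.length !== 8 + 64 + 64) return null;          // selector + 2 words
  if (hex.slice(0, 8) !== TRANSFER_SELECTOR) return null;
  const toWord = hex.slice(8, 72);
  const amountWord = hex.slice(72, 136);
  // Addresses are 20 bytes left-padded with 12 zero bytes; anything else
  // in the padding means this is not a well-formed address argument.
  if (!/^0{24}/.test(toWord)) return null;
  return { to: '0x' + toWord.slice(24), amount: BigInt('0x' + amountWord) };
}

// One-line summary for a confirmation banner. Amount is in raw token units:
// symbol and decimals live in the token contract and would need extra calls.
function describeTransaction(tx) {
  const transfer = decodeErc20Transfer(tx.data);
  if (transfer) {
    return `Transfer ${transfer.amount} token units of ${tx.to} to ${transfer.to}`;
  }
  return `Send ${BigInt(tx.value || '0x0')} wei to ${tx.to}`;
}

// Constructed sample: a transfer of 1e21 units (1000 tokens with 18
// decimals) to a hypothetical attacker address, sent to a hypothetical
// token contract. Note value is zero, so a naive UI shows "0 ETH".
const TOKEN_CONTRACT = '0x3333333333333333333333333333333333333333';
const ATTACKER = '0x2222222222222222222222222222222222222222';
const SAMPLE_TX = {
  to: TOKEN_CONTRACT,
  value: '0x0',
  data: encodeErc20Transfer(ATTACKER, 10n ** 21n),
};
```

The decoder only recognises the plain `transfer` selector; `approve`, `transferFrom` and arbitrary contract calls would need their own ABI entries, which is why wallets that want to display this end up shipping a selector database. Without it the honest summary of such a transaction is "call contract X with opaque data", and that is all the user has to go on.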
If you enjoyed this thread on in-browser wallet security, I started a separate thread about community security when running a token sale: https://twitter.com/backus/status/955241954320662528
I turned this thread into a full blog post and also included a few updates! Check out https://blog.hellobloom.io/using-an-in-browser-ethereum-wallet-heres-some-things-you-should-know-e01304b977e3
New conversation
Can’t metamask have a simple switch on the extension icon to toggle it on and off without needing to go to extensions panel?
They could, but this is just my recommendation until there is a better solution. I think being able to opt into a whitelist is something they could roll out in Q1 or early Q2 and would be a way better solution.
New conversation
I'm not a heavy metamask user, so maybe this wouldn't work for all - but I setup a separate chrome profile for it and have the extension enabled just for that profile. Then when I need to use metamask, I only open that profile temporarily.
Good idea, unfortunately @metamask_io requires unlocking the wallet upon re-enabling the extension.