Detecting an unlock from an unfocused tab is especially sketchy in my opinion. This means any app can detect when you are in the middle of *using* your Ethereum wallet.
Metamask and other browser wallets are in a tough position though with these transaction popups. If a legitimate dApp could put a custom message in the confirmation window then an attacker could mimic it.
What I'd love to see is the ability to use an ENS address as the recipient field in a transaction. For
@BloomToken, users are currently interacting with one of two contracts. If our end users saw our ENS address for every transaction then they'd be less likely to fall for a spoof.
I also want to clarify that I'm not saying that people should never use these in-browser wallets. Security is especially tough and nuanced when you are a platform for handling money and user identity. Even harder when you are on the development side of early adoption.
In-browser wallets should be unlocked *per domain*. An advertiser shouldn't be able to log my ETH address in an unfocused tab just because I want to check on my crypto kitties.
I'd also love to see at least an opt-in setting that locks my wallet again after sending a transaction. If a dApp wants to send multiple transactions without unlocking between each, they can use `web3.createBatch`. Metamask handles this well already.
An attack that sent ERC20 tokens would be effective. Unlike moving ETH (where Metamask would say how much ETH you are sending), a token transaction would just display the gas price AFAIK. More likely to trick people if they can't tell what is being sent.
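The tweet above describes the display gap: for a token transfer the wallet shows gas but not what is being moved. The following is an added example, not code from the thread or from any wallet project, showing the decoding a wallet UI would need in order to display recipient and amount for the standard ERC-20 `transfer(address,uint256)` call. The function selector `a9059cbb` is the standard one for that signature; the recipient address, token amount and decimals in the sample are constructed placeholders.

```javascript
// Added example (not from the thread): decode ERC-20 transfer(address,uint256)
// calldata so a confirmation dialog can show recipient and amount, not only gas.
const TRANSFER_SELECTOR = "a9059cbb"; // first 4 bytes of keccak256("transfer(address,uint256)")

// Render a raw integer token amount as a decimal string using the token's decimals.
function formatUnits(amount, decimals) {
  const base = 10n ** BigInt(decimals);
  const whole = amount / base;
  const frac = (amount % base)
    .toString()
    .padStart(decimals, "0")
    .replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// Returns { to, amount, display } for a well-formed transfer call, or null
// for anything else (wrong selector, wrong length, malformed address word).
// A null result is the signal for the UI to fall back to a "raw contract
// call" warning rather than silently showing only the gas price.
function decodeErc20Transfer(data, decimals = 18) {
  const hex = (data.startsWith("0x") ? data.slice(2) : data).toLowerCase();
  // selector (4 bytes) + address word (32 bytes) + amount word (32 bytes)
  if (hex.length !== 8 + 64 + 64) return null;
  if (!/^[0-9a-f]+$/.test(hex)) return null;
  if (hex.slice(0, 8) !== TRANSFER_SELECTOR) return null;

  const toWord = hex.slice(8, 72);
  const amountWord = hex.slice(72, 136);
  // An address is right-aligned in its 32-byte word; the 12 leading bytes must be zero.
  if (!/^0{24}/.test(toWord)) return null;

  const to = "0x" + toWord.slice(24);
  const amount = BigInt("0x" + amountWord);
  return { to, amount, display: formatUnits(amount, decimals) };
}

// Constructed sample: transfer 1.5 tokens (18 decimals) to a placeholder address.
const SAMPLE_RECIPIENT = "1111111111111111111111111111111111111111"; // placeholder, not a real account
const SAMPLE_AMOUNT = 1500000000000000000n; // 1.5 * 10^18
const SAMPLE_DATA =
  "0x" +
  TRANSFER_SELECTOR +
  SAMPLE_RECIPIENT.padStart(64, "0") +
  SAMPLE_AMOUNT.toString(16).padStart(64, "0");

// Constructed sample of a call that is not a transfer: same length, different selector.
const SAMPLE_OTHER_CALL = "0x" + "deadbeef" + "0".repeat(128);

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeErc20Transfer(SAMPLE_DATA));   // { to: '0x1111…', amount: 1500000000000000000n, display: '1.5' }
  console.log(decodeErc20Transfer(SAMPLE_OTHER_CALL)); // null
}
```

The decoder deliberately rejects anything that is not exactly a `transfer` call instead of guessing, so the UI can distinguish "1.5 tokens to 0x1111…" from an opaque contract interaction it cannot describe.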
If you enjoyed this thread on in-browser wallet security, I started a separate thread about community security when running a token sale: https://twitter.com/backus/status/955241954320662528
I turned this thread into a full blog post and also included a few updates! Check out https://blog.hellobloom.io/using-an-in-browser-ethereum-wallet-heres-some-things-you-should-know-e01304b977e3
New conversation
Surprised to realize we don't! That was in our first UI, I guess we didn't add it back yet… (adding ticket)