If you are using an in-browser Ethereum wallet (e.g. Metamask, Brave, Parity) then any website can detect if you are an Ethereum user. I wouldn't be surprised if some advertisers are already collecting this information.
Metamask and Parity inject a global web3 object into the page. For example, the attached screenshots show Metamask and Parity both injecting web3 into the page I'm tweeting from. Parity even exposes the current account address by default. pic.twitter.com/NL9ZCtw3bM
These websites can't send transactions on your behalf of course (not without popping up a confirmation window) but do you really want any website owner or advertiser to know that you hold crypto? Do you want them to know how much ETH you own?
Even though Metamask is locked by default (meaning public addresses aren't exposed) it is trivial to listen for a wallet unlock. When you unlock your Metamask wallet, it unlocks it across all tabs. Attached gif is an example app that alerts when it detects a wallet unlock. pic.twitter.com/4eRozh9SBK
Detecting an unlock from an unfocused tab is especially sketchy in my opinion. This means any app can detect when you are in the middle of *using* your Ethereum wallet.
If the user just unlocked their wallet for another tab then they are probably about to send a transaction. The attacker can detect the unlock, wait 30 seconds, then pop up their own transaction. Attached gif is an example attack when the user is in the middle of using an exchange. pic.twitter.com/1FljviXydN
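The thread above describes two leaks from a wallet that injects state into every page unconditionally: the presence and address of the wallet, and the moment it is unlocked in another tab. The block below is an added example, not code from the thread or from any wallet project, that models the mitigation a wallet can apply: the page-facing provider reveals accounts and unlock changes only to an origin the user has explicitly approved, so an unapproved site sees the same thing whether the wallet is locked, unlocked, or absent. All names (createWalletState, createGatedProvider, requestAccounts, simulateUnlock) and the sample account are constructed for this illustration.

```javascript
'use strict';

// Constructed stand-in for the wallet's internal state. In a real extension
// this lives in the background context and is never reachable from the page.
function createWalletState(accounts) {
  return {
    unlocked: false,
    accounts: accounts.slice(),
    approvals: new Map(), // origin -> true once the user approved that site
  };
}

// Build the object that would be injected into a page served from `origin`.
// `askUser(origin)` models the confirmation prompt and returns true or false.
function createGatedProvider(wallet, origin, askUser) {
  const listeners = new Set();

  const provider = {
    origin,
    // Accounts are returned only if this origin is approved and the wallet is
    // unlocked. Otherwise the result is an empty list, so "locked",
    // "unapproved" and "no wallet" are indistinguishable to the page.
    getAccounts() {
      if (!wallet.unlocked || !wallet.approvals.get(origin)) return [];
      return wallet.accounts.slice();
    },
    // Explicit opt-in: the site must ask, and the user decides per origin.
    // A rejection throws rather than silently returning nothing.
    requestAccounts() {
      if (!wallet.approvals.get(origin)) {
        if (!askUser(origin)) throw new Error('User rejected account access');
        wallet.approvals.set(origin, true);
      }
      return provider.getAccounts();
    },
    onAccountsChanged(fn) {
      listeners.add(fn);
    },
    // Called by the wallet when its lock state changes. Only approved origins
    // are notified; an unapproved tab receives no event at all.
    notifyLockChange() {
      if (!wallet.approvals.get(origin)) return;
      for (const fn of listeners) fn(provider.getAccounts());
    },
  };
  return provider;
}

// Model the cross-tab unlock from the thread: one unlock, every injected
// provider is told, but only approved origins actually observe it.
function simulateUnlock(wallet, providers) {
  wallet.unlocked = true;
  for (const p of providers) p.notifyLockChange();
}

// Stand-alone demonstration with a constructed account.
function demo() {
  const wallet = createWalletState(['0x000000000000000000000000000000000000dEaD']);
  const exchange = createGatedProvider(wallet, 'https://exchange.example', () => true);
  const adNetwork = createGatedProvider(wallet, 'https://ads.example', () => false);

  let exchangeEvents = 0;
  let adEvents = 0;
  exchange.onAccountsChanged(() => { exchangeEvents += 1; });
  adNetwork.onAccountsChanged(() => { adEvents += 1; });

  const granted = exchange.requestAccounts(); // user approves; wallet still locked
  let denied = false;
  try {
    adNetwork.requestAccounts();
  } catch (e) {
    denied = true;
  }

  simulateUnlock(wallet, [exchange, adNetwork]);

  return {
    grantedBeforeUnlock: granted,          // [] : approved but locked
    afterUnlock: exchange.getAccounts(),   // the account, once unlocked
    adSees: adNetwork.getAccounts(),       // [] : never approved
    denied,                                // true
    exchangeEvents,                        // 1 : approved origin saw the unlock
    adEvents,                              // 0 : unapproved origin saw nothing
  };
}
```

The key design point is that `getAccounts()` and the unlock notification both check the per-origin approval first, so a site that never called `requestAccounts()` cannot use either path to learn that a wallet exists or that the user just unlocked it elsewhere.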
Replying to @backus
Can the attacker trigger the send button after opening the window?