If the user just unlocked their wallet for another tab then they are probably about to send a transaction. The attacker can detect the unlock, wait 30 seconds, then pop up their own transaction. Attached gif is an example attack when the user is in the middle of using an exchangepic.twitter.com/1FljviXydN
-
Show this thread
-
A lot of other small attack opportunities IMO that exist as long as web3 is injected into every page. You can tell if someone is specifically a Metamask user by checking `web3.currentProvider.isMetamask`. Why not pop up your own Metamask lookalike in the top right?pic.twitter.com/gw8drsiE3k
1 reply 8 retweets 48 likesShow this thread -
Regardless of whether the wallet is currently locked, you can use the current network id on web3 to see if the user was last using the testnet or mainnet. If they're on anything besides mainnet, they are probably a developer and likely have higher than average crypto holdings.
1 reply 6 retweets 30 likesShow this thread -
To give Metamask credit, they do have several issues on Github open discussing issues around globally available web3 instance: - https://github.com/MetaMask/metamask-extension/issues/799 … - https://github.com/MetaMask/metamask-extension/issues/12 … - https://github.com/MetaMask/metamask-extension/issues/537 … -https://github.com/MetaMask/metamask-extension/issues/714 …
1 reply 5 retweets 40 likesShow this thread -
In my opinion, the best immediate stopgap these extensions should add is something similar to other browser permissions like how we grant access to location information. I think the Metamask team is looking into doing this long term: https://github.com/MetaMask/metamask-extension/issues/813 …pic.twitter.com/AM6KUpIIoP
1 reply 8 retweets 36 likesShow this thread -
Potential short term solution: 1. Hardcode that only http://metamask.io/whitelist can call invoke some whitelist functionality in extension 2. dApps opens popup for http://metamask.io/whitelist?url=example.com … 3. Extension asks if you want to give http://example.com access to your wallet
1 reply 7 retweets 42 likesShow this thread -
Restricting this functionality to their domain means that nothing has to be injected into every page. Popup means any page can really easily initiate the whitelist process without having to write browser vendor specific extension interactions.
1 reply 4 retweets 20 likesShow this thread -
Short term solution would then be to add whitelisting as an opt-in feature (so you don't break existing integrations and make people regret writing their app to depend on Metamask). Security conscious users can opt-in right away and app developers can plan for deprecation.
1 reply 3 retweets 20 likesShow this thread -
In the meantime, I'd recommend users disable Metamask by default in their browser and then enable it when they want to use it. Unlike unlocking a wallet, I wasn't able to detect (from an already open and unfocused tab) when a disabled extension was enabled.pic.twitter.com/Tn3GCVeMuH
4 replies 12 retweets 44 likesShow this thread -
Replying to @backus
Can’t metamask have a simple switch on the extension icon to toggle it on and off without needing to go to extensions panel?
1 reply 0 retweets 0 likes
They could, but this is just my recommendation until there is a better solution. I think being able to opt into a whitelist is something they could roll out in Q1 or early Q2 and would be a way better solution.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.