My team and I discovered a critical privacy #vulnerability in the most popular #crypto #wallet.
Are you using MetaMask ?
Well, I have bad news for you - your #privacy is at risk!
Conversation
Are you saying, that by default, MetaMask is using `image_original_url` key from the OS response instead of OS image proxy?
5
8
Also, and I'm not assuming bad faith, but did you not respect MM timeline because you just launched a token and wanting to create a lot of noise?
I understand fully the privacy concerns, but MM did tell you they are actively working on it and gave you a timeline
2
12
What timeline ? 6+ months to fix an issue that can be solved with an explicit user prompt ? I can fix that that within one day.
Also have a look at industry best practices for vulnerability disclosure, you won't find anything near that timeline.
1
8
6 months seems assumed here, unless you didn't give the full information in your writeup. From Dec2021 to Q2 2022, it is 5 months (including December). From quick research, it's not unhead of to be more than 90 days, for example ZDI has a 120 day policy
zerodayinitiative.com/advisories/dis
2
1
Yeah, I think this issue has been widely known for a long time, so I don't think a disclosure period applies. Alex is right to call us out for not addressing it sooner. Starting work on it now. Thanks for the kick in the pants, and sorry we needed it.
Quote Tweet
Great reason for NFT viewers to not render centralized metadata by default (http tokenURI links). Only render content-addressable storage links like IPFS, or on-chain base64 embeds. Also creates a valuable forcing function for NFT creators to Do It Properly™. twitter.com/kurtybot/statu…
We're currently also taking some time to improve our team organization to ensure we maintain more ongoing effort to security related issues. We have lots of ways we want to improve user safety and privacy, and we need to be able to improve much more, much faster.
1
15
So Dan, what would the proper approach be here? Only render ipfs links? Or ask the user for each and every url link and keep a list of approved urls client side?
1
5
Show replies
This has been addressed, by the way. MetaMask no longer auto detects NFTs. I understand this tweet is being circulated by some people as proof of an outstanding issue. It is not.
1
Why wasn't it addressed sooner? Are there other vulnerabilities that you're sitting on and not doing anything about?