Fire Crypto Wallet Browser Extension Basic Privacy Analysis

fire crypto wallet extension privacy review

First, lets take a look at the privacy tab provided by Chrome


Quite a bit of user activity is collected, and is only sold to ‘approved third parties’.

When we install the extension, chrome is immediately sent to in a new tab.


This generates quite a bit of traffic, specifically to


On the right side of the above image are timestamps – about 18 requests/second being sent from your browser to

The HTTP verbs POST and OPTIONS are used to maintain contact with this server. This amount of requests in quick succession will lead to the following.

rate limit

Our browser eventually receives the HTTP response code 429 Too Many Requests.

twitter ads

Here we are served up Twitter ads from The highlighted ‘Referer‘ header shows that this request for Twitter’s javascript was generated as a result of the forced visiting of by the extension.


Above, the ‘Referer‘ header is not from the NFT mint page, but Fire’s normal front-end subdomain. It loads javascript from in your browser.

Below is a request to


Notice I omitted the response from the server? That is because the following fields with corresponding values are returned by the server: ‘country_code‘, ‘country_name‘, ‘city‘, ‘postal‘, ‘latitude‘, ‘longitude‘, ‘ipv4‘, ‘state‘.

The provided latitude and longitude as displayed by Google Earth placed me 2.2 miles from my house

As you might imagine, I am not quite a fan of this. Y’all should know by now to check the Referer header, Fire’s NFT mint subdomain at work.

And even though returns your ip address, that’s not enough:


This request to simply returns your ip address. Here we see the ‘Referer‘ is from the ‘app’ subdomain. Remember that I never add funds to these test wallets, so unfortunately we will not see a TX in action.

insufficient funds

Trying to mint the NFT results in this page, showing we have insufficient funds. Below is the HTTP traffic of this action.

insufficient funds request

Here is a small glimpse into the actual functionality of the extension. This HTTP/2 POST request is sent to The POST body, displayed under the request headers, are sent to ‘/simulator/transaction‘. As stated by Fire’s website, “Introducing Fire – an extension that simulates transactions, showing you exactly what will go in and out of your wallet before you sign the contract. All under your control with your current wallet.”

This below request to www.4byte.dictionary is odd as it lacks a Referer header. I have no reason to believe that MetaMask created this request.


Search results describe the website as an ‘Ethereum Signature Database’. The request includes the HTTP Get parameter ‘hex_signature=‘ with a 4 byte value represented in hex, sent to the endpoint ‘/api/v1/signatures/‘. The value of  ‘text_signature‘ in the response section being ‘mint()‘ leads me to believe that this request was generated by Fire.

And of course, the obligatory requests to


The highlighted text shows the actions we take being tracked and sent to Fire’s sentry ingest,

Related Articles