Metamask Wallet Browser Extension Basic Security Analysis

This post was written by /u/RoofTopPortaPotty in the ETHFinance Subreddit and then I reposted it here with permission this time.
This is the third installment of my series of posts regarding the privacy of various Chrome browser crypto wallet extensions. The post that inspired this series can be found here on Reddit, where we looked at Ledger Live. I’m happy to report that after blocking the listed domains as described in that post, I am still able to use my Ledger device to send and receive as normal.
Metamask Browser Extension
The first official post of this series focused on Rabby. In the second entry we looked at Tally Ho. Ok, here's the deal. Analyzing Frame is on my plate, but it is a bit of a different beast, being a desktop application that connects to the browser extension. I have always been a Firefox and Metamask user, and wanted to know more about how it works.
I followed the same steps as before to download and analyze the extension, which can be found at the official Chrome extension site.

When installed, MetaMask immediately contacts Ankr’s API, obtaining chain information very similarly to Tally Ho.

Again, a request to the Avalanche network that is almost identical to the one sent by Tally Ho.
MetaMask grabs a few phishing domain lists.

min-api.cryptocompare.com is used as a price feed for ETH.

This domain must handle a ton of requests.

Above is the first request to YouTube generated by MetaMask. It loads ‘What is MetaMask?’ as an intro to MetaMask video.
MetaMask silently loads every piece of JavaScript YouTube has to offer, so we again meet our friend DoubleClick.

There are quite a few requests to DoubleClick. In fairness to MetaMask, I could not find anything that leads me to believe that they are using it to track you. This is YouTube's tracking at work. Though, for context as to why I still find this so offensive, I must link my personal cybersecurity blog post pertaining to JavaScript. If you wish to see some examples of what offensive and defensive security look like, check out my other posts there. Still all very basic stuff.
Now let's take a look at some of the requests to Sentry.

This is the first request; it doesn't look like user activity tracking to me. Though, they do collect your browser User-Agent. Not a huge deal, but consider what /u/0xDepositContract has to say.

We see a similar request to Sentry soon after, with the sid and time values having changed. Also notice the response is 429 Too Many Requests. And below you can see what is sent to Sentry when you unexpectedly close your browser.

Now beginning the process of creating a new seed phrase, I chose to allow telemetry. I believe that everything should be secure by default, and want to see the worst case scenario. We immediately see the below request.

Now this is user activity tracking.
Not with Sentry, but Segment! MetaMask is reporting that the extension is successfully installed. Also notice the highlighted ‘userId’ field and value. Next up we see the request having to do with ‘Metrics Opt In’.

What's up with the null ‘anonymousId’? Odd, considering below you can see we're back to the original ‘userId’.

This request notifies Segment that I’m on the page asking if I want to import or create a seed.

Here is confirmation that I created a wallet password.
Now what happens when we connect MetaMask to staking.synthetix.io?

Of course it tracks the dapps you use. Alright, you get the picture. There are a few more requests like this, and it clearly very closely tracks how you use the wallet. But Mr. PortaPotty, who in their right mind enables telemetry? Well, let's take a look under the hood without telemetry.
The traffic to Sentry still exists and seems the same, but it at least doesn't track more than your browser's User-Agent. Much more importantly, there is not a request to Segment in sight! I have confirmed that blocking sentry.io using the method described in my Ledger Live post still allows MetaMask to transact correctly.
/u/Tricky_Troll also asked some great questions, which I will attempt to answer here. It's important to remember that when you install MetaMask in Chrome you give it the following permissions:
- Read and change all your data on all websites
- Display notifications
- Modify data you copy and paste
MetaMask has the ability to read all of your cookies, but what it does with that info is what really matters. As shown, I can't find any reason to think that they are misusing it. MetaMask, being an extension, is in a very privileged position security-wise. Any remotely secure browser would not allow website A to read your cookies set by website B.
However, I would love to now go into how Google bypasses this to track you.
Note, the following has nothing to do with MetaMask.

See the ‘X-Client-Data’ header in this request to YouTube? This is a custom HTTP header created by Google, for use across their entire infrastructure. If you read the DoubleClick wiki page, you may recall that they were acquired by Google.

And here we see youtube.com telling Chrome to send a request to DoubleClick with that tracking header, as can be verified by checking the ‘Referer’ header. While using Firefox does not make you immune to Google's tracking, it sure as hell beats serving up all of your data on a silver platter.
Stay safe, folks!
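The post above works through a capture by hand: sort each request into "the wallet needs this" versus "telemetry", look for a persistent ‘userId’ in Segment bodies, and spot the ‘X-Client-Data’ header riding from youtube.com over to DoubleClick via the ‘Referer’. The script below is an added example of doing that triage over a HAR-style capture; it is not code from the post, from MetaMask, or from any tool the post used. The domain-to-category table, the hosts-file output format, the two-label approximation of a "site", and the sample requests are all my assumptions, constructed to resemble the requests the post describes rather than copied from a real capture.

```python
"""Triage a HAR-style capture of a wallet extension's network traffic.

Added example (not the post's or MetaMask's code). Each request is a dict with
'url', 'headers' (list of {'name','value'}) and optional 'postData' {'text'},
the same shape as the HAR 1.2 'request' object (assumption).
"""
import json
from urllib.parse import urlsplit

# Domain -> label. The hosts come from the post; the labels are mine (assumption).
TELEMETRY_DOMAINS = {
    "sentry.io": "error-reporting",
    "segment.io": "analytics",
    "doubleclick.net": "advertising",
    "youtube.com": "embedded-media",
}
# X-Client-Data is the Chrome-only header the post describes. User-Agent rides on
# every browser request, so it is reported but not used as a discriminator.
FLAGGED_HEADERS = ("x-client-data",)
# Body keys Segment uses to tie an event to a person.
IDENTITY_KEYS = ("userId", "anonymousId")


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def site_of(host):
    """Approximate the registrable domain with the last two labels.
    Simplification (assumption): fine for .com/.io/.net, wrong for co.uk-style suffixes."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def category_of(host):
    for domain, label in TELEMETRY_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return "functional"  # unlisted: treat as something the wallet needs


def headers_of(request):
    return {h["name"].lower(): h["value"] for h in request.get("headers", [])}


def identity_fields(request):
    """Identity keys present and non-null in a JSON POST body (the Segment case)."""
    text = request.get("postData", {}).get("text")
    if not text:
        return []
    try:
        body = json.loads(text)
    except ValueError:
        return []
    return [k for k in IDENTITY_KEYS if body.get(k) is not None]


def classify(request):
    host = host_of(request["url"])
    hdrs = headers_of(request)
    referer_host = host_of(hdrs.get("referer", ""))
    cross_site = bool(referer_host) and site_of(referer_host) != site_of(host)
    return {
        "host": host,
        "category": category_of(host),
        "user_agent": hdrs.get("user-agent"),
        "flagged_headers": [h for h in FLAGGED_HEADERS if h in hdrs],
        "identity_fields": identity_fields(request),
        # X-Client-Data sent to a different site than the referring page:
        # the youtube.com -> DoubleClick pattern from the post.
        "cross_site_client_data": cross_site and "x-client-data" in hdrs,
    }


def summarize(requests):
    """Group classified requests by category."""
    grouped = {}
    for r in requests:
        c = classify(r)
        grouped.setdefault(c["category"], []).append(c)
    return grouped


def hosts_file_lines(requests, block=("error-reporting", "analytics", "advertising")):
    """Hosts-file sinkhole lines for the chosen categories. Hosts-file blocking is
    one common method (assumption: the post does not say which method it used)."""
    hosts = {host_of(r["url"]) for r in requests if category_of(host_of(r["url"])) in block}
    return [f"0.0.0.0 {h}" for h in sorted(hosts)]


# Constructed sample capture modelled on the requests described in the post.
UA = {"name": "User-Agent", "value": "Mozilla/5.0 (example)"}
SAMPLE_REQUESTS = [
    {"url": "https://rpc.ankr.com/multichain", "headers": [UA]},
    {"url": "https://min-api.cryptocompare.com/data/price?fsym=ETH&tsyms=USD", "headers": [UA]},
    {"url": "https://o0.ingest.sentry.io/api/0/envelope/", "headers": [UA]},
    {"url": "https://api.segment.io/v1/track", "headers": [UA],
     "postData": {"text": json.dumps({"event": "Metrics Opt In", "userId": "abc", "anonymousId": None})}},
    {"url": "https://www.youtube.com/embed/intro", "headers": [UA, {"name": "X-Client-Data", "value": "Q0lJ"}]},
    {"url": "https://stats.g.doubleclick.net/j/collect",
     "headers": [UA, {"name": "X-Client-Data", "value": "Q0lJ"}, {"name": "Referer", "value": "https://www.youtube.com/"}]},
]

if __name__ == "__main__":
    for category, items in summarize(SAMPLE_REQUESTS).items():
        print(category, [(i["host"], i["identity_fields"], i["cross_site_client_data"]) for i in items])
    print("\n".join(hosts_file_lines(SAMPLE_REQUESTS)))
```

Two design choices matter here. The cross-site check keys on the ‘Referer’ rather than on the destination alone, because a request to DoubleClick from a DoubleClick page is not the pattern the post objects to; it is Chrome carrying the identifying header from one site into another. And ‘embedded-media’ (YouTube) is deliberately left out of the default blocklist, since the post says the video is loaded as an intro and does not test whether blocking it breaks the extension.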