Ethereum Wallet MetaMask, Solana's Phantom Patch 'Demonic' Security Bug

Solana walletwallet Phantom announced Wednesday that it’s rolling out a new update next week to further strengthen its security after it patched a “demonic vulnerability” discovered by blockchainblockchain cybersecurity firm Halborn in May of last year.

The vulnerability affected MetaMask, Phantom, Brave, and XDefi browser extension wallets. When any of these wallets were imported using a seed phrase, secret recovery phrases “may have been stored on-disk unencrypted.”

This means that anyone using a borrowed computer or any unencrypted computer may be at risk of losing the assets in their wallet if an attacker is able to access their hard drive.

EthereumEthereum wallet MetaMask quietly patched this vulnerability back in March with version 10.11.3, which modifies the recovery phrase input process into “one-field-per-word.”

In a blog post Wednesday, MetaMask said mobile app users are not affected by the exploit.

Phantom said it learned about the vulnerability in September 2021. It began making fixes in January 2022, but fully patched the vulnerability in April of this year. 

Phantom added that it would be rolling out another substantial security patch next week.

Halborn reported Wednesday that Brave and XDefi have also since patched the vulnerability.

MetaMask said it awarded Halborn with $50,000 for discovering the security exploit, and reassured users that the exploit only affects “a small segment of users.” 

It also said that anyone with a fully-encrypted hard drive would be immune to the vulnerability.

“Users who use full disk encryption are totally immune to the approach reported, and we recommend it for all users just to be extra safe,” MetaMask wrote on Twitter.

Ethereum Wallet MetaMask Passes 30M Users, Plans DAO and Token

Crypto software giant ConsenSys announced on Tuesday that its popular wallet MetaMask, which people use to store Ethereum and other cryptocurrencies with Web3 applications, now has over 30 million monthly active users. That figure reflects a 42% increase in the last four months, when MetaMask reported 21 million users, and comes as it is positioning itself to be a key player in the emerging Web3 economy. "A global user base relies on MetaMask to mint and collect NFTs, join DAOs, and participate...

Since the exploit was discovered, Phantom shared that it has hired the Halborn employee who discovered the vulnerability, Oussama Amri, as a security engineer.

“Substantial parts of our codebase have changed,” Phantom said, adding that it would make parts of its code open source in the near future.

MetaMask advised anyone who might have been using an older version of its browser extension with an unencrypted hard drive—who imported their secret recovery phrase on a potentially compromised device and selected the “Show Secret Recovery Phrase” checkbox—should consider migrating to a new wallet.