MetaMask, Phantom Fix “Demonic” Vulnerability in Browser Wallets
A critical vulnerability in some of the most popular browser extension crypto wallets allowed attackers to access users’ secret recovery phrases via remote or physical access.
- MetaMask and Phantom have patched a critical vulnerability in their browser extension wallets.
- Code-named "Demonic," the vulnerability exposed users' secret recovery phrases by recording them as unencrypted plain text on users' drives.
- While wallet providers have fixed the threat, some users may still be vulnerable unless they migrate their funds to new wallets using the latest wallet software versions.
Some of the most popular browser extension crypto wallets have been suffering from a critical vulnerability that left users’ secret recovery phrases open to theft, a new report has revealed.
Crypto Wallets Patch Critical Vulnerability
Several browser wallet providers have successfully patched a long-standing vulnerability.
According to a Wednesday report from the cybersecurity firm Halborn, some of the most popular cryptocurrency wallets, including MetaMask, Phantom, Brave, and XDEFI, had been suffering from a critical vulnerability in their browser extension software. Under certain conditions, the vulnerability, code-named “Demonic,” exposed users’ secret recovery phrases, giving potential attackers access to billions of dollars in cryptocurrencies held in browser extension wallets globally.
In the report, Halborn explained that the issue, which it classed as an insecure-permissions vulnerability, stemmed from the browsers’ “Restore Session” feature. To let a closed or crashed tab be restored, the browser writes the current contents of every form input that is not a password field to the user’s drive as unencrypted plain text. Because the wallets accepted the secret recovery phrase (the so-called mnemonic or seed phrase) through ordinary text inputs, the phrase was written to disk in the clear. Anyone who could read that file, whether through physical access to an unencrypted drive or through malware already on the machine, could recover the phrase. This put every user who had imported a browser extension wallet using a secret recovery phrase at risk of having their private keys and cryptocurrency funds stolen.
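To make the mechanism concrete, here is an added example (not code from Halborn, MetaMask, Phantom, Brave or XDEFI). It renders a 12-word import form in the shape the affected wallets shipped (plain text inputs) and in a hardened shape (type="password", which session restore skips), parses the inputs back, and reports which values a session-restore snapshot would persist. The browser rule it models is the one the report describes, that everything except password inputs is saved; the form markup, the attribute parser and the snapshot simulation are this example’s own simplifications, and the sample phrase is the standard BIP-39 test mnemonic, not a funded wallet.

```javascript
// Added example; not code from MetaMask, Phantom, Brave, XDEFI or Halborn.
// Models the behaviour the Halborn report describes: a browser's "Restore
// Session" feature snapshots the current value of every form input that is
// NOT type="password" to disk, so a recovery phrase typed into plain text
// inputs ends up on disk in the clear.

const WORD_COUNT = 12;

// Constructed sample: the well-known BIP-39 test vector, not a real wallet.
const SAMPLE_PHRASE =
  "abandon abandon abandon abandon abandon abandon " +
  "abandon abandon abandon abandon abandon about";

// Renders one input per word. hardened=false is the shape the affected
// wallets shipped (plain text inputs); hardened=true uses type="password",
// which session restore skips. autocomplete/autocorrect/spellcheck are
// switched off in both so the phrase is not offered to other persistence
// paths either (assumption: the browser honours these attributes).
function renderImportForm({ hardened }) {
  const type = hardened ? "password" : "text";
  const rows = [];
  for (let i = 1; i <= WORD_COUNT; i++) {
    rows.push(
      `<input name="word-${i}" type="${type}" autocomplete="off" ` +
        `autocorrect="off" spellcheck="false">`
    );
  }
  return `<form id="import-wallet">\n${rows.join("\n")}\n</form>`;
}

// Minimal <input> attribute parser for the HTML this file produces
// (assumes double-quoted attribute values; not a general HTML parser).
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w-]+)="([^"]*)"/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    inputs.push(attrs);
  }
  return inputs;
}

// Audit: names of inputs whose values a session-restore snapshot would keep.
// An <input> with no type attribute defaults to "text", so it counts.
function sessionRestoreExposedInputs(html) {
  return parseInputs(html)
    .filter((i) => (i.type || "text").toLowerCase() !== "password")
    .map((i) => i.name);
}

// Splits the phrase into the per-word values a user would type.
function typedValues(phrase) {
  const values = {};
  phrase.trim().split(/\s+/).forEach((w, idx) => {
    values[`word-${idx + 1}`] = w;
  });
  return values;
}

// Simulated snapshot: what the browser would write to its session file
// for this form given the values currently sitting in it.
function simulateSessionRestoreSnapshot(html, values) {
  const exposed = new Set(sessionRestoreExposedInputs(html));
  const snapshot = {};
  for (const [name, value] of Object.entries(values)) {
    if (exposed.has(name) && value !== "") snapshot[name] = value;
  }
  return snapshot;
}

// Stand-alone demo.
const demoTyped = typedValues(SAMPLE_PHRASE);
const demoLeaked = simulateSessionRestoreSnapshot(renderImportForm({ hardened: false }), demoTyped);
const demoKept = simulateSessionRestoreSnapshot(renderImportForm({ hardened: true }), demoTyped);
console.log("vulnerable form, words on disk:", Object.keys(demoLeaked).length); // 12
console.log("hardened form, words on disk:", Object.keys(demoKept).length); // 0
```

The same audit function can be pointed at an extension’s own UI markup to find any input that accepts secret material but is not a password field. Note that switching the input type is a front-end fix only: it stops new snapshots from containing the phrase but does nothing about session files that were already written, which is why the wallets’ advice to move funds to a freshly created wallet matters for anyone who imported a phrase before the fix.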
In a Wednesday blog post, the Solana wallet Phantom noted that Halborn had alerted it to the Demonic vulnerability last September and that it had begun rolling out fixes in January. Phantom confirmed that by April all users were protected from the vulnerability, and stated its intent to introduce an even more exhaustive patch next week. MetaMask, for its part, said it had patched the vulnerability in versions 10.11.3 and later. However, some users who imported their wallet into an older version using their secret recovery phrase may still be at risk, since the phrase may already have been written to disk; this applies especially to those using unencrypted hard drives or potentially compromised computers.
As a precautionary measure, MetaMask recommended that users install the newest version of its browser extension wallet and migrate funds to new wallets, since updating the extension does not remove a recovery phrase that has already been saved to disk. So far, no exploits connected with the Demonic vulnerability have been reported.
Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.