MetaMask announced on Wednesday that it had discovered a serious security flaw in earlier versions of its cryptocurrency wallet. A $50,000 reward was given to the security company for the find.
For users of MetaMask extension versions prior to 10.11.3, the potential vulnerability required three conditions to be met:
- an unencrypted hard drive;
- importing a secret recovery phrase into a MetaMask extension on a compromised or stolen device;
- using the “Show Secret Recovery Phrase” checkbox to view one’s secret recovery phrase on-screen during the import process.
A set of very specific circumstances would have led to an exploit on older versions of MetaMask. https://t.co/r7DUzDSc71
— Cointelegraph (@Cointelegraph) June 15, 2022
The vulnerability reportedly affects all MetaMask wallet browser versions prior to the 10.11.3 upgrade. The mobile versions are not affected.
Affected customers are being advised by MetaMask to move their money out of their compromised wallets.