- Assurance
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  AI Red Teaming
  Testing AI systems against real threats
  AI Red Teaming
  Testing AI systems against real threats
  AI Security Assessment
  Securing AI models, data, and pipelines
  AI Security Assessment
  Securing AI models, data, and pipelines
- Advisory
  AI Advisory
  Guiding secure, strategic AI adoption forward
  AI Advisory
  Guiding secure, strategic AI adoption forward
  Risk Assessment
  From unknown threats to actionable insights
  Risk Assessment
  From unknown threats to actionable insights
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Compliance Readiness
  Stay ready as regulations evolve
  Compliance Readiness
  Stay ready as regulations evolve
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Technical Due Diligence
  See the risks before you invest
  Technical Due Diligence
  See the risks before you invest
  Technical Training
  Empower your teams to secure what matters
  Technical Training
  Empower your teams to secure what matters

// resources ⟶ disclosures

Halborn MetaMask “Demonic” Vulnerability Discovery

Introduction

The Demonic Vulnerability (CVE-2022-32969) was discovered by Halborn and we have worked with MetaMask, Phantom, Brave, xDefi, and others to help the community remediate the issue. This announcement on June 15, 2022 follows a good faith effort to contact all affected teams and assist in mitigation.
For a high level overview refer to our blog post.

Description and Overview

CVE-2022-32969: Insecure permissions vulnerability in MetaMask and other browser extension cryptocurrency wallets allows an attacker to access a user’s secret recovery phrase on disk via remote or physical access.

Both Firefox and Chromium based browsers save the contents of all non-password input fields to disk unencrypted as part of the “Restore Session” feature. Browser extension cryptocurrency wallets that use an input field for a BIP39 mnemonic can cause the secret recovery phrase to be stored on disk in plain text where an attacker can retrieve it and gain access to the wallet.

Additionally, an attacker with equal or greater permissions than the user may be able to retrieve the mnemonic phrase directly from memory.

For Browser-Wallet Users

User Guidance

The risk is present if the following conditions were met:

The Secret Recovery Phrase was imported into a browser extension wallet using a device that is no longer in the user’s possession or is logically compromised
The hard drive is unencrypted
The user used the “Show Secret Recovery Phrase” checkbox to view the seed phrase on-screen during import

When these conditions are met, the mnemonic key will be accessible:

Without the user unlocking their wallet
After a system restart
After uninstalling the crypto wallet browser extension
After deleting and reinstalling the browser

User Mitigation

Users who believe they may be affected should migrate to a new set of accounts using the instructions provided by MetaMask here. Rotating keys as a routine security measure and the use of a hardware wallet in conjunction with the browser based wallet can also provide increased security for users’ assets.

Wallet User FAQ

Q: What versions of MetaMask are vulnerable?

A: Users who entered their seed phrase in Metamask 10.11.2 and earlier may be at risk.

Q: How do I know if my secret recovery phrase is secure?

A: The best way to know for sure is to generate a new secret recovery phrase and migrate your wallet using the guidance provided by MetaMask. If disk encryption is in use then the seed phrase on-disk vulnerability is already mitigated.

Q: If I’m using a cold/hardware wallet am I affected?

A: No, we recommend always using a cold wallet or hardware wallet as outlined in our post from November 2021.

Note: It is still imperative to be diligent about the transactions you approve to avoid scams like malicious airdrops and rug-pulls

Q: What if the device holding my browser wallet was stolen?

A: If the device was encrypted the secret recovery phrase should still be secure, however we recommend following the migration guidance provided above to assure the highest degree of protection.

For Browser Wallet Providers

Reproduction Steps:

Generate a unique secret recovery phrase
Import the secret recovery phrase
Wait at least 30 seconds to ensure the browser has time to record the session to disk
Close the browser

The secret recovery phrase can then be found in the browser session data

Mitigation Suggestions:

The following are suggested mitigation measures that can be taken by wallet providers to avoid secret recovery phrases being stored in plain text both on-disk, and in system memory

Split the Mnemonic Phrase input field into several fields (one per word) and ensure that only one is revealed at a time
Instead of having the user enter their whole Phrase, use word selection for Mnemonic Phrase confirmation on wallet creation
To speed up the garbage collector’s removal of the phrase from memory, clear or dereference values of variables which store Mnemonic Phrases in your code
Avoid displaying the Mnemonic Phrase raw in the browser.
- A way to do this is to display the Mnemonic in an HTML5 canvas, so that the browser does not load the whole Phrase in memory.
- Another way is to obfuscate the Mnemonic Phrase as you display it. Each Mnemonic word could be displayed in a span HTML tag. In-between these spans there should be additional “fake” spans with “fake” random words. Each of the “fake” spans should have the following CSS properties: .fake{ position: absolute; left: 0px; top: 0px; z-index: -1; opacity: 0; } . This forces the browser to only display “genuine” Mnemonic words, while loading both the “genuine” and “fake” words into memory – thus obfuscating the Mnemonic Phrase.
Prevent (and warn) users from directly copying/pasting the Mnemonic Phrase into the browser. The browser’s clipboard is also responsible for leaking data into memory. Therefore, it is important to warn the user not to fill the browser’s clipboard with the Mnemonic Phrase, and to prevent them from doing so using the following method:
- Use the e.preventDefault() method on the onPaste event handler.
- It is also important to warn the user to manually enter their Mnemonic Phrase word-by-word. Even by using the e.preventDefault() method, the user is still able to copy/paste their Mnemonic. The only difference when using the aforementioned method is that it will live in memory for a shorter period of time. It is better not to introduce it into memory at all.
- During recovery of a wallet by entering the Mnemonic Phrase, it is suggested, instead of a text area, to provide to the users one password input for each mnemonic word.