Introduction

The Demonic Vulnerability (CVE-2022-32969) was discovered by Halborn and we have worked with MetaMask, Phantom, Brave, xDefi, and others to help the community remediate the issue. This announcement on June 15, 2022 follows a good faith effort to contact all affected teams and assist in mitigation.
For a high level overview refer to our blog post.

Description and Overview

CVE-2022-32969: Insecure permissions vulnerability in MetaMask and other browser extension cryptocurrency wallets allows an attacker to access a user’s secret recovery phrase on disk via remote or physical access.

Both Firefox and Chromium based browsers save the contents of all non-password input fields to disk unencrypted as part of the “Restore Session” feature. Browser extension cryptocurrency wallets that use an input field for a BIP39 mnemonic can cause the secret recovery phrase to be stored on disk in plain text where an attacker can retrieve it and gain access to the wallet.

Additionally, an attacker with equal or greater permissions than the user may be able to retrieve the mnemonic phrase directly from memory.

For Browser-Wallet Users

User Guidance

The risk is present if the following conditions were met:

  • The Secret Recovery Phrase was imported into a browser extension wallet using a device that is no longer in the user’s possession or is logically compromised
  • The hard drive is unencrypted
  • The user used the “Show Secret Recovery Phrase” checkbox to view the seed phrase on-screen during import

When these conditions are met, the mnemonic key will be accessible:

  • Without the user unlocking their wallet
  • After a system restart
  • After uninstalling the crypto wallet browser extension
  • After deleting and reinstalling the browser

User Mitigation

Users who believe they may be affected should migrate to a new set of accounts using the instructions provided by MetaMask here. Rotating keys as a routine security measure and the use of a hardware wallet in conjunction with the browser based wallet can also provide increased security for users’ assets.

Wallet User FAQ

Q: What versions of MetaMask are vulnerable?

A: Users who entered their seed phrase in Metamask 10.11.2 and earlier may be at risk.

Q: How do I know if my secret recovery phrase is secure?

A: The best way to know for sure is to generate a new secret recovery phrase and migrate your wallet using the guidance provided by MetaMask. If disk encryption is in use then the seed phrase on-disk vulnerability is already mitigated.

Q: If I’m using a cold/hardware wallet am I affected?

A: No, we recommend always using a cold wallet or hardware wallet as outlined in our post from November 2021

Note: It is still imperative to be diligent about the transactions you approve to avoid scams like malicious airdrops and rug-pulls

Q: What if the device holding my browser wallet was stolen?

A: If the device was encrypted the secret recovery phrase should still be secure, however we recommend following the migration guidance provided above to assure the highest degree of protection.

For Browser Wallet Providers

Reproduction Steps:

  • Generate a unique secret recovery phrase
  • Import the secret recovery phrase
  • Wait at least 30 seconds to ensure the browser has time to record the session to disk
  • Close the browser

The secret recovery phrase can then be found in the browser session data

Mitigation Suggestions:

The following are suggested mitigation measures that can be taken by wallet providers to avoid secret recovery phrases being stored in plain text both on-disk, and in system memory

  • Split the Mnemonic Phrase input field into several fields (one per word) and ensure that only one is revealed at a time
  • Instead of having the user enter their whole Phrase, use word selection for Mnemonic Phrase confirmation on wallet creation
  • To speed up the garbage collector’s removal of the phrase from memory, clear or dereference values of variables which store Mnemonic Phrases in your code
  • Avoid displaying the Mnemonic Phrase raw in the browser.
    • A way to do this is to display the Mnemonic in an HTML5 canvas, so that the browser does not load the whole Phrase in memory.
    • Another way is to obfuscate the Mnemonic Phrase as you display it. Each Mnemonic word could be displayed in a span HTML tag. In-between these spans there should be additional “fake” spans with “fake” random words. Each of the “fake” spans should have the following CSS properties: .fake{ position: absolute; left: 0px; top: 0px; z-index: -1; opacity: 0; } . This forces the browser to only display “genuine” Mnemonic words, while loading both the “genuine” and “fake” words into memory – thus obfuscating the Mnemonic Phrase.
  • Prevent (and warn) users from directly copying/pasting the Mnemonic Phrase into the browser. The browser’s clipboard is also responsible for leaking data into memory. Therefore, it is important to warn the user not to fill the browser’s clipboard with the Mnemonic Phrase, and to prevent them from doing so using the following method:
    • Use the e.preventDefault() method on the onPaste event handler.
    • It is also important to warn the user to manually enter their Mnemonic Phrase word-by-word. Even by using the e.preventDefault() method, the user is still able to copy/paste their Mnemonic. The only difference when using the aforementioned method is that it will live in memory for a shorter period of time. It is better not to introduce it into memory at all.
    • During recovery of a wallet by entering the Mnemonic Phrase, it is suggested, instead of a text area, to provide to the users one password input for each mnemonic word. 

Have concerns, want to learn more, or have a bug you’d like to disclose? Please reach out to us at disclosures@halborn.com.Halborn is hiring! If you’re someone who can help make our products and this industry more secure, consider joining our team.