MetaMask works as a gateway to decentralized apps (dapps) running on Ethereum’s blockchain. It’s a browser extension that seeks to simplify the use of cryptocurrency, which tends to intimidate unfamiliar users. It’s one of the most popular apps of its kind, boasting over a million installs on Chrome.
The company built a new “privacy mode” last year, designed to keep users from unintentionally broadcasting their Ethereum addresses to sites they visit while MetaMask is in use; these signals are known as “message broadcasts.”
Ethereum addresses are unique identifiers
A community member recently raised concerns over MetaMask’s “message broadcasts.” They detailed how (without privacy mode enabled) Ethereum addresses are detectable by “any advertisement, or tracker” while the user browses the web.
“[…] It sacrifices the privacy of everyone in the system because sites like Amazon, Google, PayPal, and others can link your blockchain transactions to credit card payments, thereby your identity, and the identity of the last person you transacted with – a person who wants to remain anonymous,” he wrote.
Hard Fork recreated the suggested method to see this in action. We installed a fresh version of MetaMask on a machine that had never used it before, and initiated a new Ethereum address.
Above is a screenshot of a “burner” address created using the MetaMask service. Note the string of letters and numbers underneath the QR-code.
In effect, MetaMask’s use of message broadcasts means the Ethereum addresses of its users can be relayed to ads and trackers, such as “Google+ like buttons, Facebook like buttons, Twitter retweeters, etc.”
Yeah, this is a problem, but fixing it could cause more
Sharing Ethereum addresses with any tracking service that requests it is certainly a little unsettling, but there are wider implications. Think of your Ethereum address as a unique identifier, you want to keep it separate from the rest of your online footprint at all times.
This is especially concerning when you consider that your address might be getting linked to your activity on some of the more fringe Ethereum dapps out there – like Spankchain. It seems an easy fix, but devs are still figuring out how to do it “safely.”
MetaMask has confirmed it’s aware of this issue. According to lead developer Dan Finlay, enabling privacy mode could damage older dapps still relying on making Ethereum address requests in this way.
“You’re right, we haven’t enabled this by default yet, because it would break previous dapp behavior, and we realized if we add the manual ability for users to ‘log in’ to legacy applications, we can add this privacy feature without breaking older sites,” he wrote in response. “PostMessage does expose the messages to all elements within a signed-in iFrame, and that could be more private.”
Finlay said MetaMask devs “need” to enable privacy mode by default, but there is no clear timeline for when the fix will be rolled out. For context, MetaMask had previously said it hoped to have the issue resolved by last November.
“We’ll be enabling privacy mode by default soon(er), the criticism that we’ve been slow on that is valid and we take it seriously,” he added, before commenting that backwards compatibility would also be an option for users who want to enable message broadcasts, for whatever reason.
So, if you have MetaMask installed, it’s best you double check if privacy mode is switched on. Follow these steps:
- Click on the MetaMask fox head in the top-right corner of your browser.
- Then, the little cartoon globe in the top-right corner of the window that pops up.
- Hit “Settings.”
- Scroll down until you see “Privacy Mode.” Make sure this is enabled (the slider is toggled to the right.)
You can now browse the internet without revealing your Ethereum stash to every site you visit. Thank me later.
Published March 22, 2019 — 16:07 UTC