MetaMask Has Been Broadcasting Users’ Ethereum Addresses to Visited Websites by Default

Fibo Quantum


Popular Ethereum wallet MetaMask has been broadcasting users’ Ethereum wallet addresses to the websites they visit, allowing third parties to read their ETH addresses and potentially link them to their browsing activity.

According to a recently raised GitHub issue, MetaMask has a built-in “privacy mode” that could stop this from happening, but that needs to be manually activated by the user. If it isn’t enabled, it sends websites what are known as “message broadcasts.”

These have raised concerns, as “any advertisement, or tracker” embedded in a page can detect MetaMask users’ Ethereum addresses through them and potentially link the address to users’ browsing activity – compromising anonymity.

The user who created the GitHub issue wrote:

It sacrifices the privacy of everyone in the system because sites like Amazon, Google, PayPal, and others can link your blockchain transactions to credit card payments, thereby your identity, and the identity of the last person you transacted with – a person who wants to remain anonymous.

MetaMask is a popular browser extension that gives users access to decentralized applications (dApps) on the web. It has been installed over a million times on Google Chrome, and is available for Brave, Mozilla Firefox, and Opera.

The Next Web reportedly tested the wallet’s default settings, and managed to confirm third-party trackers may be able to detect these message broadcasts, which can be relayed to ads and trackers “such as Google+ like buttons, Facebook like buttons, Twitter retweeters, etc.”

Lead developer Dan Finlay, responding to the concerned user, explained that enabling privacy mode by default could break dApps that expect to read the user’s Ethereum address without first requesting access to it. Finlay explained:

You’re right, we haven’t enabled this by default yet, because it would break previous dapp behavior, and we realized if we add the manual ability for users to ‘log in’ to legacy applications, we can add this privacy feature without breaking older sites.

He noted that while developers need to enable privacy mode by default, it isn’t clear when that will happen. To enable it themselves, users have to go into MetaMask’s settings to toggle the “Privacy Mode” slider.
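The two behaviours the article contrasts, as an added illustration that is not MetaMask’s or the article’s own code: under the default, any script on the page can read the address as soon as the provider is injected; under privacy mode nothing is exposed until the user approves a request, which is the “log in” step Finlay describes (the opt-in pattern standardised as EIP-1102, `ethereum.enable()`). The provider below is a constructed mock so the example runs offline in Node; its field and method names mirror the injected provider of that era, but nothing here talks to a real wallet.

```javascript
// Constructed stand-in for the injected MetaMask provider (not the real one).
const USER_ADDRESS = "0x0000000000000000000000000000000000001234"; // constructed

// privacyMode=false: address is exposed at injection time (the reported default).
// privacyMode=true : nothing is exposed until enable() resolves.
// approve models the user's answer to the connect prompt.
function makeMockProvider({ privacyMode, approve }) {
  return {
    selectedAddress: privacyMode ? null : USER_ADDRESS,
    enable() {
      if (!approve) return Promise.reject(new Error("User rejected the request."));
      this.selectedAddress = USER_ADDRESS;
      return Promise.resolve([USER_ADDRESS]);
    },
  };
}

// What an arbitrary script on the page (ad, tracker, like button) can read
// without asking: the address under the default, null under privacy mode.
function addressReadableWithoutConsent(provider) {
  return provider ? provider.selectedAddress : null;
}

// Privacy-mode-compatible connect flow for a dApp. Accounts are requested only
// in response to an explicit user gesture (e.g. a Connect button), and a
// declined prompt is treated as "no account", so nothing is requested on load.
async function connectWallet(provider, fromUserGesture) {
  if (!provider) return null;          // no wallet extension installed
  if (!fromUserGesture) return null;   // never prompt on page load
  try {
    const accounts = await provider.enable();
    return accounts.length ? accounts[0] : null;
  } catch (err) {
    return null;                       // user declined; no address is revealed
  }
}
```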

As CryptoGlobe covered, the popular Ethereum wallet interface announced a mobile app late last year. MetaMask has notably been protecting its users in other ways: the extension blocked a popular dApp called 333ETH, which is widely believed to be a Ponzi scheme.