MetaMask browser extension wallet demonic vulnerability analysis

Background overview

On June 16, 2022, MetaMask (MM) officially announced a security issue called demon vulnerability discovered by white hats. The version affected by the vulnerability is < 10.11.3. Due to the large number of MM users, and There are also many wallets developed based on MM, so the impact of this vulnerability is quite large, so MM also generously paid a white hat bounty of 50,000 dollars. After the team synced the vulnerability with me, I started to analyze and reproduce the vulnerability.

Vulnerability Analysis

The white hat named this vulnerability as demonic vulnerability. The specific vulnerability description is more complicated. In order to let everyone better understand this problem, I will try to explain this problem with simple expressions. When using the MM browser extension wallet to import the mnemonic, if you click the "Show Secret Recovery Phrase" button, the browser will cache the plaintext of the entered complete mnemonic in the local disk, which uses the mechanism of the browser itself, namely The browser will save the Text text in the Tabs page from the memory to the local, so that the state of the page can be saved in time when the browser is used, and the previous page state can be restored when the page is opened next time.

Based on my understanding of this vulnerability, I started to reproduce the vulnerability. Since MM only briefly described the vulnerability and did not disclose the details of the vulnerability, I encountered the following problems when reproducing:

1. The file path where the cache is recorded to disk is unknown

2. When the cache is logged to disk is unknown

In order to solve problem 1, I started to analyze and test the cache directory structure of the browser, and found that when using the browser (chrome), the relevant Tabs cache is recorded in the following directory:

Tabs cache path:

/Users/$(whoami)/Library/Application Support/Google/Chrome/Default/Sessions/


Then continue to solve problem 2: The Sessions directory will record the cache of Tabs. In order to find out the time node when the cache is recorded, I decomposed the entire process of importing mnemonic phrases, and then observe the data changes of Sessions after each operation. It is found that after entering the mnemonic data on the following page, you need to wait for 10-20s, then close the browser, and the plaintext mnemonic information will be recorded in the Sessions cache data.


Here is the reproduced video:


Analysis conclusion

When users use MM normally, they put the data related to mnemonics into memory for storage, which is generally considered to be relatively safe (in the earlier Hacking Time of SlowMist, I found that when users use MM normally, it is The plaintext mnemonic can be extracted through the hook technology, which can only be used when the user's computer is controlled by a malicious program), but due to the demonic vulnerability, the mnemonic will be cached to the local disk, so there will be The following new utilization scenarios:

1. The plaintext mnemonic data is cached on the local disk and can be read by other applications. It is difficult to ensure that other applications do not read the Sessions cache file on the PC.

2. The plaintext mnemonic data is cached on the local disk. If the disk is not encrypted, the mnemonic can be recovered through physical contact. For example, in scenarios such as computer maintenance, when others physically touch the computer, the mnemonic data can be read from the hard disk.

About Us

DPTech is co-founded by several senior European and American security experts, and a core security R&D team with international first-line talents is committed to improving the overall security, privacy and usability of the blockchain ecosystem. By publishing industry trend reports and real-time monitoring of ecological security risks, it provides customers with visual solutions that meet international advanced security technology standards, and strengthens network security monitoring, early warning and defense capabilities. After years of accumulation of blockchain experience, DPTech has been recognized by dozens of well-known exchanges around the world.