MetaMask, Phantom Fix “Demonic” Vulnerability in Browser Wallets

Key points to remember
- MetaMask and Phantom fixed a critical vulnerability in their browser extension wallets.
- Codenamed “Demonic”, the vulnerability exposed users’ Secret Recovery Phrases by leaving them saved as unencrypted plain text on users’ drives.
- Although the wallet providers have patched the vulnerability, some users may still be exposed unless they update to the latest version of their wallet software and migrate their funds to a new wallet.
Some of the most popular browser extension crypto wallets suffered from a critical vulnerability that left users’ Secret Recovery Phrases open to theft, a new report has revealed.
Crypto Wallets Fix Critical Vulnerability
Several browser wallet vendors have successfully patched a long-standing vulnerability.
According to a Wednesday report from cybersecurity firm Halborn, some of the most popular cryptocurrency wallets, including MetaMask, Phantom, Brave, and xDefi, suffered from a critical vulnerability in their browser extension software. Under certain conditions, the vulnerability, codenamed “Demonic”, exposed users’ Secret Recovery Phrases, which would have allowed attackers to access the billions of dollars in cryptocurrency held in browser extension wallets.
In the report, Halborn explained that the vulnerability stemmed from the browser’s “Restore Session” feature, which saves the contents of all non-password input fields to disk as unencrypted plain text. Because the wallets accepted the so-called mnemonic key, or Secret Recovery Phrase, in an ordinary text field, the phrase was written to the user’s drive in the clear. This put every user who had imported a wallet into the browser extension using a Secret Recovery Phrase at risk of having their private keys and cryptocurrency funds stolen.
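The following is an added illustration of the input-handling difference the report describes; it is not code from the article, from Halborn, or from any of the affected wallets. The form structure, the `importWallet` routine and the 12-word count are assumptions made for the example. It rests on the report’s point that session restore persists non-password fields, so the hardened form keeps the phrase out of plain text fields and wipes it from the page once the import routine has it.

```html
<!-- Added example, not from the article or any wallet's source code.
     Assumption: browser session restore persists plain text fields but
     not password-type fields, matching the report's "non-password input
     fields". -->

<!-- VULNERABLE pattern (hypothetical): the whole phrase in a textarea.
     Whatever the user types here is ordinary form text and can be written
     to the profile's session-restore data in the clear. -->
<form id="import-vulnerable">
  <label for="srp">Secret Recovery Phrase</label>
  <textarea id="srp" name="srp" rows="3"></textarea>
  <button type="submit">Import</button>
</form>

<!-- HARDENED pattern (hypothetical): one masked input per word, no
     autocomplete or spell-check, and the values are cleared as soon as the
     phrase has been handed to the import routine. -->
<form id="import-hardened" autocomplete="off">
  <fieldset id="words"></fieldset>
  <button type="submit">Import</button>
</form>

<script>
  // Assumption for the example: a 12-word phrase (use 24 for 24-word phrases).
  const WORD_COUNT = 12;
  const fieldset = document.getElementById("words");

  for (let i = 0; i < WORD_COUNT; i++) {
    const input = document.createElement("input");
    input.type = "password";      // excluded from session-restore snapshots
    input.autocomplete = "off";   // keep the words out of form-fill storage
    input.spellcheck = false;     // never hand secret words to a spell-checker
    input.name = `word-${i + 1}`;
    input.setAttribute("aria-label", `Word ${i + 1}`);
    fieldset.appendChild(input);
  }

  document.getElementById("import-hardened").addEventListener("submit", (ev) => {
    ev.preventDefault();
    const inputs = [...fieldset.querySelectorAll("input")];
    const phrase = inputs.map((el) => el.value.trim().toLowerCase()).join(" ");
    try {
      importWallet(phrase);
    } finally {
      // Clear the DOM copy whether or not the import succeeded, so the phrase
      // is not left sitting in the page for a later snapshot or restore.
      for (const el of inputs) el.value = "";
    }
  });

  // Placeholder standing in for a wallet's own import routine (assumption).
  // A real implementation derives the keys and stores them encrypted under
  // the user's wallet password; it never writes the phrase itself to disk.
  function importWallet(phrase) {
    console.log(`received ${phrase.split(" ").length} words`);
  }
</script>
```

The field type is the part that matters for the Restore Session path; the clearing step only limits how long the phrase stays in the live page. JavaScript gives no way to scrub the `phrase` string from memory, so the import routine should hold it no longer than it needs to derive and encrypt the keys.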
In a blog post on Wednesday, Phantom, the Solana wallet, noted that Halborn alerted it to the Demonic vulnerability last September and that it began rolling out patches in January. Phantom confirmed that all of its users were protected against the vulnerability as of April and said it intends to ship an even more comprehensive fix next week. MetaMask, for its part, said it fixed the vulnerability in version 10.11.3 and later. However, users who imported their wallet into an older version of the extension using their Secret Recovery Phrase may still be at risk, especially those with unencrypted hard drives or potentially compromised computers, since the phrase may already have been written to disk.
As a precaution, MetaMask recommended that such users install the latest version of its browser extension wallet and migrate their funds to a new wallet with a freshly generated Secret Recovery Phrase. So far, no exploitation of the Demonic vulnerability has been reported.
Disclosure: At the time of writing this article, the author of this article owned ETH and several other cryptocurrencies.