Metamask, the leading Ethereum browser extension, allegedly broadcasts users' ETH addresses to every website they visit under its default settings, according to a GitHub issue submitted on March 20.
Metamask is a browser extension, also featured in the Brave browser, that lets its users interact with Ethereum-based DApps. It is compatible with Google Chrome, Mozilla Firefox, and Opera. According to the GitHub issue, Metamask's default settings broadcast a user's ETH address to every website visited. The post further specified that the ETH address is exposed in the data objects carried by message broadcasts, rather than in the window object.
According to the issue report, this can lead to the identification of users and precludes the use of Metamask by privacy-sensitive DApps. More specifically, the reporter cites the recently hacked porn DApp Spankchain and health DApps as examples.
Moreover, not only do the administrators of visited websites have access to users' Metamask addresses; so do third-party trackers such as Twitter retweet buttons, Facebook share or like buttons, and similar embedded systems that can fingerprint the browser. The reporter also noted on GitHub that he expects these message broadcasts to considerably reduce the value of ETH over the long term.
Developer Dan Miller argued in his reply to the GitHub issue that enabling privacy mode solves the problem. The user who filed the report responded that it does not. Daniel Finlay, a ConsenSys software developer, acknowledged that they agree privacy mode should be enabled by default and that the extension's privacy could be improved.
Finally, Finlay also responded to the reporter's claim that the purportedly deficient privacy features of the software are malicious in nature:
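The difference between the default behaviour described above and privacy mode comes down to when a page can read the address: at load time with no user action, or only after an explicit opt-in. The following is an added example, not code from the article or from Metamask. It simulates both provider behaviours in plain JavaScript and gives a DApp-side check that reports whether an address is readable without consent, together with the opt-in connect flow. The `eth_accounts` and `eth_requestAccounts` method names follow the EIP-1102 opt-in convention, which the article does not name; the address value is constructed, and the simulated `request` is synchronous (real providers return a Promise) to keep the example compact.

```javascript
// Constructed sample address; not a real account.
const SAMPLE_ADDRESS = "0x0000000000000000000000000000000000001234";

// Simulated "default" provider: the address is present for every page,
// with no user action required (the behaviour the GitHub issue reports).
function makeDefaultProvider(address) {
  return {
    request({ method }) {
      if (method === "eth_accounts" || method === "eth_requestAccounts") {
        return [address];
      }
      throw new Error("unsupported method: " + method);
    },
  };
}

// Simulated "privacy mode" provider: nothing is exposed until the page
// explicitly asks via eth_requestAccounts (the user's approval step).
function makePrivacyProvider(address) {
  let approved = false;
  return {
    request({ method }) {
      if (method === "eth_accounts") {
        return approved ? [address] : []; // silent read: empty until approved
      }
      if (method === "eth_requestAccounts") {
        approved = true; // stands in for the user clicking "Connect"
        return [address];
      }
      throw new Error("unsupported method: " + method);
    },
  };
}

// Check a privacy-sensitive DApp (or a curious user) can run at page load:
// does a silent eth_accounts call already return an address?
function addressExposedWithoutConsent(provider) {
  const silent = provider.request({ method: "eth_accounts" });
  return Array.isArray(silent) && silent.length > 0;
}

// Recommended DApp flow: read nothing at load; request accounts only in
// response to a user action, and treat an empty result as "not connected".
function connectOnUserAction(provider) {
  const accounts = provider.request({ method: "eth_requestAccounts" });
  return accounts.length > 0 ? accounts[0] : null;
}

// Summarise both providers side by side.
function exposureReport() {
  return {
    defaultMode: addressExposedWithoutConsent(makeDefaultProvider(SAMPLE_ADDRESS)),
    privacyMode: addressExposedWithoutConsent(makePrivacyProvider(SAMPLE_ADDRESS)),
  };
}

// Usage: node this_file.js
console.log(exposureReport()); // { defaultMode: true, privacyMode: false }
```

The useful property to check is the first one: with the default behaviour, any script on the page, including embedded third-party widgets, gets a non-empty `eth_accounts` result before the user has done anything, which is exactly the linkability the issue describes. In privacy mode the same call returns nothing until `eth_requestAccounts` has been approved, so a DApp that wants to avoid leaking the address should only call it on an explicit user action.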
“We definitely reject all your claims that this is some weird malicious act on our part. That would be the craziest move we could ever make on a totally open source crypto project.”
According to crypto media reports in November last year, Metamask had showcased a mobile version of its software; however, it has not yet been released. Separately, malware impersonating the tool appeared on Google Play and was removed from the store in February.