More and more projects are attempting to link existing web services with the Ethereum network. This may either happen through proprietary in-browser wallets, or by simply using MetaMask to give access to an Ethereum address.
But looking at browser activity, unlocking MetaMask may give away too much information to sites and parties who are listening for it. And while no one can approve a transaction or steal the funds without the private keys, gathering information about crypto owners is still worrying.
The biggest potential problem is malicious sites detecting an unlocked MetaMask and proposing a spoof transaction, which the user then unwittingly approves.
This Twitter thread explains the potential problems with in-browser wallets always switched on:
If you are using an in-browser Ethereum wallet (e.g. Metamask, Brave, Parity) then any website can detect if you are an Ethereum user. I wouldn't be surprised if some advertisers are already collecting this information.
But even without pushing a transaction, advertisers may intercept a public Ethereum address, and link it to an online identity at some point. This in effect de-anonymizes the ETH network.
Knowing a public address allows anyone to use Etherscan and check balances and coin movements. What this information could be used for, it's anyone's guess.
One of the solutions may be in the Brave browser by Basic Attention (BAT), which allows for a connection to the Ethereum network and the BAT token, without necessarily having MetaMask switched on. The other possible protection is to have separate wallets for different purposes, and only hold as much ETH as needed for crypto kitties.
"Regardless of whether the wallet is currently locked, you can use the current network id on web3 to see if the user was last using the testnet or mainnet. If they’re on anything besides mainnet, they are probably a developer and likely have higher than average crypto holdings," wrote John Backus in ablog explaining the threat at length.
Still, with enough work, it is possible to trace the connections between addresses. And while MetaMask itself is very safe, exposing your ETH holdings and user behavior to the world may have repercussions way beyond annoying adds. Hacker attacks on the device are one possibility. But for large-scale crypto owners, exposing their personality may be even riskier in a physical sense.