In-Browser Wallets: Are They Giving Away Too Much?

As cryptocurrencies become more valuable, sites that listen for an in-browser wallet to unlock may learn too much about its owner.

More and more projects are attempting to link existing web services with the Ethereum network. This may either happen through proprietary in-browser wallets, or by simply using MetaMask to give access to an Ethereum address.

But judging by browser activity, unlocking MetaMask may give away too much information to sites and other parties listening for it. And while no one can approve a transaction or steal funds without the private keys, gathering information about crypto owners is still worrying.

The biggest potential problem is malicious sites detecting an unlocked MetaMask and proposing a spoof transaction, which the user then unwittingly approves.

This Twitter thread explains the potential problems with in-browser wallets always switched on:

But even without pushing a transaction, advertisers may intercept a public Ethereum address and link it to an online identity at some point. This in effect de-anonymizes users of the ETH network.

Knowing a public address allows anyone to use Etherscan to check balances and coin movements. What this information could be used for is anyone's guess.

One of the solutions may be the Brave browser (the project behind Basic Attention Token, BAT), which allows a connection to the Ethereum network and the BAT token without necessarily having MetaMask switched on. The other possible protection is to keep separate wallets for different purposes, and to hold only as much ETH as needed for CryptoKitties.

"Regardless of whether the wallet is currently locked, you can use the current network id on web3 to see if the user was last using the testnet or mainnet. If they’re on anything besides mainnet, they are probably a developer and likely have higher than average crypto holdings," wrote John Backus in a blog explaining the threat at length.
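As an added illustration (not code from the article, from MetaMask or from John Backus), the following Node.js snippet models the two points made above: what a page script can read from a legacy injected web3 object the moment the wallet unlocks, including the network-id heuristic Backus describes, and how an opt-in provider in the style of EIP-1102 (which MetaMask later adopted) withholds the address until the user approves a prompt. The provider objects, the sample address and the network-name table are constructed stand-ins for this example.

```javascript
// Added example (not from the article): models what a page script can learn
// from an injected wallet object, and how an opt-in provider changes that.
// Every provider object below is a constructed stand-in, not a real wallet.

const NETWORK_NAMES = { 1: "mainnet", 3: "ropsten", 4: "rinkeby", 42: "kovan" };

// Stand-in for the legacy injected web3 object: the current network id is
// readable whether or not the wallet is locked, and the account list is
// exposed as soon as the user unlocks, with no approval prompt.
function makeLegacyWeb3({ unlocked, networkId, address }) {
  return {
    eth: { accounts: unlocked ? [address] : [] },
    version: { network: String(networkId) },
  };
}

// What a passive listener learns from the legacy object without any user
// interaction. This is the leak the article describes.
function passiveFingerprint(web3) {
  if (!web3) return { walletInstalled: false };
  const accounts = web3.eth.accounts || [];
  const networkId = Number(web3.version.network);
  return {
    walletInstalled: true,
    unlocked: accounts.length > 0,
    // a public address ties the browsing session to its on-chain history
    address: accounts.length > 0 ? accounts[0] : null,
    network: NETWORK_NAMES[networkId] || `unknown(${networkId})`,
    // Backus's heuristic: not on mainnet, probably a developer
    likelyDeveloper: networkId !== 1,
  };
}

// Stand-in for an opt-in provider (EIP-1102 style): eth_accounts returns an
// empty list until the user has approved an explicit eth_requestAccounts
// prompt. The real API is Promise-based; this stand-in is synchronous so the
// control flow is easy to follow.
function makeOptInProvider({ address, userApproves }) {
  let approved = false;
  return {
    request({ method }) {
      switch (method) {
        case "eth_requestAccounts":
          if (!userApproves) throw new Error("User rejected the request.");
          approved = true;
          return [address];
        case "eth_accounts":
          return approved ? [address] : [];
        default:
          throw new Error(`unsupported method: ${method}`);
      }
    },
  };
}

// The same listener against the opt-in provider: nothing identifying is
// available passively, and an address appears only after the user says yes.
function optInFingerprint(provider) {
  const passive = provider.request({ method: "eth_accounts" });
  let address = null;
  let approved = false;
  try {
    address = provider.request({ method: "eth_requestAccounts" })[0];
    approved = true;
  } catch (e) {
    // user declined: the site learns nothing beyond "a wallet is installed"
  }
  return { passiveAddress: passive.length > 0 ? passive[0] : null, approved, address };
}

// Constructed sample address for the demo, not a real account.
const SAMPLE_ADDRESS = "0x00000000000000000000000000000000deadbeef";

console.log("legacy, unlocked on rinkeby:",
  passiveFingerprint(makeLegacyWeb3({ unlocked: true, networkId: 4, address: SAMPLE_ADDRESS })));
console.log("opt-in, user declines:",
  optInFingerprint(makeOptInProvider({ address: SAMPLE_ADDRESS, userApproves: false })));
```

A site operator can paste `passiveFingerprint(window.web3)` into the browser console on a page with a legacy wallet installed to see exactly what any third-party script loaded on that page would also see; with an opt-in provider the same check yields only "a wallet is installed".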

Still, with enough work, it is possible to trace the connections between addresses. And while MetaMask itself is very safe, exposing your ETH holdings and user behavior to the world may have repercussions well beyond annoying ads. Hacker attacks on the device are one possibility. But for large-scale crypto owners, exposing their identity may be even riskier in a physical sense.