Metamask Privacy Issues come to Light on Github

A recent Github issue shows that Metamask broadcasts ETH addresses of its users to websites by default, raising concerns about privacy.

Last Wednesday, a GitHub user by the name of projectoblio found that Metamask’s default configuration may expose its users to situations where their personally identifiable information can be tied to their Ethereum wallet addresses.

“At the most basic level the fact that you have an ETH address which is broadcasted to every single site and tracker can be used to increase the prices you see on sites like Amazon, Google, and others… Even transferring ETH between accounts still links back to your last known identity and can be used to change your rates on employment opportunities, health insurance, loan risk factors, etc. based on your proclivities or health metrics,” the user wrote, explaining the risks that this involves.

This isn’t the first time that such concerns have been raised: Metamask previously responded to community discussions on this subject by announcing that “Privacy Mode” would be enabled by default as of November 6th last year.

However, as projectoblio explains, this is not enough. Although privacy mode removes some of the information exchange between Metamask and websites, it doesn’t remove specific message broadcasts that could be used to infer data about visitors.

Running a specific snippet in the browser console, which a website could theoretically trigger on its own, causes the extension to broadcast a data object message containing the user’s ETH address. The message repeats roughly every 40 seconds.

“There are plenty of other ways to interact with a Chrome extension aside from communicating unique identifiers to these other companies, and they do not have anything to do with injected web3,” projectoblio added.

Metamask responds to the allegations

About a day later, Dan Finlay—lead developer at Metamask—replied to the GitHub issue, explaining that there is no way to make the platform work without communicating some information to websites that ask for it.

“In order to provide an API to websites, we have to communicate via a per-page content script… We need to enable privacy mode by default, and have been slow to do that. We’ll be doing this soon, but are making sure to do it in a non-site-breaking way… We definitely reject all your claims that this is some weird malicious act on our part. That would be the craziest move we could ever make on a totally open source crypto project,” Finlay said.

The dilemma here is that in order for an application to have the ability to communicate information to any website that asks for it, users ultimately have to accept that a small part of their privacy has the potential to be exposed.
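To make the trade-off in the two passages above concrete (the periodic address broadcast projectoblio describes, and Finlay’s point that an in-page API has to hand something to sites that ask), here is an added illustration that is not Metamask’s code: two toy wallet providers, one that pushes the address to every listener on a timer, and one that only reveals it to an origin the user has approved. The class names, message shape, origins and sample address are all constructed for this example.

```javascript
// Added example, not MetaMask's code. "LeakyProvider" mirrors the behaviour
// described in the GitHub issue (the address is pushed to every listener on
// a timer). "ConsentGatedProvider" keeps the address back until the page
// asks and the user approves that origin. Names, message shapes, origins and
// the sample address below are constructed for this illustration.

const SAMPLE_ADDRESS = "0x0000000000000000000000000000000000001234"; // constructed, not a real wallet

class LeakyProvider {
  constructor(address) {
    this.address = address;
    this.listeners = [];
  }
  on(listener) {
    this.listeners.push(listener);
  }
  // Periodic broadcast: every registered listener (page script, analytics
  // library, anything else running in the page) receives the address unasked.
  tick() {
    const msg = { type: "accounts", accounts: [this.address] };
    for (const listener of this.listeners) listener(msg);
    return msg;
  }
}

class ConsentGatedProvider {
  // askUser(origin) stands in for the extension's approval prompt.
  constructor(address, askUser) {
    this.address = address;
    this.askUser = askUser;
    this.approvedOrigins = new Set();
    this.listeners = [];
  }
  on(origin, listener) {
    this.listeners.push({ origin, listener });
  }
  // The page must ask; the wallet asks the user; a denied or never-asked
  // origin gets an empty account list.
  requestAccounts(origin) {
    if (!this.approvedOrigins.has(origin)) {
      if (!this.askUser(origin)) return [];
      this.approvedOrigins.add(origin);
    }
    return [this.address];
  }
  // Periodic broadcast still happens, but only approved origins see the address.
  tick() {
    const delivered = [];
    for (const { origin, listener } of this.listeners) {
      const accounts = this.approvedOrigins.has(origin) ? [this.address] : [];
      listener({ type: "accounts", accounts });
      delivered.push({ origin, accounts });
    }
    return delivered;
  }
}

// Runs both providers against a first-party page script and a third-party
// tracker script and reports what each one learned.
function runScenario() {
  const report = {};

  const leaky = new LeakyProvider(SAMPLE_ADDRESS);
  let trackerSaw = null;
  leaky.on((msg) => { trackerSaw = msg.accounts[0] ?? null; });
  leaky.tick();
  report.leakyTrackerSaw = trackerSaw; // the tracker gets the address for free

  // The user approves the shop but denies the tracker's origin.
  const approve = (origin) => origin === "https://shop.example";
  const gated = new ConsentGatedProvider(SAMPLE_ADDRESS, approve);
  let pageSaw = null;
  let gatedTrackerSaw = null;
  gated.on("https://shop.example", (msg) => { pageSaw = msg.accounts[0] ?? null; });
  gated.on("https://tracker.example", (msg) => { gatedTrackerSaw = msg.accounts[0] ?? null; });

  gated.tick();
  report.gatedPageBeforeRequest = pageSaw; // nothing leaks before consent
  report.pageRequest = gated.requestAccounts("https://shop.example");
  report.trackerRequest = gated.requestAccounts("https://tracker.example");
  gated.tick();
  report.gatedPageAfterRequest = pageSaw;
  report.gatedTrackerAfterRequest = gatedTrackerSaw;
  return report;
}

console.log(runScenario());
```

The consent-gated design does not remove the dilemma Finlay describes, since the site still learns the address once the user says yes, but it turns an unconditional broadcast into a per-origin, user-visible decision that a tracker script embedded on the page cannot obtain on its own.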
