TL;DR: As part of our security research, we looked into different methods for connecting to dapps. We found that browser-extension-based crypto wallets disclose specific data to websites without their users' consent. AND it's not just theoretical: sites actually abuse this to collect user information!
Connecting to Web3 apps
Web3 allows users to perform complex operations by sending on-chain transactions to smart contracts through dapps. For example, a user can send a transaction to exchange one asset for another under certain conditions (e.g., the rate has not deviated). But how would the user know how to compose this complex, non-standard message, which changes from dapp to dapp?
To solve this, dapps have a web2 interface that sends properly formatted transactions to the wallet, so that the wallet's owner can read them and send them. This connection between the wallet and the dapp's interface is currently implemented mostly via a browser extension, or via WalletConnect for mobile wallets.
With WalletConnect, users scan a QR code with their wallet to create the channel between the wallet and the dapp. The dapp sends some information about itself (e.g., name, icon) and then messages to be signed. Learn more about this process here.
While WalletConnect is “opt-in,” i.e., users must actively interact with the app by pushing a button or scanning a QR code, browser extensions can be “popped up” by websites. What are the privacy implications of this?
What browser extensions may reveal to all websites
Any website, even one that is not a web3 dapp, can check for the existence of the extension without any approval from the user. As a result, such websites learn that the user has a crypto wallet and likely has access to cryptocurrency.
Additional information available without consent can include the specific chain the user is connected to and whether the wallet is currently locked with a password (an unlocked wallet may indicate recent use).
Luckily, learning more intimate information, such as the wallet address, requires explicit user consent.
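The self-check script below is an added example, not the page's demo site or any wallet's own code. Like the demo, it only reflects to the user what an injected provider exposes before any connection has been approved, and sends nothing anywhere. It assumes the provider hints the main extensions publish (`window.ethereum.isMetaMask`, `window.ethereum.isCoinbaseWallet`, `window.solana.isPhantom`, the optional synchronous `ethereum.chainId` property, EIP-1193 `eth_chainId`, and MetaMask's experimental `_metamask.isUnlocked()`); the global object is passed in as a parameter so the same functions can run under Node against a constructed fake provider.

```javascript
// Added self-check in the spirit of the page's "reflect, don't collect" demo:
// it reads what an injected wallet provider exposes to any page BEFORE the
// user approves a connection and hands the result back to the caller instead
// of transmitting it. The global object is a parameter so the code runs
// against a constructed fake in Node as well as a real `window` in a browser.
//
// Assumptions (labelled here and in the lead-in): the provider flags
// `ethereum.isMetaMask`, `ethereum.isCoinbaseWallet`, `solana.isPhantom`, the
// experimental `ethereum._metamask.isUnlocked()` and the optional synchronous
// `ethereum.chainId` property are the hints the extensions publish.

function inspectInjectedWallets(win) {
  const eth = win && win.ethereum;
  const sol = win && win.solana;
  return {
    // Mere presence of the provider object already tells the page that a
    // wallet extension is installed (the page's core point).
    hasEvmProvider: Boolean(eth),
    isMetaMask: Boolean(eth && eth.isMetaMask),
    isCoinbaseWallet: Boolean(eth && eth.isCoinbaseWallet),
    isPhantom: Boolean(sol && sol.isPhantom),
    // Some providers expose the current chain synchronously; null if not.
    chainId: eth && typeof eth.chainId === 'string' ? eth.chainId : null,
  };
}

// Asynchronous hints: EIP-1193 `eth_chainId` is answerable without an approved
// connection, and MetaMask's experimental `_metamask.isUnlocked()` reports the
// lock state. Refusals become null rather than exceptions, because the goal is
// to show the user what is exposed, not to break on a stricter wallet.
async function inspectInjectedWalletsAsync(win) {
  const base = inspectInjectedWallets(win);
  const eth = win && win.ethereum;
  let chainId = base.chainId;
  let unlocked = null;
  if (eth && typeof eth.request === 'function') {
    try {
      chainId = await eth.request({ method: 'eth_chainId' });
    } catch (_) { /* provider refused: keep the synchronous value */ }
  }
  if (eth && eth._metamask && typeof eth._metamask.isUnlocked === 'function') {
    try {
      unlocked = await eth._metamask.isUnlocked();
    } catch (_) { /* experimental API missing or refused */ }
  }
  return { ...base, chainId, unlocked };
}

// Human-readable summary of the same facts, for display on the page itself.
function describeExposure(info) {
  const lines = [];
  if (!info.hasEvmProvider && !info.isPhantom) {
    lines.push('No wallet extension detected.');
    return lines;
  }
  const names = [];
  if (info.isMetaMask) names.push('MetaMask');
  if (info.isCoinbaseWallet) names.push('Coinbase Wallet');
  if (info.isPhantom) names.push('Phantom');
  lines.push('Wallet extension detected: ' + (names.length ? names.join(', ') : 'unknown EVM provider'));
  if (info.chainId) lines.push('Current chain id: ' + info.chainId);
  if (info.unlocked === true) lines.push('Wallet is unlocked (recent use likely).');
  if (info.unlocked === false) lines.push('Wallet is locked.');
  return lines;
}

// Constructed sample: a fake MetaMask-like provider on the Sepolia testnet
// (chain id 0xaa36a7) that reports itself as unlocked.
const sampleWindow = {
  ethereum: {
    isMetaMask: true,
    chainId: '0xaa36a7',
    request: async ({ method }) => {
      if (method === 'eth_chainId') return '0xaa36a7';
      throw new Error('unsupported in sample');
    },
    _metamask: { isUnlocked: async () => true },
  },
};

// In a browser, inspect the real window; under Node, fall back to the sample.
const target = typeof window === 'undefined' ? sampleWindow : window;
inspectInjectedWalletsAsync(target).then((info) => console.log(describeExposure(info).join('\n')));
```

In a browser, pasting this into the console of a page you control shows the same facts the demo site reflects; under Node it prints the constructed sample. The functions return plain objects so the result can be inspected locally rather than sent to an analytics endpoint.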
Test it for yourself! ⬇️
To illustrate the issue we created a publicly available demo website that reflects this information to the user without collecting it. Feel free to try it out with a MetaMask or similar extension.
Results of the demo website with an unlocked MetaMask connected to Ethereum testnet
It's important to note that the core issue is not new and was reported five years ago, though not necessarily with the same set of private data being disclosed. However, given the rise in new Web3 users since it was first published, it is safe to assume that many users of browser-extension-based wallets are not aware of these privacy issues.
Why does privacy matter?
Generally, it's better to tell the Internet as little as possible about yourself, and especially about being a cryptocurrency user. Some examples of how knowledge of a user's affiliation with cryptocurrency can be abused:
- In some countries, cryptocurrency use is not allowed. By abusing this privacy issue, governments might be able to identify such crypto outlaws.
- Hackers can use this information to target users with cryptocurrency in order to steal their funds.
- Marketers can use that information to track users and target them more efficiently.
Abusing extension privacy issues in the wild
Using source code search engines (such as https://publicwww.com/ and https://www.nerdydata.com/ ) we were able to find patterns of such abusive code embedded in popular websites, some of them in the top 1000 sites.
We found websites that do not use web3 (at least not on the page where this information is collected) nonetheless enriching their Google Analytics data about a user with whether the MetaMask, Coinbase or Phantom extensions are present.
Website code checks for the existence of MetaMask, Coinbase or Phantom extensions
Since the search was not exhaustive, we believe this is only the tip of the iceberg, and that more malicious sites embed this abusive code using stealthier methods.
- Web3 users who are highly concerned about their privacy should consider switching to a mobile-based wallet. Mobile wallets, such as ZenGo, mostly use WalletConnect to interface with web3 apps and require the user's permission to do so. As a result, general websites are prevented from snooping.
- For users who want to keep using their browser extensions while maintaining their privacy, it's advised to disable the extensions while not actively working with them. In Chrome this can be done at chrome://extensions/ by toggling the state of the relevant extension.
- For extension developers, we recommend limiting the information shared with websites without users' explicit consent to the bare minimum.
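As an added illustration of the last recommendation (not code from MetaMask, Phantom, Coinbase or any real extension), here is a consent-gated provider sketch: every method except the connection request is refused with EIP-1193 error 4100 (Unauthorized) until the user has approved the calling origin, so chain id and lock state are no longer readable by arbitrary pages. The `askUser` callback, the `walletState` object and the `wallet_isUnlocked` method name are assumptions made for the example.

```javascript
// Added sketch for extension developers, following the page's last
// recommendation: the injected provider answers no question about the wallet
// (chain id, lock state, accounts) for an origin until the user has approved a
// connection for that origin. Illustrative code, not any real extension's
// implementation. Assumptions: the consent prompt (`askUser`) and the wallet
// state are supplied by the extension; EIP-1193 codes 4100 (Unauthorized) and
// 4200 (Unsupported Method) are used for refusals; `wallet_isUnlocked` is a
// hypothetical method name standing in for a lock-state query.

const CONNECT_METHODS = new Set(['eth_requestAccounts', 'wallet_requestPermissions']);

function unauthorized() {
  return Object.assign(
    new Error('The requested method and/or account has not been authorized by the user.'),
    { code: 4100 },
  );
}

class ConsentGatedProvider {
  constructor({ origin, askUser, walletState }) {
    this.origin = origin;              // origin of the page this provider is injected into
    this.askUser = askUser;            // (origin) => boolean: the extension's own consent prompt
    this.walletState = walletState;    // { chainId, unlocked, accounts } held by the extension
    this.approvedOrigins = new Set();  // a real extension would persist this allow-list
  }

  // Synchronous core so the policy is easy to test; `request` wraps it in a Promise.
  handle(method) {
    if (CONNECT_METHODS.has(method)) {
      if (!this.approvedOrigins.has(this.origin)) {
        if (!this.askUser(this.origin)) throw unauthorized();
        this.approvedOrigins.add(this.origin);
      }
      return this.walletState.accounts;
    }
    // Everything else, including chain id and lock state, is gated on consent.
    if (!this.approvedOrigins.has(this.origin)) throw unauthorized();
    switch (method) {
      case 'eth_chainId': return this.walletState.chainId;
      case 'eth_accounts': return this.walletState.accounts;
      case 'wallet_isUnlocked': return this.walletState.unlocked;
      default: throw Object.assign(new Error('Method not supported'), { code: 4200 });
    }
  }

  // EIP-1193 shape: request({ method }) returns a Promise.
  request({ method }) {
    return new Promise((resolve, reject) => {
      try { resolve(this.handle(method)); } catch (e) { reject(e); }
    });
  }
}

// Constructed walk-through: a page that merely probes the provider learns
// nothing, while a dapp the user approves gets the chain id afterwards.
function demo() {
  const walletState = { chainId: '0xaa36a7', unlocked: true, accounts: ['0x' + '11'.repeat(20)] };
  const silent = new ConsentGatedProvider({ origin: 'https://tracker.example', askUser: () => false, walletState });
  const trusted = new ConsentGatedProvider({ origin: 'https://dapp.example', askUser: () => true, walletState });
  const results = {};
  try { silent.handle('eth_chainId'); results.probeBeforeConsent = 'leaked'; }
  catch (e) { results.probeBeforeConsent = e.code; }
  try { silent.handle('wallet_isUnlocked'); results.lockProbeBeforeConsent = 'leaked'; }
  catch (e) { results.lockProbeBeforeConsent = e.code; }
  try { silent.handle('eth_requestAccounts'); results.deniedConnect = 'leaked'; }
  catch (e) { results.deniedConnect = e.code; }
  trusted.handle('eth_requestAccounts');
  results.chainAfterConsent = trusted.handle('eth_chainId');
  results.unlockedAfterConsent = trusted.handle('wallet_isUnlocked');
  return results;
}

console.log(demo());
```

Note what this does and does not fix: a page can still observe that a `window.ethereum` object exists, because EIP-1193 dapp discovery depends on it, but the extra facts the page describes (chain and lock state) are withheld until consent, and the per-origin allow-list keeps approved dapps working without re-prompting on every call.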