Early bird prices are coming to an end soon... ⏰ Grab your tickets before January 17

This article was published on March 22, 2019

PSA: MetaMask reveals your Ethereum address to sites you visit, here’s how to hide it

Please, for the love of Vitalik, make sure you enable this setting


PSA: MetaMask reveals your Ethereum address to sites you visit, here’s how to hide it

There’s a setting that popular Ethereum service MetaMask doesn’t enable by default, and it’s putting users’ privacy at risk.

MetaMask works as a gateway to decentralized apps (dapps) running on Ethereum’s blockchain. It’s a browser extension that seeks to simplify the use of cryptocurrency, which tends to intimidate unfamiliar users. It’s one of the most popular apps of its kind, boasting over a million installs on Chrome.

The company built a new “privacy mode” last year, designed to keep users from unintentionally broadcasting their Ethereum addresses to sites they visit while MetaMask is in use; these signals are known as “message broadcasts.”

Ethereum addresses are unique identifiers

A community member recently raised concerns over MetaMask’s “message broadcasts.” They detailed how (without privacy mode enabled) Ethereum addresses are detectable by “any advertisement, or tracker” while the user browses the web.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

“[…] It sacrifices the privacy of everyone in the system because sites like Amazon, Google, PayPal, and others can link your blockchain transactions to credit card payments, thereby your identity, and the identity of the last person you transacted with – a person who wants to remain anonymous,” he wrote.

Hard Fork recreated the suggested method to see this in action. We installed a fresh version of MetaMask on a machine that had never used it before, and initiated a new Ethereum address.

Remember: “0x60d4421a28 …”

Above is a screenshot of a “burner” address created using the MetaMask service. Note the string of letters and numbers underneath the QR-code.

Shortly after entering some basic code into the JavaScript console of my browser (replicating how third-party trackers would detect message broadcasts), I was gifted small packets of data containing the exact same Ethereum address that I had just “registered” with MetaMask.

In effect, MetaMask’s use of message broadcasts means the Ethereum addresses of its users can be relayed to ads and trackers, such as “Google+ like buttons, Facebook like buttons, Twitter retweeters, etc.”

This was pretty spooky …

Yeah, this is a problem, but fixing it could cause more

Sharing Ethereum addresses with any tracking service that requests it is certainly a little unsettling, but there are wider implications. Think of your Ethereum address as a unique identifier, you want to keep it separate from the rest of your online footprint at all times.

This is especially concerning when you consider that your address might be getting linked to your activity on some of the more fringe Ethereum dapps out there – like Spankchain. It seems an easy fix, but devs are still figuring out how to do it “safely.”

MetaMask has confirmed it’s aware of this issue. According to lead developer Dan Finlay, enabling privacy mode could damage older dapps still relying on making Ethereum address requests in this way.

TURN ON THIS SETTING

“You’re right, we haven’t enabled this by default yet, because it would break previous dapp behavior, and we realized if we add the manual ability for users to ‘log in’ to legacy applications, we can add this privacy feature without breaking older sites,” he wrote in response. “PostMessage does expose the messages to all elements within a signed-in iFrame, and that could be more private.”

Finlay said MetaMask devs “need” to enable privacy mode by default, but there is no clear timeline for when the fix will be rolled out. For context, MetaMask had previously said it hoped to have the issue resolved by last November.

“We’ll be enabling privacy mode by default soon(er), the criticism that we’ve been slow on that is valid and we take it seriously,” he added, before commenting that backwards compatibility would also be an option for users who want to enable message broadcasts, for whatever reason.

So, if you have MetaMask installed, it’s best you double check if privacy mode is switched on. Follow these steps:

  • Click on the MetaMask fox head in the top-right corner of your browser.
  • Then, the little cartoon globe in the top-right corner of the window that pops up.
  • Hit “Settings.”
  • Scroll down until you see “Privacy Mode.” Make sure this is enabled (the slider is toggled to the right.)

You can now browse the internet without revealing your Ethereum stash to every site you visit. Thank me later.

Did you know? Hard Fork has its own stage at TNW2019, our tech conference in Amsterdam. Check it out.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with