MetaMask may not be as secure as many believe it to be
While Dan Finlay of MetaMask has since offered clarification, the core point stands: in its default configuration MetaMask is not as private, or as secure, as many of its users believe, because the extension talks to Infura's RPC endpoint (and so reveals wallet addresses alongside the user's IP address) before the user has any chance to pick a different provider.
Edward Snowden originally tweeted: "MetaMask is giving away your wallet and IP address to a privacy-hostile third party (Infura) before you even have a chance to opt out. In a just society, this would be a crime."
https://twitter.com/Snowden/status/1596221959893053440
Dan Finlay in turn responded...
Hi Mr. Snowden. Please understand Infura is part of the same company, and the terms update is just hyper-specific per GDPR because of how the cloud infra works. Doing our best to minimize data storage, but being transparent about how it works today.
@Snowden: Thanks for clarifying the subsidiaries, but the ownership flowchart isn't the core issue. What everyone wants to know is: Does Infura, Consensys, or anybody else getting data flows from Metamask now, or have they ever, retained users' wallet addresses?
@danfinlay: Yes, some accounts have been cached. We have been engaging in a data retention audit (as a result of our new data privacy officer, provoking this update), and we were looking at what we can reduce. We felt obligated to disclose this as specifically as possible per GDPR.
Our goal is to have as little data as possible. Our current guess is we have less than many wallets, but it's still there, which is why we disclosed it to make it clear to our users, including how they could try to better protect their privacy. Use a VPN. Use Tor.
https://twitter.com/danfinlay/status/1596245824140255232
This discourse was originally triggered by a concerning Twitter thread on MetaMask privacy and security by @mysticryuujin, reproduced below...
So MetaMask says "Just don't use Infura" - so let's see how easy MetaMask makes it to "not use Infura".
Part 1 - Installation:
The first two screens are straightforward here. They seem to provide a clear privacy policy, that's good.
Let me open the extension manifest... Oh boy, it's already sending "stuff" to Infura. I wasn't able to opt out of using Infura yet. But there are no accounts yet, so maybe it's not a big deal, it's just some blockNumber requests, some price feed?
It looks like they send an eth_call to 0xb1f8e55c7f64d203c1400b9d8555d050f94adf39 which is a "BalanceChecker" contract...
So let's set up a new account and see what happens.
Oh boy, the second I hit "create" they sent my new wallet address to Infura. I had absolutely no way to change providers before now.
Part 2 - Adding a new Ethereum Mainnet Provider and UI/UX:
I'm in my new wallet now and the first thing I'm greeted with is this nice pretty green dot that says "Ethereum Mainnet" it's nice. I like it. But it's Infura... let's try to change that.
Woo that's pretty, look at that Ethereum icon!
Hold up. Wait a minute. Why is there a LOCK on it? I'm already discouraged :( can I edit the New RPC URL? Nope. I cannot :(
Ok ok, so we click "Add a network"
Oh wow, this is a new screen, even for me. It's very nice! Actually good job here MetaMask.
But... I guess I have to Add a network manually? Let's try.
I got this far before I got an ugly red warning...
Now you and I both know it's just informational, but, holy shit, you would be amazed how many people I've seen stop at this part and open a support ticket because "The Chain ID is currently in use" 🤦♂️
Alright let's keep going, what's next?
Dear lord what is this? Ugly grey question mark. Which, you cannot change? No, you cannot.
Oh, nice the Networks page is updated too. Also an improvement from the last time I looked at this.
Alright, let's go to uniswap.org - switch networks to Polygon, and then switch back to Ethereum using their network switcher in the top right...
Well... fuck me...
https://threadreaderapp.com/thread/1596157385906999296.html
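The thread's central observation is that the RPC provider on the receiving end of these JSON-RPC calls learns the user's wallet address and IP address in the same request. The following is an added example, not code from MetaMask, Infura or @mysticryuujin: it audits a small, constructed log of outgoing JSON-RPC requests and reports which account addresses each one reveals to the host it is sent to. The BalanceChecker contract address is the one quoted in the thread, but the calldata layout, the "deadbeef" selector, the sample wallet address and the host field are constructed for illustration; the calldata scan is an ABI-free heuristic that flags any 32-byte word shaped like a left-padded address, which generalises beyond this one contract call.

```javascript
// Added example (not MetaMask's or Infura's code): inspect a batch of
// outgoing JSON-RPC requests and report which wallet addresses each one
// hands to the RPC provider that receives it.

// Contract address quoted in the thread above.
const BALANCE_CHECKER = "0xb1f8e55c7f64d203c1400b9d8555d050f94adf39";

// Constructed sample wallet address; not a real account.
const WALLET = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd";

// JSON-RPC methods whose first param is an account address.
const ACCOUNT_PARAM_METHODS = new Set([
  "eth_getBalance",
  "eth_getTransactionCount",
  "eth_getStorageAt",
]);

function isAddress(value) {
  return typeof value === "string" && /^0x[0-9a-fA-F]{40}$/.test(value);
}

// Walk ABI-encoded calldata in 32-byte words (after the 4-byte selector)
// and collect every word that looks like a left-padded 20-byte address.
// Heuristic: needs no ABI, skips the all-zero word.
function addressesInCalldata(data) {
  const hex = data.startsWith("0x") ? data.slice(2) : data;
  const body = hex.slice(8);
  const found = [];
  for (let i = 0; i + 64 <= body.length; i += 64) {
    const word = body.slice(i, i + 64);
    if (/^0{24}[0-9a-fA-F]{40}$/.test(word) && !/^0{64}$/.test(word)) {
      found.push("0x" + word.slice(24).toLowerCase());
    }
  }
  return found;
}

// Distinct addresses a single request reveals to the provider.
function accountsRevealed(req) {
  const out = new Set();
  const first = Array.isArray(req.params) ? req.params[0] : undefined;
  if (ACCOUNT_PARAM_METHODS.has(req.method) && isAddress(first)) {
    out.add(first.toLowerCase());
  }
  if (req.method === "eth_call" && first && typeof first === "object") {
    if (isAddress(first.from)) out.add(first.from.toLowerCase());
    if (typeof first.data === "string") {
      for (const a of addressesInCalldata(first.data)) out.add(a);
    }
  }
  return [...out];
}

// One report entry per request that leaks at least one account.
function auditRequests(requests) {
  const report = [];
  for (const req of requests) {
    const accounts = accountsRevealed(req);
    if (accounts.length === 0) continue;
    const first = Array.isArray(req.params) ? req.params[0] : undefined;
    const to = first && typeof first === "object" && isAddress(first.to) ? first.to : null;
    report.push({ id: req.id, host: req.host, method: req.method, to, accounts });
  }
  return report;
}

// Constructed request log. The host field, the "deadbeef" selector and the
// argument layout are illustrative, not the BalanceChecker's real ABI.
const SAMPLE_REQUESTS = [
  { host: "mainnet.infura.io", jsonrpc: "2.0", id: 1, method: "eth_blockNumber", params: [] },
  {
    host: "mainnet.infura.io", jsonrpc: "2.0", id: 2, method: "eth_call",
    params: [
      { to: BALANCE_CHECKER, data: "0xdeadbeef" + "0".repeat(24) + WALLET.slice(2) + "0".repeat(64) },
      "latest",
    ],
  },
  { host: "mainnet.infura.io", jsonrpc: "2.0", id: 3, method: "eth_getBalance", params: [WALLET, "latest"] },
];

console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS), null, 2));
```

Run under Node: the block-number request reports nothing, while the eth_call to the BalanceChecker and the eth_getBalance call both show the sample wallet being delivered to the Infura host. The same scan can be pointed at a real capture from the extension's network tab by replacing SAMPLE_REQUESTS with the logged request bodies.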
MetaMask vs TrustWallet vs BlockWallet
For those interested in possible MetaMask alternatives, also check out the following Twitter thread...