What is MetaMask?
MetaMask is a cryptocurrency wallet that lets you store Ether and ERC-20 tokens. Users can access this wallet through a mobile app or a browser extension. Users can also use the wallet to interact with dApps – or decentralized applications.
MetaMask is installed as a browser extension and used as an Ethereum wallet. Users can make transactions with any Ethereum address, giving them access to the world of Web3, decentralized finance apps (dApps), and NFTs. For detailed information on Web3, head to our article where we have Web3 and Web2 explained.
Users can connect MetaMask to Ethereum-based dApps to spend coins in games and trade them on decentralized exchanges like Uniswap. With its simple interface and easy setup, MetaMask has amassed 21 million monthly active users, making it a favorite amongst cryptocurrency beginners. But is MetaMask safe?
How safe is MetaMask?
Before deciding whether to use MetaMask or not, you should be aware of some of the safety concerns around the platform.
IP Leaks: the 2022 MetaMask security flaw
Earlier this year, a security analyst and cryptographer found a critical privacy vulnerability concerning user IP leaks. By sending an NFT to users of a mobile MetaMask wallet, a malicious actor can obtain a user’s IP address. This is possible because MetaMask fetches the NFT’s data from a centralized server, and that request exposes the user’s IP address.
Should we be worried about IP leaks?
Yes. IP leaks are dangerous, and the risks are often underestimated. Malicious actors can derive information from your IP address, such as your geolocation and frequently visited places. This information can easily be used to assist in physical attacks like kidnapping, stalking, and identity theft. Users are also at risk of having their crypto assets stolen.
Note: To our knowledge, MetaMask hasn’t declared a solution to this problem yet.
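To make the leak concrete, the added example below (not MetaMask code and not from the original article) lists the servers a wallet would connect to if it loaded an NFT's media automatically. The metadata object, the field names `image` and `animation_url`, and the gateway host are constructed assumptions.

```javascript
// Added example: every remote URL in an NFT's metadata is a server that
// learns the device's IP address when the wallet loads the media.
// Field names and the gateway host are assumptions for illustration.
const MEDIA_FIELDS = ["image", "animation_url"];
const ASSUMED_IPFS_GATEWAY = "ipfs-gateway.example"; // placeholder host

// Constructed sample metadata, not taken from any real token.
const SAMPLE_METADATA = {
  name: "Constructed token",
  image: "https://media.collector.example/1.png",
  animation_url: "ipfs://bafyconstructedcid/clip.mp4",
};

function remoteHostsContacted(metadata) {
  const hosts = new Set();
  for (const field of MEDIA_FIELDS) {
    const value = metadata[field];
    if (typeof value !== "string") continue;
    let url;
    try {
      url = new URL(value);
    } catch {
      continue; // not an absolute URL, so nothing is fetched
    }
    if (url.protocol === "http:" || url.protocol === "https:") {
      hosts.add(url.hostname); // direct request: this server sees the IP
    } else if (url.protocol === "ipfs:") {
      hosts.add(ASSUMED_IPFS_GATEWAY); // fetched via a gateway, which sees the IP
    }
    // data: URIs are embedded in the metadata and cause no network request
  }
  return [...hosts].sort();
}

console.log(remoteHostsContacted(SAMPLE_METADATA));
```

A wallet that shows this list and waits for confirmation before loading media, or routes the request through a proxy, keeps the IP address away from whoever minted the token.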
Other MetaMask concerns
MetaMask comes with some other security concerns too, which any potential user should be aware of.
MetaMask is a hot wallet
MetaMask is a crypto wallet that is connected to the internet. This makes it more vulnerable than offline wallets to hacking, theft, and phishing attacks. For instance, if you were to fall for a phishing email that infected your device with a keylogger or virus, then you could have your credentials and assets stolen.
MetaMask is a browser wallet
Browser plugins or extensions operate through your browser and are constantly connected to the internet. Because MetaMask runs as an online wallet inside your browser, the browser will collect information about how and when you use it. This can be a potential privacy concern for cryptocurrency users.
MetaMask also holds private keys in your browser. While this makes the app easier to use, it presents serious risks if your browser is hacked.
Note: MetaMask uses open source code, and your wallet data can only be decrypted with your MetaMask password and secret phrase. It is important to consider that malicious actors can brute-force most passwords to reveal them.
4 ways to use MetaMask safely
The security of MetaMask depends on how secure the device you keep the wallet on is, how safe your secret phrase is, and your ability to spot a phishing email. Here are some safety tips:
1: Don’t store your passwords in your browser
Don’t store your passwords in your browser or on your device. If your browser or device gets hacked via malware, it could expose your stored passwords. Your MetaMask assets are also at risk if your device is stolen.
What to do instead: Store your passwords and passphrases in a secure password manager. NordPass will store them in a decentralized encrypted vault that only you can access. It uses the state-of-the-art XChaCha20 encryption algorithm and includes a data breach scanner.
2: Use a hardware wallet with MetaMask
Store your coins in a hardware wallet and sync them with MetaMask. A hardware wallet is less risky than a digital wallet because your private keys and coins are stored offline.
Which hardware wallet to use: Good options include the Ledger Nano X, Trezor Model One, and SafePal S1. Most hardware wallets support multiple types of cryptocurrencies and connect via Bluetooth.
3: Learn to spot a scam
Phishing attacks are probably the easiest way to ransack a cryptocurrency wallet. If you click on a link that downloads malware onto your device, your assets could get stolen. A phishing link could also direct you to a fake version of the MetaMask website to steal your wallet credentials.
What to do: Always download MetaMask from the official website. It’s also wise not to click on links within text messages or emails without checking the address. Here are some easy ways to spot a phishing email.
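"Checking the address" means reading the host the link actually leads to, not the text that looks familiar. The added example below (not from the original article) applies that check to a few constructed links; `metamask.io` as the official domain and the function name `checkLink` are assumptions of this example.

```javascript
// Added example: decide whether a link really points at the official site.
const OFFICIAL_HOSTS = ["metamask.io"]; // assumption: the official domain

function checkLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  if (url.username || url.password) {
    // In https://name@host/ the browser goes to "host", not "name"
    return { ok: false, reason: "text before @ hides the real host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing dot
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    // Non-ASCII lookalike letters are encoded as xn-- labels
    return { ok: false, reason: "internationalized lookalike domain" };
  }
  const official = OFFICIAL_HOSTS.some(
    (d) => host === d || host.endsWith("." + d)
  );
  if (!official) {
    return { ok: false, reason: `host is ${host}, not the official domain` };
  }
  return { ok: true, reason: "host matches the official domain" };
}

// Constructed sample links
for (const link of [
  "https://metamask.io/download/",
  "https://metamask.io.wallet-login.example/",
  "https://metamask.io@wallet-login.example/",
  "https://metamásk.io/",
]) {
  console.log(link, checkLink(link));
}
```

Only the first link passes: the second puts the familiar name in a subdomain of another site, the third hides the real host after an `@`, and the fourth swaps in a lookalike letter.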
4: Scan for malware
Malware can live in your files. It can override your system, steal your passwords and cause your device to malfunction. The scariest part is that malware often goes undetected.
What to do: Get malware protection. Considering that you might have accidentally downloaded malware from a phishing email, NordVPN Threat Protection is a great way to protect your MetaMask wallet. It scans files you’re downloading to stop malware in its tracks.