MetaMask, among other dApp browsers, has committed to cease injecting Web3 into user browsers on Nov. 2, on account of a recently-uncovered privacy issue, meaning it will require a new postMessage API, according to Paul Bouchon, writing in Medium.
MetaMask, an Ethereum wallet and dApp browser that allows users to visit the distributed web, has automatically injected a web instance for the web page along with an Ethereum provider, enabling the dApp to reach the blockchain, access user account addresses, and propose transactions.
Privacy Gap Uncovered
The existing generation of dApp browsers, however, contains a privacy exposure. Malicious sites can scan the injected objects and track Ethereum users, even when the extension is locked. Such an attack is referred to as “fingerprinting” and make users vulnerable to a variety of attacks.
For example, malicious players have already been able to launch phishing campaigns and invasive advertising using the exposed data. Once the extension unlocks, the nefarious players can also see the victim’s Ethereum address, from which they can gain access to private information, such as transaction history, balance, and other information.
Updates To Be Required
To protect the privacy, dApp browsers including MetaMask, imToken, Status, and Mist will require updates to existing dApps.
The dApp browsers will no longer automatically inject a web instance or Ethereum provider when the page loads. The dApps will have to request a provider from the browser that will then ask the user to approve or disapprove access to the Ethereum blockchain. The provider will be injected into the web page if access is approved.
Users will start to see more “login” buttons on dApps, one of which will cause a MetaMask pop-up requesting the user to grant site access to their account information. The sites that are approved will be cached until the user’s list is cleared.
The approval pattern is similar to asking for access to a user’s microphone or camera, Bouchon noted.
Ethereum users will be able to deny blockchain access for those websites they consider untrustworthy. This way, unwanted websites will not be able to target them without their knowledge. Instead, users will have control over their privacy by injecting the provider into a web page after granting approval.
Also read: Google removes MetaMask from Chrome extension store
Developers To Need Approved Providers
Developers, for their part, will no longer be able to expect a Web3 instance or Ethereum provider to already be on the window when a page loads. Instead, dApps will post a message asking for a provider from the browser by posting a message. The dApps will have to register to be notified when the user approved provider is injected. The provider will know if injection occurs via window.ethereum, and will simultaneously have to ask for a provider.
For the Web3.js API, an Ethereum provider will be injected following user approval, not a web instance. The dApps that need Web3.js will have to load the particular version they need rather than a version the browser injects. A Web3 instance can still be injected by using a Web3 flag when asking for a provider.
There is no guarantee about the Web3 version that will be injected after the request is made, meaning the method is only suggested for convenience in debugging and developing.
The change has been a tough decision for MetaMask, Bouchon noted, but it is necessary to prevent users from being subjected to violations of privacy.
MetaMask believes it can protect privacy and security in providing a user-centric web.
Featured Image from Shutterstock