MetaMask and Phantom have warned their users about the Demonic vulnerability, which lets attackers obtain the secret recovery phrases that restore access to cryptocurrency wallets and, with them, steal the funds and NFTs stored in those wallets. Researchers at the blockchain security firm Halborn discovered the problem in September 2021 and reported it to the wallet developers.
Recovery phrases, or so-called seed phrases, are a human-readable set of words that serve as the key to a cryptocurrency wallet. Anyone who obtains the seed phrase can import the wallet onto their own device and use its contents.
The vulnerability, assigned the identifier CVE-2022-32969, stems from the way browsers save the contents of non-password input fields to disk as part of their standard session-restore mechanism.
Google Chrome and Mozilla Firefox cache the text a user types into non-password fields so that it can be restored after an emergency shutdown. Because browser extensions such as MetaMask, Phantom and Brave accept the seed phrase in fields that are not designated as password inputs, the phrase is written to disk in plaintext.
An attacker or malware with access to the computer can read the cached seed phrase and import the wallet on another device. The attack requires physical access to the computer or remote access (for example, via a RAT Trojan). If the hard drive is encrypted, however, an attacker who manages to copy its contents cannot extract the seed phrase without the encryption key.
As Halborn's researchers explained, the attack only succeeds if the victim has ticked the “Show the phrase for recovery” checkbox. This is hardly an obstacle, since many users enable that option to make sure they are entering the right words: the phrase is long, and a typo is easy to make.
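To make the weak pattern concrete, here is an added example in JavaScript (not the article's or any wallet's code): an audit helper that flags HTML inputs which appear to hold a seed phrase but are not password fields, the pattern the article describes as the cause of the on-disk cache. The sample markup is constructed for illustration, and the "reveal into a read-only element" design in the hardened form is this example's own suggestion, not a description of any vendor's actual fix.

```javascript
// Added example, not from the article or from any wallet extension's code base.
// Audits an HTML fragment for seed-phrase fields that browsers would persist via
// session restore: every non-password input/textarea whose name, id, placeholder
// or aria-label hints at a recovery phrase. Sample markup below is constructed.
const SEED_HINTS = /(seed|mnemonic|recovery|secret[\s_-]*phrase)/i;

// Parse the attributes of one <input ...> or <textarea ...> tag into an object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return the fields that would be written to disk in plaintext despite holding
// a seed phrase. Only <input type="password"> is excluded from session restore.
function findRestorableSeedFields(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const a = parseAttrs(m[0]);
    const label = [a.name, a.id, a.placeholder, a['aria-label']].filter(Boolean).join(' ');
    const type = tag === 'input' ? (a.type || 'text').toLowerCase() : 'textarea';
    if (SEED_HINTS.test(label) && type !== 'password') {
      findings.push({ tag, type, label });
    }
  }
  return findings;
}

// Constructed sample of the weak pattern: the phrase sits in a text input, which is
// exactly what happens once a "show phrase" toggle switches the field to type=text.
const WEAK_FORM = `
<form>
  <input type="text" id="seed-phrase" placeholder="Enter your secret recovery phrase">
  <input type="checkbox" id="show-phrase"> Show the phrase for recovery
</form>`;

// Constructed hardened pattern: the phrase only ever lives in a password input, and a
// "reveal" would render it into a read-only element that session restore ignores.
const HARDENED_FORM = `
<form>
  <input type="password" id="seed-phrase" autocomplete="off" placeholder="Enter your secret recovery phrase">
  <div id="seed-phrase-preview" aria-live="polite"></div>
</form>`;

console.log(findRestorableSeedFields(WEAK_FORM));     // one finding (type: 'text')
console.log(findRestorableSeedFields(HARDENED_FORM)); // []
```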
MetaMask fixed the issue in extension version 10.11.3, xDefi in version 13.3.8, and Phantom in April 2022. Brave has not yet released a statement on the vulnerability.