According to MetaMask and Phantom, a new ‘Demonic’ vulnerability might disclose a crypto wallet’s secret recovery phrase, allowing attackers to steal NFTs and bitcoin contained within it. Seeds, also known as recovery phrases, are a collection of words that serve as a human-readable version of your wallet’s private key.
Anyone who has the recovery phrase for a wallet can import it onto their own devices, allowing them to take all of the cryptocurrency and NFTS it contains. The ‘Demonic’ vulnerability was identified by Halborn, a blockchain cybersecurity firm that discovered the hole in September 2021 and notified wallet vendors to fix it.
Browser feature leads to exploitation
The Demonic flaw is identified as CVE-2022-32969, and it is caused by the way web browsers preserve non-password input fields to disc as part of their usual “restore session” system. When using Google Chrome or Mozilla Firefox, data entered into text fields (other than password fields) will be cached so that the browser can restore the data in the event of a crash using the ‘Restore Session’ option.
Because browser wallet extensions like Metamask, Phantom, and Brave employ an input area that isn’t labelled as a password field, a user’s recovery phrase is saved on the disc in plain text format.
With access to the computer, an attacker or malware may grab the seed and use it to import the wallet onto their own devices. Physically seizing the computer, having remote access, or compromising it with a remote access trojan would be required for this attack, which is prevalent in highly-targeted and persistent attacks.
Even if a hard disc is stolen, the attacker will not be able to retrieve the recovery phrase unless they have the decryption key. According to Halborn, another requirement for exploitation is that the victim used the “Show Secret Recovery Phrase checkbox” to examine the phrase during import, which activates local disc storage.
This action may be rather typical, as many people use that feature to double-check that they’ve input the correct words, which is important because those phrases are long and it’s possible to type something incorrectly.
The recovery phrase will remain accessible to malicious actors once the seed is stored in the disc, according to Halborn, regardless of whether the system is rebooted or the wallet browser extension is deleted.
Fix the situation and make recommendations
With wallet extension version 10.11.3, Metamask addressed the issue, xDefi addressed ‘Demonic’ with version 13.3.8, and Phantom patched the catastrophic bug in April 2022.
While writing this, Brave has yet to issue a statement on Demonic and has failed to answer Bleeping Computer’s email. When we receive a statement, we will update this site.
If you suspect this problem has affected you, the best course of action is to move all of your assets to a new account.
Users with a lot of digital assets should always utilise disc encryption and avoid copy-pasting complete phrases into their browsers or even desktop apps, because the clipboard is another source of information leakage.
The most secure wallet is still a cold wallet, thus it’s still the best option for cryptocurrency and digital investment holders who can cope with the inconveniences.
On a separate webpage, Halborn has compiled a list of security guidelines for wallet developers. Users who wish to know how secure their wallets are should read the instructions.
