
MetaMask Broadcasts Users' Ethereum Addresses to Visited Websites

25 March 2019 07:13, UTC

28-12-2018 09:52:25  |   News
Popular Ethereum wallet MetaMask has been broadcasting users’ Ethereum wallet addresses to the websites they visit. As reported by GitHub users, this allowed third parties to see ETH addresses and potentially link them to users’ browsing activity.

Thus, any advertisement or tracker on a visited website can detect a MetaMask user’s Ethereum address and potentially link it to the user’s browsing activity, compromising anonymity. MetaMask has a built-in “privacy mode” that could stop this from happening, but it needs to be manually activated by the user. If it isn’t enabled, MetaMask sends websites what are known as “message broadcasts.”

The user who created the GitHub issue wrote:


“It sacrifices the privacy of everyone in the system because sites like Amazon, Google, PayPal, and others can link your blockchain transactions to credit card payments, thereby your identity, and the identity of the last person you transacted with – a person who wants to remain anonymous.”

Lead developer Dan FINLAY said that enabling privacy mode by default could damage dApps that rely on Ethereum address requests made without it. He explained that the team hasn’t enabled it by default because it would break previous dApp behavior.
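The compatibility concern above can be handled on the dApp side by asking for the address instead of assuming it is already exposed. The sketch below is an added example, not code from the article or from MetaMask; `getAccounts`, `win` and the stand-in objects are hypothetical, while `ethereum.enable()` (EIP-1102) and `web3.eth.accounts` (legacy web3) are provider interfaces the article itself does not name.

```javascript
// Added example: account access that keeps working when the wallet only
// releases an address after user approval. `win` is the page's window
// object, passed in so the logic can be exercised with stand-ins.
async function getAccounts(win) {
  // Consent path (EIP-1102): ask the provider; with privacy mode on,
  // the user sees a prompt before any address is released to the page.
  if (win.ethereum && typeof win.ethereum.enable === 'function') {
    try {
      const accounts = await win.ethereum.enable();
      return { source: 'user-approved', accounts };
    } catch (err) {
      // Request rejected: report "no account" and do not look for an
      // address elsewhere against the user's decision.
      return { source: 'denied', accounts: [] };
    }
  }
  // Legacy path: older injected providers expose the address to the page
  // without a prompt, which is the behaviour the article describes.
  const legacy = win.web3 && win.web3.eth && win.web3.eth.accounts;
  if (Array.isArray(legacy)) {
    return { source: 'injected', accounts: legacy.slice() };
  }
  return { source: 'no-wallet', accounts: [] };
}

// Constructed stand-ins for the situations a dApp can meet.
const ADDR = '0x' + '11'.repeat(20); // constructed placeholder address
const approved = { ethereum: { enable: async () => [ADDR] } };
const rejected = {
  ethereum: { enable: async () => { throw new Error('User denied'); } },
  web3: { eth: { accounts: [ADDR] } }, // must be ignored after a denial
};
const legacyOnly = { web3: { eth: { accounts: [ADDR] } } };
const noWallet = {};

async function demo() {
  const sources = [];
  for (const w of [approved, rejected, legacyOnly, noWallet]) {
    sources.push((await getAccounts(w)).source);
  }
  return sources;
}

demo().then((s) => console.log(s.join(', ')));
```

A dApp written this way treats the address as something the user grants per site, so it does not break when privacy mode is switched on.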
