I’m seeing lots of people getting scammed and having assets stolen from metamask wallet.
People are stupid, don’t read the terms of use, so you, MetaMask, need to be more proactive. How?
Simple. Put a listener in the plugin that detects when the user is pasting or typing the secret phrase anywhere! If the user does that, you pop up a scandalous alert with noise, red flags and all that, with a huge drastic warning from the fox character, saying something like:
"Hey, it’s me, the MetaMask fox. I’m very angry at you right now!! Are you giving my phrase to anyone!? Are you an idiot!? Delete it right now; be aware that you were about to get scammed!!
Do you want to lose everything in your wallet!? No? So don’t put my phrase anywhere that is connected to the internet ever again! If you already sent it to the scammer, change your password and passphrase right now!!"
Bump. Seed word scamming is running rampant, this seems like a simple fix that could easily catch a significant number of disclosures.
This is especially important with all the copycat metamask “pop-ups” which are really just UI elements on a web page that appear at the top right and are extremely convincing.
I wonder if we even need to check if it’s THEIR SRP, or just anything that matches 12+ BIP39 words? Not sure if it makes it easier or not.
I particularly like @cadastro’s framing of an angry fox! Could make it really funny/jarring and I could see it getting a bit of play on social media.
There should be a toggle to disable functionality for advanced users.
We’ll need to be careful about what is possible here as far as firing events. I imagine users would copy/paste and, depending on what hooks are available, I’d be worried the page’s JavaScript could simply post the contents before the hook could shut it down (but I’m not super familiar with the event model and what is possible here).
Bowen and I are talking about this IRL right now and I kinda like it. I also think it would be possible to do, entirely client side, potentially opt-in only.
Basically:
intercept any paste command
check to see if it’s >48 characters and <~300 characters
check if it contains >6 (8?) of the words found on the list of 2048 words (as specified by github.com/bitcoin/bips/blob/master/bip-0039/english.txt)
If so, throw an alert to the user. If the user chooses to continue, they can, which will complete the initial paste command they attempted.
Bowen also brought up that it may be annoying for developers who are using explicit testing keys and copy and pasting them a lot so having a disable option is def a requirement.
Would also need to ensure it didn’t cause panic by users thinking that their phrase is being sent somewhere / metamask is monitoring all their things.
And, lastly, we would want to make sure that this feature is not causing the secret recovery phrase to be stored in memory any more than it otherwise would be.
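The paste heuristic sketched in the comment above, written out as an added example (this is not MetaMask code and not from anyone in the thread). It assumes a content script that registers a capture-phase `paste` listener on `window`, which fires before any page-level listener on the editable element, and then calls `stopImmediatePropagation()` so page JavaScript never receives the event; the wordlist here is a small constructed subset standing in for the full 2048-word BIP39 English list, which a real build would load whole into a `Set`. Names such as `looksLikeSeedPhrase` and `installPasteGuard` are hypothetical.

```javascript
// Added example, not MetaMask's own code. Constructed subset of the BIP39
// English wordlist (github.com/bitcoin/bips/blob/master/bip-0039/english.txt);
// a real implementation loads all 2048 words.
const BIP39_SAMPLE = new Set([
  'abandon', 'ability', 'able', 'about', 'above', 'absent', 'absorb', 'abstract',
  'legal', 'winner', 'thank', 'year', 'wave', 'sausage', 'worth', 'useful',
  'zoo', 'zebra', 'youth', 'yellow', 'wrong', 'wrist', 'write', 'wreck',
]);

// Thresholds from the comment: a length window and a minimum number of wordlist hits.
const MIN_LEN = 48;
const MAX_LEN = 300;
const MIN_HITS = 8;

// Tokenise on whitespace, lowercase, and count how many tokens are wordlist words.
function countWordlistHits(text, wordlist = BIP39_SAMPLE) {
  const tokens = text.toLowerCase().split(/\s+/).filter(Boolean);
  let hits = 0;
  for (const t of tokens) if (wordlist.has(t)) hits++;
  return { tokens: tokens.length, hits };
}

// True when the pasted text is in the length window and is mostly wordlist words.
// The ratio check is an assumption added here: it keeps ordinary prose that happens
// to contain eight common words ("about", "year", ...) from tripping the alert.
function looksLikeSeedPhrase(text, wordlist = BIP39_SAMPLE) {
  if (typeof text !== 'string') return false;
  if (text.length <= MIN_LEN || text.length >= MAX_LEN) return false;
  const { tokens, hits } = countWordlistHits(text, wordlist);
  return hits >= MIN_HITS && hits / tokens >= 0.75;
}

// Install the guard on a target (normally window). confirmFn(text) returns true
// if the user chooses to continue; the paste is then completed by hand because
// preventDefault() already cancelled the browser's own insertion.
function installPasteGuard(target, confirmFn) {
  const handler = (event) => {
    const text = event.clipboardData ? event.clipboardData.getData('text/plain') : '';
    if (!looksLikeSeedPhrase(text)) return; // normal paste: do nothing, touch nothing
    event.preventDefault();
    event.stopImmediatePropagation(); // page listeners never see this event
    if (confirmFn(text)) {
      const el = event.target;
      if (el && typeof el.value === 'string') {
        const start = el.selectionStart ?? el.value.length;
        const end = el.selectionEnd ?? el.value.length;
        el.value = el.value.slice(0, start) + text + el.value.slice(end);
      }
    }
  };
  // Capture phase on window runs before target-phase listeners on the input.
  target.addEventListener('paste', handler, true);
  return () => target.removeEventListener('paste', handler, true); // the "disable" toggle
}

// In a browser content script this would be wired up at document_start.
if (typeof window !== 'undefined' && typeof window.addEventListener === 'function') {
  installPasteGuard(window, () =>
    window.confirm('This looks like a Secret Recovery Phrase. Paste it anyway?'));
}
```

Two caveats for the concern about page JavaScript racing the hook: this only beats page listeners if the content script's capture listener is registered before the page's own capture listener on `window`, which is why it belongs at `document_start`; and it does nothing about `navigator.clipboard.readText()`, which the page can call independently of the `paste` event if the user has granted clipboard-read permission. The function also never retains the pasted text beyond the handler's scope, in line with the memory concern above.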
I think it should be opt-out, none of the users who need the feature would ever turn it on. I think it’s rare enough to need to paste a SRP, and that anyone who does need it is already very familiar with the metamask options page (reset nonce, etc).
I often paste SRPs, and I would turn the feature off, but would grin the first time I saw the angry fox.