Potential Privacy issue: Magic Wallet able to identify/deduce metamask instances

Description:
So, I connected my wallet to **** which uses magic wallet auth in my regular Brave session. Then I go into a private session; my expectation is that no cookies or browser information are accessible (Brave prevents fingerprinting). I am using a VPN. Clicking the mm connect on this site in private browse mode prompts me for MetaMask wallet. I unlock the wallet, and they’re able to deduce my wallet information as soon as MM unlocks. I am not sure how they are doing this, because MetaMask does not even show them in “connected sites” at this point. So I am fairly sure the only method they could be using is that MetaMask is leaking some sort of “installation ID” to this site. The request is to look further into this and add a privacy option that blocks this type of wallet snooping.

Purpose:
I want to prevent that from happening, as these sites can also access things like Google authentication cookies and tie my real-world identity. My expectation is they do not have a unique identifier of my MetaMask instance which they can grab across private and non-private sessions.

Extension/Mobile/Both:
Only tested on Desktop Wallet

Images/Attachments:
image

Heya!

Check out this GitHub ticket from a few years ago with a similar question/issue. Let us know if you have more questions:

3 Likes

So, my concern is slightly different from this one. I am not running frame or other desktop connections. Chrome/Brave now DOES allow sharing of extension information… so this is not the main concern I have. The concern is, how does this macys parade + magic deduce my wallet information without any cookies/site data present, just as soon as I have unlocked MetaMask (before I connect)? And even after they deduce the wallet, MetaMask does not even show the site has connected, as seen in my screenshot.

When I create a separate browser profile – they are unable to deduce it.

Does MetaMask share some information with the site?
You can test this on the macysparadevote site + magic by following the steps I mentioned.

1 Like

Much ty for bringing this up, it's my concern too, currently digging in.

1 Like

Hi!

Here is a link to the ConsenSys privacy policy. This shares what is collected and shared (MetaMask is listed):

There is also a blog that was recently published for clarifications on latest updates:

3 Likes