MetaMask Privacy Is Worse Than It Looks
The latest update to ConsenSys’ Infura API tool has caused quite a stir in the Ethereum community. As announced yesterday, Infura will immediately begin collecting and sharing MetaMask users’ IP and Ethereum addresses.
ConsenSys had announced this on November 23. However, the company downplayed the changes in its blog post.
It stated that the update was only for “clarification of the data collected by Infura when users use Infura as their default RPC provider in MetaMask.”
“The practical updates do not cause more disruptive data collection or data processing, and they have not been made based on changes in regulations or inquiries.
Our policy has always stated that certain information is automatically collected about how users use our sites, and that this information may include IP addresses,” ConsenSys said.
At the same time, ConsenSys emphasized that when users interact with Ethereum through Infura, for example by sending a transaction or requesting an account balance, the service provider receives both the user’s IP address and wallet address.
“This is not specific to Infura,” ConsenSys claimed, adding that it continues to “seek technical solutions to minimize this exposure, including anonymization techniques.”
However, when users run their own Ethereum node or use a third-party RPC provider with MetaMask, ConsenSys says that “Neither Infura nor MetaMask store your IP address or Ethereum wallet address.”
Is the privacy update even worse for Ethereum and MetaMask clients?
It should be noted that Infura is vital to the Ethereum blockchain. The tool is used by many other prominent Web3 projects, such as Polygon, Filecoin, Aragon, Gnosis, and OpenZeppelin.
Adam Cochran, Partner at Cinneamhain Ventures, commented that “the MetaMask stuff is worse than it first appeared.”
Not just collecting data when you send tx – when you unlock the wallet, it stores ALL your addresses on the same IP address.
This database creates a HUGE doxxing risk for the space. Time to give up the World Cup.
Cochran refers to a tweet from Micah Zoltu, who filed a bug report via GitHub. According to Zoltu, Infura captures more than ConsenSys admits. The tool collects the IP address as well as all accounts and all addresses as soon as the user opens an account.
“This also applies to other chains, as a user connecting to the testnet or L2 via MM also sends all their accounts to the RPC provider of that chain, not just the selected account,” Zoltu wrote on GitHub.
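To check this exposure against your own wallet's traffic, the added example below (not MetaMask, Infura or ConsenSys code) scans outgoing JSON-RPC request bodies, as captured by a local proxy, and reports which RPC hosts received two or more of your accounts. The hostnames, addresses and captured requests are constructed, and which methods a given wallet issues on unlock is an assumption.

```javascript
// Added example: audit of captured wallet traffic. All sample data is constructed.
// Standard Ethereum JSON-RPC methods whose parameters carry an account address.
const ADDRESS_PARAM = new Map([
  ["eth_getBalance", (p) => p[0]],
  ["eth_getTransactionCount", (p) => p[0]],
  ["eth_call", (p) => p[0] && p[0].from],
  ["eth_estimateGas", (p) => p[0] && p[0].from],
]);
const isAddress = (v) => typeof v === "string" && /^0x[0-9a-fA-F]{40}$/.test(v);

// Map of RPC host -> Set of lowercased account addresses it received.
function addressesSeenByProvider(captured) {
  const seen = new Map();
  for (const { url, body } of captured) {
    let parsed;
    try { parsed = JSON.parse(body); } catch { continue; } // not JSON-RPC
    const host = new URL(url).host;
    for (const call of Array.isArray(parsed) ? parsed : [parsed]) { // batch or single
      const pick = call && ADDRESS_PARAM.get(call.method);
      const addr = pick && Array.isArray(call.params) ? pick(call.params) : null;
      if (!isAddress(addr)) continue;
      if (!seen.has(host)) seen.set(host, new Set());
      seen.get(host).add(addr.toLowerCase());
    }
  }
  return seen;
}

// Hosts that received two or more of the wallet's own accounts and can
// therefore tie them together under the one client IP they came from.
function providersAbleToLink(captured, ownAccounts) {
  const own = new Set(ownAccounts.map((a) => a.toLowerCase()));
  const report = [];
  for (const [host, addrs] of addressesSeenByProvider(captured)) {
    const linked = [...addrs].filter((a) => own.has(a)).sort();
    if (linked.length >= 2) report.push({ host, linked });
  }
  return report;
}

// Constructed accounts, hosts and request bodies (hypothetical, for illustration).
const A = "0x" + "a1".repeat(20), B = "0x" + "b2".repeat(20), C = "0x" + "c3".repeat(20);
const call = (method, params) => ({ jsonrpc: "2.0", id: 1, method, params });
const SAMPLE = [
  { url: "https://rpc.provider-a.example/v3/KEY", body: JSON.stringify(call("eth_getBalance", [A, "latest"])) },
  { url: "https://rpc.provider-a.example/v3/KEY", body: JSON.stringify([call("eth_getBalance", [B, "latest"]), call("eth_getTransactionCount", [C, "latest"])]) },
  { url: "https://node.self-hosted.example:8545/", body: JSON.stringify(call("eth_call", [{ from: A, to: C, data: "0x" }, "latest"])) },
  { url: "https://rpc.provider-a.example/v3/KEY", body: JSON.stringify(call("eth_blockNumber", [])) },
];
console.log(JSON.stringify(providersAbleToLink(SAMPLE, [A, B, C]), null, 2));
```

In the constructed capture, only the hosted provider appears in the report, because the self-hosted node received a single account.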
Bitcoin analyst Dylan LeClair commented only “Probably nothing” and “Caution” on Twitter, noting that Infura made a controversial move against privacy back in September when it blocked access to Tornado Cash.
LeClair also noted that JPMorgan received a significant stake in lucrative ConsenSys intellectual property (IP), particularly MetaMask and Infura, as the lawsuit against ConsenSys came to light this year.
At the time, a group of ConsenSys shareholders demanded an investigation into the deal in which JPMorgan bought a significant stake in the Ethereum infrastructure products Infura and MetaMask. It turned out that JPMorgan got a 10% stake. The agreement was known as “Project North Star”.
At press time, Ethereum (ETH) was trading at $1,183 and bouncing off support at $1,171.