MetaMask, along with other dApp browsers, has committed to stop injecting Web3 into users' browsers on November 2 because of a recently discovered privacy issue; dApps will instead have to use a new postMessage API, according to Paul Bouchon, writing on Medium.
MetaMask, an Ethereum wallet and dApp browser that lets users visit the distributed web, has until now automatically injected a Web3 instance into each web page together with an Ethereum provider, allowing the dApp to reach the blockchain, read the user's account address and propose transactions.
Privacy Gap Uncovered
The current generation of dApp browsers, however, contains a privacy exposure. Malicious sites can scan for the injected objects and identify Ethereum users, even when the extension is locked. This kind of attack is called "fingerprinting" and leaves users open to a series of follow-on attacks.
For example, malicious actors have already been able to run phishing and invasive advertising campaigns using the exposed data. Once the extension is unlocked, they can also read the victim's Ethereum address, from which they can derive private information such as transaction history, balance and more.
Updates Required
To protect privacy, dApp browsers including MetaMask, imToken, Status and Mist will require updates to existing dApps.
dApp browsers will no longer automatically inject a Web3 instance or Ethereum provider when a page loads. DApps will need to request a provider from the browser, which will ask the user to approve or deny access to the Ethereum blockchain. The provider is injected into the web page only if access is approved.
Users will begin to see "access" buttons on dApps; pressing one triggers a MetaMask pop-up asking the user to grant the site access to their account information. Approved sites are cached until the user clears the list.
The approval model is similar to asking for access to a user's microphone or camera, Bouchon noted.
Ethereum users will be able to deny blockchain access to websites they consider untrustworthy, so such sites can no longer track them without their knowledge. Users gain control over their privacy because the provider is injected into a page only after they have approved it.
Developers Must Request Approved Providers
Developers, for their part, will no longer be able to expect a Web3 instance or an Ethereum provider to already be in the window when a page loads. Instead, a dApp will post a message asking the browser for a provider. DApps must register to be notified when the user-approved provider is injected. A dApp can detect the injection through window.ethereum, but it must still request a provider.
For the Web3.js API, an Ethereum provider, not a Web3 instance, will be injected after the user's approval. dApps that need Web3.js will have to load the specific version they require rather than rely on a version the browser injects. A Web3 instance can still be injected by setting a Web3 flag when requesting a provider.
There is no guarantee about which Web3 version will be injected after such a request, which means the method is suggested only as a convenience for debugging and
The change was a difficult decision for MetaMask, Bouchon noted, but necessary to stop users from being subjected to privacy violations.
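The request-and-notify flow described above, as an added simulation that is not MetaMask's code: a constructed stand-in for the browser window carries a postMessage-style channel, the message type names and the placeholder address are assumptions, and the extension side sets window.ethereum only after the user approves, so a page that never asks sees nothing to fingerprint.

```javascript
// Constructed simulation of the opt-in provider flow (added example, not MetaMask code).
// Message type names and the placeholder address are assumptions; dispatch is synchronous
// here for simplicity, whereas real postMessage delivery is asynchronous.

function makeWindow() {
  const listeners = [];
  return {
    ethereum: undefined, // nothing is injected at page load under the new model
    addEventListener(type, fn) { if (type === "message") listeners.push(fn); },
    postMessage(data) { for (const fn of [...listeners]) fn({ data }); },
  };
}

// Extension side: idle until a request arrives, then gated on the user's decision.
function installExtension(win, askUser) {
  win.addEventListener("message", ({ data }) => {
    if (!data || data.type !== "ETHEREUM_PROVIDER_REQUEST") return;
    if (askUser()) {
      // Only now does the page gain an object from which an address can be read.
      win.ethereum = { selectedAddress: "0x0000000000000000000000000000000000000000" }; // placeholder
      win.postMessage({ type: "ETHEREUM_PROVIDER_SUCCESS" });
    } else {
      win.postMessage({ type: "ETHEREUM_PROVIDER_DENIED" });
    }
  });
}

// dApp side: register for the notification first, then publish the request.
function requestProvider(win, onResult) {
  win.addEventListener("message", ({ data }) => {
    if (!data) return;
    if (data.type === "ETHEREUM_PROVIDER_SUCCESS") onResult(win.ethereum);
    else if (data.type === "ETHEREUM_PROVIDER_DENIED") onResult(null);
  });
  win.postMessage({ type: "ETHEREUM_PROVIDER_REQUEST" });
}

// What any page can observe without asking; under the old model this was the fingerprint.
function providerVisible(win) {
  return typeof win.ethereum !== "undefined";
}

// Run one end-to-end flow and report what the page could see before and after.
function simulate(approve) {
  const win = makeWindow();
  installExtension(win, () => approve);
  const before = providerVisible(win);
  let result;
  requestProvider(win, (p) => { result = p; });
  return { before, after: providerVisible(win), address: result ? result.selectedAddress : null };
}
```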
MetaMask believes it can protect privacy and security by providing a system that puts the web user first.
Featured image from Shutterstock.