MetaMask, an Ethereum wallet that also doubles as a dApp browser giving users access to the distributed network, will stop injecting Web3 into its users’ browsers from the 2nd of November, alongside fellow dApp browsers. This comes in the wake of privacy concerns that have been uncovered.
A Gap in dApp Browsers Discovered
The currently available dApp browsers have been shown to carry a privacy risk, in the form of exposure to malicious sites. The gap makes it possible for malicious sites to scan objects within the browser and to trace Ethereum users even after the extension is closed. This vulnerability is usually referred to as fingerprinting and exposes users to any number of cyber-attacks.
A number of phishing campaigns and invasive advertisements were discovered on the dApp browsers, all of which were able to trace a user’s Ethereum address and uncover other private information about the user’s account, including the account balance, transaction history, etc.
dApps To Be Updated
To mitigate the privacy concerns, the dApps, i.e. MetaMask, Mist, imToken and Status, will be undergoing updates. With these updates, an Ethereum provider or web3 instance can no longer be injected while a webpage is loading without the permission of the user.
When a webpage loads, the dApp will ask the browser for a provider, and the user will be asked to grant or refuse access to the blockchain before an Ethereum provider is injected into the page. If access is granted, the provider will be included in the web page.
The updates will also include a login icon in the dApps, which will prompt the user every time the user accesses the dApp. This will, in turn, lead to a MetaMask pop-up asking whether the user would like to give the site permission to tap into their personal account information. A user will have the freedom to deny access to any sites they deem untrustworthy and will therefore avoid being targeted by those websites without their permission.
Approved Providers For Developers
With the updates, developers will also experience a change: a provider or a web3 instance will no longer be present every time a webpage loads. Instead, the dApp will send a message requesting that a provider be injected. The dApp will then register to be notified every time an approved provider is injected into the webpage.
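The request-and-notify flow described above, modelled as an added sketch that is not MetaMask's or any other wallet's own code. The message names, the `page` object and the sample address are constructed for illustration, and an `EventTarget` stands in for the page's message channel.

```javascript
// Constructed message names for this sketch (assumptions, not a wallet's real API).
const REQUEST = 'PROVIDER_REQUEST';
const APPROVED = 'PROVIDER_APPROVED';

// Browser side: nothing is injected at page load. A provider is attached
// only after the user approves the origin that asked for it.
function attachWallet(page, userApproves, account) {
  page.bus.addEventListener(REQUEST, () => {
    if (!userApproves(page.origin)) return;         // refused: page stays clean
    page.ethereum = { accounts: () => [account] };  // injected after consent
    page.bus.dispatchEvent(new Event(APPROVED));
  });
}

// dApp side: register for the notification first, then request a provider.
function startDapp(page) {
  const state = { providerAtLoad: 'ethereum' in page, accounts: null };
  page.bus.addEventListener(APPROVED, () => {
    state.accounts = page.ethereum.accounts();
  }, { once: true });
  page.bus.dispatchEvent(new Event(REQUEST));
  return state;
}

// Simulate one page visit and report what the page can see afterwards.
function visit(origin, userApproves) {
  const page = { origin, bus: new EventTarget() };
  attachWallet(page, userApproves, '0xSAMPLE_ADDRESS'); // constructed placeholder
  const state = startDapp(page);
  return { state, providerVisible: 'ethereum' in page };
}

// Constructed user policy: only one origin is trusted.
const trustOnly = (allowed) => (origin) => origin === allowed;
const granted = visit('https://dapp.example', trustOnly('https://dapp.example'));
const refused = visit('https://ads.example', trustOnly('https://dapp.example'));
console.log(granted, refused);
```

In both visits the page has no provider at load time; only the approved origin ends up with one, so a refused site has no wallet object to scan and no address to read.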
Web3.js will also require permission from the user in order to be included in the webpage. dApps that need it will have to load the specific version they require instead of a browser-injected version.
Though this change seems to have been tough for MetaMask, it has noted that the change was necessary to safeguard the privacy of its users and to keep them from being subjected to any violations. It has said it is possible to safeguard its users’ privacy by creating a user-centered web.