Apple users are being warned by cryptocurrency wallet MetaMask about some security vulnerabilities associated with iCloud backup.A report from CoinTelegraph states that the warning is for all iPhone, iPad and Mac users against potential phishing attacks. This includes some default device settings that store MetaMask users’ seed phrases on iCloud whenever an app enables automatic backups for data. The seed phrase is also known as the “password-encrypted MetaMask Vault”.
Crypto wallet MetaMask is warning its community of users about possible phishing attacks through Apple’s iCloud service. In a tweet on April 17, the company warned its users that the encrypted passwords for their accounts, called MetaMask vaults, will be uploaded to Apple’s cloud service if the iCloud backup option is enabled on the app. As a result, a phishing account that compromises a user’s iCloud account will also compromise their passwords and hence their crypto wallets.
“If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds,” the tweet read, followed by two others that showed users how to disable iCloud backups on their MetaMask wallets.
MetaMask’s warning isn’t a random post from a company looking to brand itself as a security-conscious firm. The Twitter thread was posted after a user, who goes by Domenic Iacovone on Twitter, posted that his entire MetaMask wallet had been “totally wiped out”.
On April 15, the user tweeted that his MetaMask wallet contained non-fungible tokens (NFTs) MAYC 28478, MAYC 8952, and MAYC 7536 from the Mutant Ape Yacht Club (MAYC) 10K project. It also had 100K in Ape coin and other NFTs, the user said.
“This is how it happened. Got a phone call from Apple, literally from Apple (on my caller Id) Called it back because I suspected fraud and it was an Apple number. So I believed them. They asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wiped,” the user wrote in his thread.
According to “Serpent”, the founder of a project called DAPE NFT, the contents of the user’s wallet were worth $650,000. He explained the hack in a separate Twitter thread, saying, “MetaMask actually saves your seed phrase file on your iCloud. The scammers requested a password reset for the victim’s Apple ID. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim’s MetaMask.”
Users under threat
MetaMask’s warning isn’t to be taken lightly either. The company runs one of the largest crypto wallets in the world in terms of the user base. While MetaMask has competitors, like Ronin, the company had announced in March that it surpassed the 30 million user mark worldwide.
In fact, its chief competitor Ronin was also part of a crypto hack recently. The wallet attached to the popular NFT game Axie Infinity suffered a $625 million hack last month. That hack, however, was much more complex than the MetaMask phishing scam explained above.
According to him, the MetaMask Vault stored in Apple users’ iCloud credentials can lead to “stolen money,” which is why he taught people how to disable their iCloud backups to avoid phishing attacks. If you are a MetaMask user, you need to:
- Go to Settings > Profile > iCloud > Manage Storage > Backup, then turn the toggle off.
- To make sure iCloud won’t “surprise” you with backups you didn’t allow, go to Settings > Apple ID/iCloud > iCloud Backup and turn it off.
Metamask has also warned that something bad has happened to their user as a result of a phishing attack. He mentioned a Twitter user called revive_dome who had his entire wallet containing $650k worth of crypto and NFTs wiped out.
How did the phishing attack happen?
The Metamask user, who posted that he is offering a 100k bounty to anyone who got (or helped get) his digital assets back, also tweeted how everything went down.
According to him, he got a call from Apple on his caller ID which seemed quite legitimate. Suspecting a scam, he called back the above Apple number and someone answered, asking for a code that was sent to his phone. It is believed that he told them the code, and that his entire metamask was wiped “2 seconds later”. It’s safe to assume that the answering caller seemed genuine enough to fool the user in spades.
This makes a phishing attack recursive, which is something that can go beyond just emails containing scam links. It is quite possible that the malicious code sent to his phone in the guise of OTP (One-Time Password) was the same which led to the theft of his assets. This is a hallmark of phishing to trick you into doing something you never intended.
In total, the user lost 132.86 ETH (over $400k at the time of the theft) from his wallet and 252,400 USDT for a total loss of $655,388.
Following the theft and the discovery of a security flaw, many MetaMask users have stressed the importance of using cold storage for all of your digital assets. In addition, he also preached that people be extra careful when storing what they put inside hot wallets.