EIP-1102 and ÐApps phishing attacks

According to securelist.com only in 2018 Q2 attackers got more than 2 million dollars thanks to different phishing attacks to some ICO sites.

One vector of attack was the very well-known wallet Metamask.io, fortunately, the attack was minimized very quickly by the Metamask development team blacklisting vulnerable sites.

The attackers were trying to get the seed mimicking a Metamask window asking for the user seed:

Phishing window used by attackers

Finally, in November 2018, Metamask team fixed the issue implementing the EIP-1102 proposal.

The attackers were able to identify Metamask users because Ethereum accounts were always exposed to the browser, so the proposal is basically to keep this user information private unless the user gives permission to expose this information to the browser.

Now the ÐApp standard behaviour is to ask first permission to the user to connect with Metamask, like:

ÐApps needs to ask permission to the user before accessing private accounts data

Stay safe, never share your seed or keys and give permission only to websites you trust.

In WPSmartContracts we have released the EIP-1102 version of the Ethereum Smart Contracts plugin.

Download here

WPSmartContracts (@wpsmartcontract) | Twitter