On November 2nd, MetaMask, along with other dApp browsers, will stop injecting Web3 into the pages users visit. The reason behind the move is an uncovered privacy issue, and it means dApps must adopt a new postMessage API, according to Paul Bouchon.
Until now, Ethereum wallets such as MetaMask and the dApp browsers that let users visit the distributed web have automatically placed a Web3 instance, together with an Ethereum provider, into every page so that dApps can reach the blockchain, read the user's account addresses and propose transactions.
Privacy breach exposed
The current dApp design has uncovered a privacy issue. Because these objects are injected into every page, malicious sites can scan for them and use them to identify and follow Ethereum users, even while the extension is locked. This type of attack is known as “fingerprinting,” and it puts users' funds at risk by exposing them to a variety of follow-on attacks.
Fraudsters have already launched a phishing campaign using data obtained this way. Once the user unlocks the extension, criminals can read the user's Ethereum address and from it look up private information such as balance and transaction history.
To protect users and keep criminals from exploiting this, dApp browsers including Status, Mist, MetaMask and imToken will require updates to existing dApps.
dApp browsers will stop injecting a Web3 instance or Ethereum provider automatically when the page loads. Instead, the dApp will request access from the browser, which will then ask the user to accept or refuse access to the Ethereum blockchain. If access is approved, the provider is injected into the web page.
This will result in more login buttons on dApps, some of which will trigger MetaMask pop-ups asking the account owner to permit the site access to their information. If the user approves, the approval is cached until the user clears the list.
Bouchon noted that the approval pattern is the same as the approach browsers use when asking for access to a user's camera or microphone.
Users will have the authority to accept or deny blockchain access for sites they consider suspicious. As a result, deceitful websites can no longer target users without their knowledge, and account owners keep control of their privacy because the provider is introduced into a web page only after they approve it.
Developers to request approved providers
dApps will request a provider from the browser by posting a message. Developers can no longer expect a Web3 instance or Ethereum provider to be present on the window when the page loads. To be notified when the user approves and the provider is injected, the dApp will have to register a listener on the window, through which the browser will then advise it that the injection took place.
On the Web3.js side, what gets attached after the user's approval is an Ethereum provider, not a Web3 instance. dApps should load the particular version of Web3.js they need rather than rely on whatever version the browser injects. When asking for a provider, a Web3 instance can still be injected by setting a web3 flag in the request.
There is, however, no assurance about which Web3 version will be injected after permission is granted. Bouchon said the decision has been difficult for MetaMask, but it is required to protect users from privacy violations.
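The opt-in handshake described in the two paragraphs above, as an added example that is not code from the article or from MetaMask: a Node simulation with both sides of the exchange, the wallet that injects only after the user approves and the dApp that registers a listener and posts the request. The fake window, the user-prompt callback and the placeholder address are constructed here, and the message type strings are an assumption based on the EIP-1102 draft rather than something the article states.

```javascript
// Minimal stand-in for window.addEventListener / window.postMessage (constructed).
function makeWindow() {
  const listeners = [];
  return {
    addEventListener(type, fn) {
      if (type === 'message') listeners.push(fn);
    },
    // Real postMessage delivers asynchronously; synchronous delivery keeps the
    // simulation easy to follow and to assert on.
    postMessage(data, targetOrigin) {
      listeners.slice().forEach((fn) => fn({ data, origin: targetOrigin }));
    },
  };
}

// Wallet/browser side. Nothing is attached on page load, so a page that merely
// inspects window.ethereum or window.web3 learns nothing about the user. Only a
// request that the user approves causes the provider (and, if the dApp asked for
// it with the web3 flag, a legacy Web3 object) to be injected.
// Message type strings are assumed from the EIP-1102 draft, not from the article.
function installWallet(win, askUser, makeProvider) {
  win.addEventListener('message', ({ data }) => {
    if (!data || data.type !== 'ETHEREUM_PROVIDER_REQUEST') return;
    if (!askUser()) {
      win.postMessage({ type: 'ETHEREUM_PROVIDER_FAILURE' }, '*');
      return;
    }
    win.ethereum = makeProvider();
    if (data.web3 === true) {
      // Hypothetical stand-in for a Web3 instance wrapping the provider.
      win.web3 = { currentProvider: win.ethereum };
    }
    win.postMessage({ type: 'ETHEREUM_PROVIDER_SUCCESS' }, '*');
  });
}

// dApp side. Register the listener before posting the request so the reply
// cannot be missed, then wait to be told whether injection happened.
function requestProvider(win, { web3 = false } = {}, onResult) {
  win.addEventListener('message', ({ data }) => {
    if (!data) return;
    if (data.type === 'ETHEREUM_PROVIDER_SUCCESS') onResult(win.ethereum);
    else if (data.type === 'ETHEREUM_PROVIDER_FAILURE') onResult(null);
  });
  win.postMessage({ type: 'ETHEREUM_PROVIDER_REQUEST', web3 }, '*');
}

// Drive one page load with a scripted user decision and report what a script on
// the page could observe before and after the request.
function runScenario(userApproves, options = {}) {
  const win = makeWindow();
  // Constructed placeholder address; a real provider exposes the user's account.
  const fakeProvider = () => ({ selectedAddress: '0x' + '0'.repeat(40) });
  installWallet(win, () => userApproves, fakeProvider);

  const before = typeof win.ethereum; // 'undefined' on every page load
  let provider;
  requestProvider(win, options, (p) => { provider = p; });
  return {
    visibleBeforeRequest: before !== 'undefined',
    providerInjected: provider !== null && provider !== undefined,
    web3Injected: typeof win.web3 !== 'undefined',
  };
}

console.log('approved:', runScenario(true));
console.log('approved, web3 flag:', runScenario(true, { web3: true }));
console.log('declined:', runScenario(false));
```

The point to take from the simulation is the first field of each result: whatever the user later decides, nothing is visible on the window before the request, which is what removes the fingerprinting surface; and a declined request leaves the page exactly as it was.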
MetaMask believes that by providing a user-centric web, it will protect users' privacy and security.