According to the firm, if an Apple user has enabled automatic iCloud backups of their MetaMask wallet data, their seed phrase is preserved online.
MetaMask, a ConsenSys-owned cryptocurrency wallet business, has issued a warning to the public concerning Apple iCloud phishing attacks.
The issue affects users of iPhone, Mac, and iPad devices since default device settings store a user’s seed phrase or “password-encrypted MetaMask vault” to iCloud if the user has enabled automatic backups of their app data.
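The behaviour described above is the default on Apple platforms: any file an app writes into its normal data container is included in iCloud and local backups unless the app opts it out. As an added example (not MetaMask's or Apple's code), the Swift snippet below shows the defender-side control a wallet developer has: marking the vault file with Foundation's `isExcludedFromBackup` resource value, then reading the attribute back to confirm it took. The file name, contents and helper names are constructed for illustration.

```swift
import Foundation

/// Marks a file so that iCloud and local device backups skip it.
/// Hypothetical helper; it relies on Foundation's URLResourceValues.isExcludedFromBackup,
/// the documented way to keep per-file app data out of backups.
func excludeFromBackup(fileURL: URL) throws {
    var url = fileURL                 // setResourceValues mutates the URL value
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    try url.setResourceValues(values)
}

/// Reads the attribute back so an audit or test can confirm the exclusion is in place.
func isExcludedFromBackup(fileURL: URL) throws -> Bool {
    let values = try fileURL.resourceValues(forKeys: [.isExcludedFromBackupKey])
    return values.isExcludedFromBackup ?? false
}

// Constructed demo: write a placeholder "vault" file into the temp directory,
// exclude it from backups, and verify. Path and contents are made up for this example.
let vaultURL = FileManager.default.temporaryDirectory
    .appendingPathComponent("example-vault.json")
try "{\"vault\":\"<placeholder-ciphertext>\"}"
    .write(to: vaultURL, atomically: true, encoding: .utf8)
try excludeFromBackup(fileURL: vaultURL)
print("excluded from backup:", try isExcludedFromBackup(fileURL: vaultURL))
```

This only closes the backup path; it does nothing about the Apple ID itself. A vault that never reaches iCloud cannot be pulled from a compromised account, but the account-takeover steps the article describes (a weak Apple password plus a phished verification code) still need a strong password and never sharing a one-time code with a caller.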
According to a Twitter thread started on April 18 by MetaMask, users risk losing their assets if their Apple password is “not strong enough” and an attacker is able to phish their account details.
Users may resolve the issue by stopping MetaMask’s automatic iCloud backups as follows:
The MetaMask warning was issued in response to accusations made on April 15 by an NFT collector identified on Twitter as “revive dom” that this specific security flaw had wiped their whole wallet, which included $650,000 in digital currencies and NFTs.
The author of the DAPE NFT project, “Serpent” – who also helped get MetaMask’s attention by sharing the story with their 277,000 followers – earlier today provided a recap of the victim’s ordeal in a separate thread.
According to them, the victim received multiple text messages asking him to reset his Apple ID password, as well as a false call from Apple with a forged caller ID.
“revive dom” read out a six-digit verification code to confirm ownership of the Apple account, despite apparently not knowing who the caller was. The fraudsters then hung up and, using data pulled from the iCloud account, gained access to his MetaMask wallet.
“revive dom” expressed his dissatisfaction with MetaMask after today’s warning, stating that:
“I’m not saying they shouldn’t do it but they should tell us. Don’t tell us to never store our seed phrase digitally and then do it behind our backs. If 90% of the people knew this I would bet none of them would have the app or iCloud on.”
While the majority of the community was supportive, several stressed the need for cold storage and for doing comprehensive due diligence before placing assets in a hot wallet.