Data harvesting found in MetaMask, Avalanche web extensions
A researcher who found evidence of data harvesting inside Ledger Live has revealed equally disturbing harvesters inside MetaMask and Avalanche browser extensions.
MetaMask, the world’s most popular crypto wallet, uses a single pixel (‘1X1’) iFrame to embed trackers into its browser extension. The Ethereum- and ConsenSys-backed extension contains a data harvesting ‘analytics_iFrame’ within its code.
For context, the iFrame is an old trick by web marketers. Publishers would secretly serve ad code inside an iFrame displayed as a single, invisibly small pixel, collecting untold profits through invisible ad impressions. Due to years of iFrame abuse, many web browsers and advertising platforms ban iFrames altogether.
However, MetaMask still uses an invisible iFrame — perhaps hoping that no one would have thought to look through its outdated bits of CSS code. The iFrame within the browser extension circumvents traditional web safety services because the user voluntarily installs the extension and approves its permissions.
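The invisible-frame pattern described above can be checked for in any unpacked extension's HTML. The following is an added audit script, not code from MetaMask, Avalanche or the researcher; the sample markup and hostnames are constructed for illustration. It flags iframes and images that are 1x1 or hidden via CSS and that load a remote URL.

```python
"""Audit extension HTML for invisible tracking frames/pixels (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)
TINY = {"0", "1", "0px", "1px"}


def _dim(attrs, name):
    """Width/height from the attribute or inline style, as a lowercase string."""
    value = attrs.get(name)
    if value is None:
        style = attrs.get("style") or ""
        m = re.search(rf"(?<![-\w]){name}\s*:\s*([\d.]+)(px)?", style, re.I)
        value = m.group(1) if m else None
    return value.strip().lower() if value else None


class PixelFinder(HTMLParser):
    """Collects <iframe>/<img> elements that are tiny or hidden and remote-loaded."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "img"):
            return
        a = dict(attrs)
        tiny = _dim(a, "width") in TINY and _dim(a, "height") in TINY
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        host = urlparse(a.get("src") or "").hostname  # None for relative/local src
        if host and (tiny or hidden):
            self.findings.append({"tag": tag, "host": host, "id": a.get("id"),
                                  "reason": "1x1" if tiny else "hidden"})


def find_tracking_pixels(html):
    parser = PixelFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample page; the element id mirrors the name quoted in the article.
SAMPLE = """<html><body>
<iframe id="analytics_iFrame" src="https://tracker.example/collect" width="1" height="1"></iframe>
<img src="https://cdn.example/pixel.gif" style="width:1px;height:1px">
<iframe src="https://vendor.example/embed" style="display:none"></iframe>
<iframe src="https://vendor.example/widget" width="300" height="200"></iframe>
<img src="logo.png" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE):
        print(f)
```

A local 1x1 image is deliberately not flagged, since the concern is data leaving the extension to a remote host.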
Naturally, MetaMask requires new users to agree to its terms of use. It vaguely disclaims responsibility for third-party content and services — without specifically naming iFrame trackers, of course.
By the way, just noticed Metamask uses a 1×1 pixel iframe for analytics LOL
This is a web trick from the old days! Using 1×1 invisible GIFs to track page loads, later iframes. pic.twitter.com/lBMD7GKbny
— REKTBuildr 🔺🔺🔺 (@rektbuildr) December 10, 2023
“You access, rely upon, or use any third-party content or third-party service at your own risk. Consensys disclaims all responsibility and liability for any losses on account of your reliance upon or use of such content or services.”
MetaMask’s terms do not clarify whether these third-party offerings include data harvesting or code hidden within iFrames.
Another data harvesting operation: Avalanche
The same researcher who exposed data harvesting inside MetaMask and Ledger Live also revealed concerning web extensions in another crypto wallet: Avalanche.
Avalanche added analytics code to its Core App Chrome extension. Avalanche used to make all its code open source. However, at some point, it changed its licenses. The analytics portion of Avalanche’s extension is not open source.
The harvested data includes transaction data, mouse clicks, and other actions users take while using Avalanche’s wallet browser extension and its token, AVAX.
Naturally, researcher REKTbuildr questioned why these web extensions, which also serve as crypto wallets for millions of people, need to use analytics trackers at all.
As with REKTbuildr’s critique of Ledger Live, the researcher expects that Avalanche allows transmission of anonymized audience data to internal UI/UX teams or third-party advertisers.