On November 5, the MetaMask browser extension developers introduced “Privacy Mode” for MetaMask.
But when it comes to user privacy, the existing behavior is less than perfect: Dapp browsers like MetaMask expose the Ethereum provider object to any site you visit, which means your Ethereum address is indiscriminately exposed. Since the blockchain is public, your account balance and entire transaction history are retrievable by anyone with your address. Malicious sites can use this data to fingerprint, phish, or track unsuspecting users.
According to the announcement, as of version 4.18, MetaMask users will see a new option in their settings. Enabling Privacy Mode means websites have to ask to see your Ethereum accounts.
By default, MetaMask will remember which sites you’ve allowed to access your addresses. A future version of this feature will let users un-check an option to “Keep me connected to this site,” requiring that site to request access each time you visit.
At first, Privacy Mode will be opt-in (turned “off” by default), so users have to activate it in their settings before it takes effect.
The announcement adds that Privacy Mode will eventually be the default experience for all MetaMask users.
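The gating described above can be sketched as a small per-origin permission model. This is an added example, not MetaMask's code: the class, method and option names are hypothetical, the user prompt is modelled as a synchronous callback, and the address and origins are constructed placeholders.

```javascript
// Added illustration: simplified, synchronous model of per-origin account gating.
// All names are hypothetical; this is not MetaMask's implementation.
class AccountGate {
  constructor({ accounts, privacyMode = false, promptUser }) {
    this.accounts = accounts;
    this.privacyMode = privacyMode; // opt-in at first, so "off" is the default
    this.promptUser = promptUser;   // (origin) => { approved, keepConnected }
    this.remembered = new Set();    // origins approved with "Keep me connected"
    this.thisVisit = new Set();     // origins approved for the current visit only
  }
  isApproved(origin) {
    return this.remembered.has(origin) || this.thisVisit.has(origin);
  }
  // What any script on the page can read without asking.
  exposedAccounts(origin) {
    const open = !this.privacyMode || this.isApproved(origin);
    return open ? [...this.accounts] : [];
  }
  // Explicit request; prompts only if Privacy Mode is on and origin is unapproved.
  requestAccounts(origin) {
    if (this.privacyMode && !this.isApproved(origin)) {
      const { approved, keepConnected = true } = this.promptUser(origin);
      if (!approved) throw new Error(`access denied for ${origin}`);
      (keepConnected ? this.remembered : this.thisVisit).add(origin);
    }
    return [...this.accounts];
  }
  endVisit(origin) { this.thisVisit.delete(origin); }
}
// Constructed sample data: placeholder address and origins.
const ADDRESS = '0x0000000000000000000000000000000000000001';
function demo() {
  const prompts = [];
  const promptUser = (origin) => {
    prompts.push(origin);
    return { approved: origin === 'https://dapp.example', keepConnected: false };
  };
  const legacy = new AccountGate({ accounts: [ADDRESS], promptUser });
  const gated = new AccountGate({ accounts: [ADDRESS], privacyMode: true, promptUser });
  const out = { legacy: legacy.exposedAccounts('https://tracker.example') };
  out.beforeRequest = gated.exposedAccounts('https://dapp.example');
  out.afterRequest = gated.requestAccounts('https://dapp.example');
  gated.endVisit('https://dapp.example');
  out.nextVisit = gated.exposedAccounts('https://dapp.example');
  try { gated.requestAccounts('https://tracker.example'); } catch (e) { out.denied = e.message; }
  out.prompts = prompts;
  return out;
}
console.log(demo());
```

With Privacy Mode off, the unapproved tracker origin reads the address without any prompt; with it on, each origin sees an empty list until the user approves it, and an approval given with “Keep me connected” unchecked does not survive the visit.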
At the end of October, during Devcon4, Ethereum’s annual developer conference, the MetaMask mobile app was announced.