News

MetaMask introduces “privacy mode”

On November 5, the MetaMask browser extension developers introduced “Privacy Mode” for MetaMask.

As we know, the extension makes it possible to interact with a whole world of websites built on the Ethereum blockchain. On any site you visit, MetaMask automatically injects a small JavaScript object that developers call an “Ethereum provider.” This allows websites to do things they otherwise couldn’t: propose Ethereum transactions, ask for your signature, query the blockchain, and so on. It’s how dapps get your account balance, and how exchanges ask for your tokens.

But when it comes to user privacy, this behavior is less than perfect. Dapp browsers like MetaMask show the Ethereum provider object to any site you visit, which means your Ethereum address is indiscriminately exposed. Since the blockchain is public, your account balance and entire transaction history are retrievable by anyone with your address. Malicious sites can use this data to fingerprint, phish, or track unsuspecting users.

According to the announcement, as of version 4.18, MetaMask users will see a new option in their settings. Enabling Privacy Mode means websites have to ask to see your Ethereum accounts.

By default, MetaMask will remember which sites you’ve allowed to access your addresses. A future version of this feature will let users un-check an option to “Keep me connected to this site,” requiring that site to request access each time you visit.
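The difference between the old behavior and Privacy Mode can be modeled as a per-origin gate in front of the account list. The sketch below is an added illustration, not MetaMask's code: the `AccountGate` class, its method names, the placeholder address and the example origins are all hypothetical.

```javascript
// Added illustration: a simplified model of per-origin account exposure.
// Class, method and parameter names are hypothetical, not MetaMask's code.
class AccountGate {
  constructor(accounts, { privacyMode = false } = {}) {
    this.accounts = accounts;
    this.privacyMode = privacyMode;
    this.approvedOrigins = new Set(); // sites the user chose to stay connected to
  }

  // What a page at `origin` can read without asking.
  visibleAccounts(origin) {
    if (!this.privacyMode) return [...this.accounts]; // old behavior: any site sees the address
    return this.approvedOrigins.has(origin) ? [...this.accounts] : [];
  }

  // A page asks for access. `userDecision` stands in for the approval prompt:
  // it receives the origin and returns { approve, keepConnected }.
  requestAccess(origin, userDecision) {
    if (!this.privacyMode || this.approvedOrigins.has(origin)) {
      return [...this.accounts];
    }
    const { approve, keepConnected = true } = userDecision(origin);
    if (!approve) return [];
    if (keepConnected) this.approvedOrigins.add(origin);
    return [...this.accounts];
  }
}

// Constructed sample data: a placeholder address and example origins.
const ADDRESS = '0x' + '11'.repeat(20);

function demo() {
  const legacy = new AccountGate([ADDRESS]);
  const gated = new AccountGate([ADDRESS], { privacyMode: true });
  const r = {
    legacyUnknownSite: legacy.visibleAccounts('https://tracker.example'),
    gatedUnknownSite: gated.visibleAccounts('https://tracker.example'),
    gatedDenied: gated.requestAccess('https://tracker.example', () => ({ approve: false })),
    gatedApproved: gated.requestAccess('https://dapp.example', () => ({ approve: true })),
    gatedRemembered: gated.visibleAccounts('https://dapp.example'),
  };
  // One-time approval: access is granted now but not remembered for the next visit.
  r.oneTime = gated.requestAccess('https://shop.example',
    () => ({ approve: true, keepConnected: false }));
  r.oneTimeNextVisit = gated.visibleAccounts('https://shop.example');
  return r;
}
console.log(demo());
```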

At first, Privacy Mode will be opt-in and turned “off” by default, so users must activate it before it takes effect.

The announcement adds that Privacy Mode will eventually be the default experience for all MetaMask users.

At the end of October, the MetaMask mobile app was announced at Devcon4, Ethereum’s annual developer conference.