Apple users are being warned by cryptocurrency wallet MetaMask over some security vulnerabilities involving iCloud backups.
In a report by CoinTelegraph, the warning is said to be against potential phishing attacks for all iPhone, iPad, and Mac users. It involves certain default device settings which store MetaMask users' seed phrase onto iCloud, whenever anyone enables automatic backups for app data. The seed phrase is also called a "password-encrypted MetaMask vault."
In other words, if you turn on automatic iCloud backups of your MetaMask wallet data, your seed phrase is being stored online where it is vulnerable to hackers. These attackers can then steal your funds from under your nose.
MetaMask posted the warning to their Apple users on their Twitter account recently.
According to them, the MetaMask vault being stored in Apple users' iCloud credentials can lead to "stolen funds," which is why they taught people how to disable their iCloud backups to avoid phishing attacks. If you're a MetaMask user, here's what you need to do:
- Go to Settings > Profile > iCloud > Manage Storage > Backups, then turn off the toggle.
- To ensure that iCloud will not "surprise" you with backups you didn't allow, go to Settings > Apple ID/iCloud > iCloud Backup and turn it off.
MetaMask has also warned that something bad has already happened to a user of theirs as a result of a phishing attack. They mentioned a Twitter user called revive_dom who had their entire wallet containing $650k worth of crypto and NFTs wiped clean.
How Did The Phishing Attack Go?
The MetaMask user, who posted that he's giving a 100k reward to anyone who gets (or helps get) his digital assets back, also tweeted how everything went down.
According to him, he got a phone call from Apple on his caller ID which looked quite legitimate. Suspecting a scam, he called the aforementioned Apple number back and somebody answered, asking for a code that was sent to his phone. It is assumed that he told them the code, and his entire MetaMask was wiped "2 seconds later." It is safe to assume that the caller who answered sounded real enough, which fooled the user in spades.
This does reek of a phishing attack, which is something that can happen beyond just emails with scam links. It is very likely that the malicious code sent to his phone in the guise of something like an OTP (one-time password) was the one that led to his assets being stolen. That is one of the hallmarks of phishing: tricking you into doing something you never intended.
In total, the user lost 132.86 ETH from his wallet (over $400k at the time of the theft) and 252,400 USDT for a total loss of $655,388.
In the aftermath of the theft and the discovery of the security flaw, many MetaMask users have emphasized the importance of using cold storage for all your digital assets. Aside from that, they also urged people to be extra careful when storing what they own inside a hot wallet.
This article is owned by Tech Times
Written by RJ Pierce