Security researchers at Halborn have disclosed an instance where a Secret Recovery Phrase used by browser-extension wallets such as MetaMask could be extracted from the disk of a compromised computer under certain conditions.
The issue does not impact MetaMask Mobile users; it impacts a small segment of MetaMask Extension users as well as users of other browser/extension wallets. This behaviour violated the expectations users have of the password-lock feature and could therefore put some users at risk. Mitigations have since been implemented, so this should not be a problem for users of MetaMask Extension version 10.11.3 or later (the current release at the time of writing is 10.15.0).
If all three of the following conditions apply to you, you may be at risk and should read on for the next steps:
1) Your hard drive was not encrypted
2) You imported your Secret Recovery Phrase into a MetaMask extension on a device that is in the possession of someone you do not trust, or your computer is compromised
3) You used the "Show Secret Recovery Phrase" checkbox to view your Secret Recovery Phrase on-screen during that import process (see image below)
Update your browser and the MetaMask extension itself to the latest version.
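Condition 1 is the one most users cannot answer from memory. The script below is an added example, not part of the Halborn disclosure or of MetaMask's own tooling: it checks on a Linux host whether the block device holding the root filesystem sits on top of a dm-crypt (LUKS) layer, which is what "hard drive was encrypted" means in practice there. It assumes the util-linux `findmnt` and `lsblk` commands are available; the sample device-type chains used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or from MetaMask): test condition 1,
# "your hard drive was not encrypted", on Linux.
#
# `lsblk -s` prints the inverse dependency chain of a block device (the device,
# then each parent up to the physical disk). If any entry in that chain has
# TYPE "crypt", the root filesystem lives on a dm-crypt/LUKS volume.
# Assumes util-linux `findmnt` and `lsblk` are installed.

# Read one block-device TYPE per line on stdin (e.g. a constructed chain such as
# "crypt / part / disk"); succeed (0) if any entry is "crypt", fail (1) otherwise.
chain_has_crypt() {
    while IFS= read -r devtype; do
        [ "$devtype" = "crypt" ] && return 0
    done
    return 1
}

# Return 0 if / is on an encrypted device, 1 if it is not, 2 if undeterminable.
root_is_encrypted() {
    src=$(findmnt -no SOURCE / 2>/dev/null) || return 2
    # findmnt appends a subvolume/bind suffix like /dev/sda2[/@]; strip it.
    src=${src%%\[*}
    chain=$(lsblk -sno TYPE "$src" 2>/dev/null) || return 2
    printf '%s\n' "$chain" | chain_has_crypt
}

main() {
    root_is_encrypted
    case $? in
        0) echo "root filesystem is on an encrypted (dm-crypt) device" ;;
        1) echo "root filesystem is NOT encrypted: condition 1 applies" ;;
        *) echo "could not determine root device encryption (findmnt/lsblk unavailable?)" ;;
    esac
}

main
```

On macOS the equivalent check is `fdesetup status` (it prints "FileVault is On." when the system volume is encrypted); on Windows, `manage-bde -status C:` reports "Protection On" under Protection Status for a BitLocker-protected system drive. A negative result on any of these means a Secret Recovery Phrase that reached the disk was stored in the clear.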
This affects:
All desktop operating systems and browsers that were tested: Windows, macOS and Linux, with the Google Chrome, Chromium and Firefox browsers.
All versions of the MetaMask extension (prior to v10.11.3) on all browser versions.
This does not affect MetaMask Mobile.
The Secret Recovery Phrase does get cleared from disk eventually, but no guarantee can be made about when at this time.
This vulnerability is most likely to affect users who had a device compromised or stolen soon after importing their Secret Recovery Phrase into MetaMask.
If all of the above conditions apply to you, your Secret Recovery Phrase may be accessible to anyone with access to the computer on which you imported it, and you should consider migrating funds from those accounts to a new wallet to be safe.
Halborn has prepared a guide to migrate account funds here.
Any third-party migration tools are used at your own risk.