MetaMask, a popular Web3 wallet, has warned that automatic Apple iCloud backups may pose a risk of hackers stealing digital assets from its users’ wallets.
The wallet's developer has advised users to turn off such data backups.
In a Sunday Twitter thread, the team said that users' funds can be stolen if they have enabled backup of MetaMask data on their Apple mobile devices. This kind of breach may occur if someone gains unauthorised access to the sensitive data stored in iCloud – most notably through phishing attempts.
“If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds,” the MetaMask team wrote.
The warning came only days after a MetaMask user called Domenic Iacovone claimed to have lost multiple NFTs and assets worth an estimated $655,000 in total when their iCloud account was hacked.
What seems to have occurred is that a hacker gained access to Iacovone’s iCloud account and stole the wallet’s Keystore – a JSON-formatted file containing an encrypted version of the wallet’s private key required for transaction authorisation.
It’s worth noting that Apple’s mobile devices may upload app data automatically. During the backup process, files containing private keys used only on the device can be sent to Apple’s cloud servers, where malicious entities may get access through a phishing attack.
According to Serpent, the founder of a crypto-focused security startup called Sentinel, the hacker pretended to be an employee of “Apple Inc” and sent text messages to Iacovone requesting that he change his Apple ID password. The hacker used a forged caller ID to contact Iacovone on his phone number.
After getting the code, the hacker gained access to Iacovone’s private key file. This enabled access to his MetaMask wallet and the ability to withdraw the impacted assets.
Iacovone said that some of his non-fungible tokens (NFTs) were stolen during the event, including three from Mutant Ape Yacht Club (#28478, #8952, #7536) and three from the Gutter Cat Gang (#2280, #2769, #2325). Along with these NFTs, Iacovone alleged that the hacker stole $100,000 worth of APE tokens.
In this incident, neither MetaMask nor Apple seems to be to blame. The problem arose from Iacovone’s lax operational security combined with a built-in feature of Apple devices that users can disable. Nonetheless, the MetaMask team has recommended that users disable iCloud backups, detailing how to do so in a blog post.
Previously, several incidents targeted owners of high-value NFTs, either through email-based phishing or by circulating phishing URLs aimed at taking control of crypto wallets such as MetaMask. Last month, The Block reported that 35 NFTs, including Bored Apes, were stolen in phishing attempts spread via malicious links on the social media network Twitter.