STAYING SECURE WHILE USING THE STARL TOKEN & METAMASK
a briefing by Osama
As we all know, security is the biggest division factor when it comes to not only accessing or using a service, but especially when it institutes a financial risk factor. It is important to underline the effective options that ANY individual can do in order to sustain a secure and viable option to feel safe online when using these services. Essentially the goal here is to have everybody feel invited to use these things without some sort of panic or figurative FUD that might come into play when utilizing them. Attackers are constantly manipulating the social norms at a very high level in this current day-in-age and I hope to cover some of the techniques used by them in order to help the community understand how to bar against these methods and stay safe and secure, especially when utilizing the STARL token.
IN BRIEF OF WHAT YOU READ BELOW, UNDERSTAND THAT THOUGH IT MAY BE COMPLICATED FOR MOST INDIVIDUALS TO UNDERSTAND THE PRACTICES HERE, YOU ARE SAFE AND SECURE AND METAMASK IS PROVING ITS WORTH TO THE STARL COMMUNITY!
POINT: METAMASK AUDITING REVIEW
When we look at the functionality of the MetaMask wallet, we ask ourselves when using this how secure we really are...Are attackers creating new methods/exploits in order to take what we have? Are we able to sustain confidence that we can leave our funds in these services without a chance of them being gone? We will dive into the audit of the MetaMask product to show examples of such things now!
Please note that all information placed in this article has already been reported & patched by the MetaMask team and these are just overviews of security concepts that are driven from the audit performed on July 29th, 2021.
Overall we can say that MetaMask has been structural for the most part of its development. It offers a simple understanding and it is clear and concise, the only downside is that there are some external dependencies that are used quite frequently and in lieu of that, it is not easy by any means in some instances to actually follow these code paths. This means that there is no available options to actually discover the full amount of packages that are created by the MetaMask team. Generally speaking it should not be taken to heart too much, as it’s not that severe. However it does mean that when it’s being audited, it will face many problems in terms of showing validity in areas that we cannot see because we cannot verify if they are from the direct vendor or not. This is nothing new in reference to security
We can see that the most direct audit issue we have found is that in the function of “safelyExecute” there is a direct call to a supplied function that handles exceptions of errors that occur. While this is it’s intended purpose of it, a user that can call this function and execute arbitrary code by modifying the safety measures in place that it uses to catch exceptions. This can be done by creating an alternative call for the "safelyExecute" function and then looping it around where it If you look at previous audit reports on MetaMask, it used to swallow exception errors but then the catch was used as an input marker in order to sustain this issue. The attempted fix for the issue was logging instead of completely swallowing however because of the ability to insert a "bunk function call" if you will, this was able to be reverted back to its original state.
We also see that the ChildDependencies via LavaMoat can still access a parent modules exports before harden is applied, that means that the function recursively transverses a module that applies Object.freeze and wraps functions so that another module cannot modify that object. The harden module being called after the module returns, and any child modules called before the module means that the child modules still have access to the parents exports before harden is called. Though MetaMask originally looked into this issue and planned to mitigate at a further date, it remained an issue to where they are still working on resolution. I have provided a fix I won’t disclose in this article for purposes of the MetaMask team to improve development options here.
In the metamask-controller.js we can also see that getAccounts the method only accepts an origin parameter, however because an attacker could manipulate the origin parameters and functions, they would be able to utilize things such as getSelectedAccount or getCurrentState. The ensured fix was that the MetaMask extension is able to call on things like getSelectedAccount in its own origin. Though applicability could be stipulated to be set in calls for strictly the MetMask application, it was unclear to developers if this would still be exploitable due to the fact that then the controller would have the ability to be in a state where other parts of the application might be modified in order to achieve malicious operation. I suggested that not only this would still be applicable, but also that issuing an entire new function to closeRequest could also call and parse specific functions and also log their behavior. This has also been taken in by the development team for patching.
As far as anything else regarding the MetaMask audit, I have seen no severities in terms of malware or exploitation, spoofing, or phishing attempts used that will affect the STARL community. The above audits have been cross referenced from previous reports along with personal auditing done by myself. I have reported all the fixes including for multiple bugs not reported within this article to the MetaMask team and have received correspondence that fixes for these things have been issued. WE GOT YOUR BACK!
POINT: COMMUNITY SAFETY
MetaMask is a proven option when it comes to being able to transact and utilize the STARL token. You may notice that even majority of the stakeholders in most tokens utilize the MetaMask project as a vault for their financial investments. Generally speaking most people will not fall under the category of victim to an attacker gaining access to their secured wallet and taking the funds from it, however in time things are changing. Human error represents the flaw in programming that, sadly, is unmatchable in every aspect.
The concept of human evolution is one of many discussions and topics, and through many stages of development in all aspects we can discern one huge class of vulnerability in this area, and that is the effect one person may bring unto another. Situationally speaking there will be attackers out there looking to offer you some sort of medium, they could include any of the following:
⚠️Promise to help you gain income
⚠️Offer or promote ways you could use services better (airdrops, etc)
⚠️Include missing benefits of additional third party extensions
⚠️Downloading or utilizing tools not directly listed on secure websites or promoted platforms
⚠️Illicit threats from information gathering to be used against a potential target to make them give in
DON'T FALL FOR THESE TRICKS GUYS & GALS!
Though situationally where these things could actually be genuine and not of an attackers nature, it is important to gauge the situation to the best of your ability and conserve There are many more methods that social engineering might into for specifics, however this would be the most daunting and common pursuit of attackers. It is important to follow the main rule....and that is DON'T BELIEVE EVERYTHING YOU HEAR JUST BECAUSE ITS SAID! (take that, fudders!)
Working with your community means helping identify ways you can help protect one another, STARL is a community project, and it is important to understand that you can do you part ensuring other holders are not falling into such matters! Some people really waste all the time in the world sitting on the internet looking to victimize somebody else for potential gain, and what you can do to counter that is lookout for some of these potential examples of what people are attempting to offer and report it to administration immediately! Gauge every situation when it comes to your well being, both in general and financially, with the upmost respect. Self respect is what will guide you to learn perseverance and will allow you to understand what you can do to help better yourself and your community. This is one of the main STARL mottos we try and pursue in hopes to do better then ever!
POINT: WHAT YOU CAN DO
Understanding that the MetaMask wallet is one of an essential service that individuals can use in order to utilize holding of the STARL token, is taken very, very seriously. You should never disclose information that might lead to your wallet being compromised. Some of these things that are included are the following:
⚠️Giving your secret phrase / private key out
⚠️Sharing your account QR sync codes with devices that you do not own
⚠️Using publicly accessible devices to manage your STARL holdings (library computers, etc)
⚠️Letting "friends/associates" help you trade buy using your wallet
⚠️Leaving devices around where others might be able to access your wallet potentially
Though it may seem like these things are such common sense, there is tons of individuals out there who are unaware of the potential problems that are around when doing these basic things! I have said it before and I will say it again, it is EXTREMELY important to not fall into these types of scams!
⚠️ Keep your seed phrase / private key / QR code private at all times to avoid compromising your wallet. Use a secure wallet. NEVER link your wallet to an unverified website
⚠️ The STARL team does not promote any type of external marketing with other coins or cross-reference. All ventures that are pursued are strictly in relation to the growth of the STARL community. Anybody offering additional collaboration with alternative tokens or currencies is not vouched by the STARL community or development team.
⚠️ In lieu of contact with us via the telegram group, always assume DMs from people claiming to be "Support" / "Customer Service" / "Admin" are scammers. Admin will never message you first (unless in special use cases). Check their username and cross reference this with the ones in the main telegram. If we are offering tech support - BE SUSPICIOUS.
⚠️ Always verify that the group you are in is an official one. be sure to update your Telegram settings to only allow DMs and group invitations from known contacts
These scams can look very convincing, make sure you double check everything before sending your money to anyone!
The STARL community will never ask for you to engage in any sharing of personal information or information that might lead you to give away ANYTHING in regards to your holding wallets!
STAY SAFE & SEE YOU ON THE MOON!