MetaMask, a browser extension that enables users to run Ethereum dApps, has been broadcasting individuals' ETH addresses to websites and dApps visited by the user, according to a recently submitted GitHub issue outlining the extension's default privacy settings. The apparent privacy concern allows third parties to see ETH addresses and potentially link a user's "blockchain transactions to credit card payments, thereby [their] identity, and the identity of the last person [they] transacted with."
In their GitHub post, the concerned user states that MetaMask's privacy mode is not enabled by default, meaning the browser extension sends out "message broadcasts" about every 40 seconds. These broadcasts contain the client's ETH address, which can then be relayed to any ads or trackers, such as Facebook and YouTube's like button, and Twitter's like and retweet buttons.
MetaMask unveiled its new privacy mode feature in November 2018. According to the announcement, MetaMask broadcasts users' ETH addresses in order to let providers "propose Ethereum transactions, ask for your signature, query the blockchain," and allow dApps to know your account balance. However, users can enable MetaMask's privacy mode so that websites and dApps have to ask permission to see a user's ETH address, which is supposed to help prevent malicious sites from collecting data to fingerprint, phish, or track unsuspecting users.
The GitHub poster says that enabling MetaMask's privacy mode feature "doesn't do very much at all" to prevent ETH addresses from being broadcast, and that the broadcasts themselves "serve no purpose." Commenters were quick to point out that enabling privacy mode does indeed cause the message broadcast to be read as "undefined." Further, MetaMask explained in its November 2018 announcement that privacy mode is not enabled by default because older dApps may not be compatible yet with the feature.
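As an added illustration, not MetaMask's code and not taken from the GitHub thread, the following model simulates the injected provider in the two modes described above: in the default mode the account is readable by any script on the page as soon as it loads, while in privacy mode it reads as `undefined` until the site asks and the user approves. The helper names and the sample address are constructed for the example; the real `enable()` call is asynchronous and is modelled synchronously here.

```javascript
// Constructed sample address, not a real account.
const SAMPLE_ADDRESS = '0x0000000000000000000000000000000000001234';

// Hypothetical model of the provider a wallet extension injects into a page.
// privacyMode=false: the address is exposed on load, as the default behaviour discussed above.
// privacyMode=true: the address stays hidden until the site requests it and the user approves.
function makeInjectedProvider({ privacyMode, address = SAMPLE_ADDRESS }) {
  let approved = !privacyMode;
  return {
    // What the page sees when it reads the current account.
    get selectedAddress() {
      return approved ? address : undefined;
    },
    // Models the permission prompt. `userApproves` stands in for the user's click in
    // the wallet popup. The real API returns a promise; kept synchronous for the model.
    enable(userApproves) {
      if (!approved && !userApproves) {
        throw new Error('User rejected account access');
      }
      approved = true;
      return [address];
    },
  };
}

// What any script running in the page context, including an embedded third-party
// widget, can read on load without asking. This is the exposure the issue describes:
// the real address in the default mode, `undefined` with privacy mode on.
function addressVisibleOnLoad(provider) {
  return provider.selectedAddress;
}

// The consent-gated flow a dApp should use in either mode: ask first, and only then
// treat the account as known. Returns a result object instead of throwing.
function connectWithConsent(provider, userApproves) {
  try {
    const [account] = provider.enable(userApproves);
    return { connected: true, account };
  } catch (err) {
    return { connected: false, account: undefined, reason: err.message };
  }
}

// Stand-alone demonstration of both modes.
function demo() {
  const legacy = makeInjectedProvider({ privacyMode: false });
  const strict = makeInjectedProvider({ privacyMode: true });
  console.log('default mode, on load:', addressVisibleOnLoad(legacy));
  console.log('privacy mode, on load:', addressVisibleOnLoad(strict));
  console.log('privacy mode, user declines:', connectWithConsent(strict, false));
  console.log('privacy mode, user approves:', connectWithConsent(strict, true));
  console.log('privacy mode, after approval:', addressVisibleOnLoad(strict));
}

demo();
```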
MetaMask's lead developer, Dan Finlay, also found his way into the GitHub post's comments, admitting that the browser extension's team has been slow to enable the privacy mode feature by default. Finlay did assert that the switch would be coming sooner, rather than later, and that once the feature is enabled by default, users would still be able to manually turn it off.
The GitHub issue's original poster continued to maintain that the browser extension has no technical reason to send out broadcast messages, calling the software team behind MetaMask "deceptive." In response to the name-calling, Finlay stated: "We definitely reject all your claims that this is some weird malicious act on our part. That would be the craziest move we could ever make on a totally open source crypto project."