MetaMask, a popular Web3 wallet, has warned that automated Apple iCloud backups may expose its customers to having their funds stolen by hackers.
The creator of the wallet software has advised users to turn off such data backups. The team stated in a Sunday Twitter thread that users' funds can be stolen if they have enabled a MetaMask data backup on their Apple mobile devices. This kind of breach may occur if someone gains unauthorized access to the sensitive app data stored in iCloud, most notably through phishing attempts.
“If you’ve enabled iCloud backup for application data, this includes your password-protected MetaMask vault. If your password is insufficiently secure and someone phishes your iCloud credentials, this can result in the theft of funds,” MetaMask’s developers wrote.
The warning came only days after a MetaMask user called Domenic Iacovone claimed to have lost multiple NFTs and assets worth an estimated $655,000 in total when their iCloud account was hacked.
What seems to have occurred is that a hacker acquired access to Iacovone’s iCloud account and stole the wallet’s Keystore – a JSON-formatted file containing an encrypted version of the wallet’s private key required for transaction authorization.
Notably, Apple’s mobile devices may back up app data automatically. During the backup process, files containing private keys (which are intended to be used only locally on the device) may be sent to Apple’s cloud servers, where hostile actors may gain access to them, for example through a phishing attack.
According to Serpent, the founder of a crypto-focused security startup called Sentinel, the offender pretended to be an employee of “Apple Inc” and sent text messages to Iacovone requesting that he change his Apple ID password. The hacker used a forged caller ID to contact Iacovone on his phone number.
The hacker acquired access to Iacovone’s private key file after getting the code. This enabled access to his MetaMask wallet and the ability to withdraw the affected assets.
Iacovone said that some of his non-fungible tokens (NFTs) were stolen in the incident, including three from Mutant Ape Yacht Club (#28478, #8952, and #7536) and three from the Gutter Cat Gang (#2280, #2769, and #2325). Along with these NFTs, Iacovone alleged that the hacker stole $100,000 worth of APE tokens.
Based on this incident, neither MetaMask nor Apple appears to be to blame. The problem arose from Iacovone’s lax operational security combined with a built-in feature of Apple devices that users may disable. Nonetheless, the MetaMask team has recommended that users disable iCloud backups, detailing how to do so in a blog post.
Previously, a number of incidents have targeted owners of high-value NFTs, either through email-based phishing or by circulating phishing URLs aimed at stealing control of crypto wallets such as MetaMask. The Block reported only last month that 35 NFTs, including Bored Apes, were hijacked through phishing attempts propagated via malicious links on the social media network Twitter. By press time, MetaMask had not responded to a request for comment.