How MetaMask’s Latest Security Tool Can Protect Developers From Theft

Introduction

On Saturday February 20th 2021, as many as 50 smart contract developers let hackers into their computers. These were sophisticated computer users who were using their skills to build secure smart contracts for others. These weren’t the first victims of this type of attack. By becoming more informed and with a new tool from MetaMask called @lavamoat/allow-scripts, this attack may soon be the last of its kind.

This attack was possible because NomicLabs’ HardHat, a library used for Ethereum smart contract development was hit with a targeted phishing attack. The attack was a type of phishing known as ‘typo squatting’, which relies on users mis-typing or being redirected to a namespace that looks very similar to the original intended name. The most common example of this appears with domains, where phishers purchase a lookalike domain to a genuine, usually trusted website. Often, the webpage will look and feel legitimate, but act with malicious intent. Here at MetaMask, we’re constantly at war with fake websites trying to impersonate us and siphon user credentials. It’s a well known problem, however this particular incident with HardHat caught our attention.

What Happened

The attack didn’t occur with a lookalike domain. Instead, the attacker registered a name on NPM, the primary trusted resource for open source javascript libraries. The name of the genuine package in question was @nomiclabs/hardhat-waffle. The attacker registered the simpler hardhat-waffle. This means the exploit relied upon users mistakenly typing hardhat-waffle instead of @nomiclabs/hardhat-waffle. Upon installation, the package would run a postinstall script that uploaded the contents of package.json, /etc/hosts, /etc/passwd and Kubernetes credential files (~/.kube/config) to a remote server.

This type of attack isn’t new. In 2018, a Bitcoin wallet known as Copay was the victim of malicious code in a 3rd party package that stole users’ Bitcoin & Ethereum keys. The HardHat situation differs in that it was a completely separate package, whereas the Copay incident occurred from the widely-used event-stream. In both cases, the malicious actors targeted the projects’ dependency chains. These cases directly exemplify the double edged nature of open source distributed software.

How This Could’ve Been Avoided

From design to engineering and beyond, security is the core of everything we do at MetaMask. After all, MetaMask is a tool directly involved with people’s money. For a couple of years now, we’ve been working on a tool called LavaMoat. LavaMoat is a set of tools that protects projects from malicious code in the software supply chain. For the purpose of this write up, our primary focus will be on a recent tool we’ve created under LavaMoat called @lavamoat/allow-scripts.

@lavamoat/allow-scripts is a lightweight and simple tool that enables developers to explicitly allow the execution of npm lifecycle scripts such as preinstall & postinstall for a trusted package as needed. The philosophy is that 3rd party software doesn’t automatically get special permissions to run in an unsafe environment like the command line, they must be explicitly granted. This tool has the potential to drastically mitigate attacks like the HardHat incident. All it takes is a simple install and quick configuration.

If the affected developers who installed hardhat-waffle had first configured @lavamoat/allow-scripts on their projects, they would have been immune to its install script attack.

Usage

Increase the security of your project in 3 steps:

1. Create a .yarnrc or .npmrc, with the entry: ignore-scripts true. This will prevent new modules you add from running arbitrary scripts!
2. In your project directory, run yarn add -D @lavamoat/allow-scripts . This will allow you to selectively allow any modules that absolutely require scripts to run as part of their setup.
3. Automatically generate a configuration by running the command yarn allow-scripts auto. This will automatically generate configuration in your package.json like below. You can customize it, or leave it as it is.

{
  "lavamoat": {
    "allowScripts": {
      "keccak": true,
      "core-js": false
    }
  }
}

From now on, yarn or npm install runs with lifecycle scripts disabled by default, and only permits them according to this policy.

Any scripts from newly installed packages won’t execute. You may either manually whitelist the new package in package.json, or run yarn allow-scripts auto again. Running this command will not overwrite the config, it will only add to it.

Conclusion

We’re working to maintain top notch security standards at MetaMask, which in turn benefits the entire open source javascript ecosystem. By using @lavamoat/allow-scripts to your project, you can make yourself a little safer today. Let us know how it works, we’re eager to make it the best it can be.