"Ultimately, we've learned that our password encryption feature's security was partially undermined by browser behavior," said the team at MetaMask.
On Wednesday, MetaMask said that it uncovered a critical security vulnerability in older versions of its crypto wallet with the help of security researchers at Halborn. The security firm was awarded a bounty of $50,000 for the discovery.
For users of the MetaMask extension before version 10.11.3, three necessary conditions would have led to the potential vulnerability. They are: 1) an unencrypted hard drive, 2) having imported a secret recovery phrase into a MetaMask extension on a device that was compromised, stolen, or has unauthorized access, and 3) having used the "Show Secret Recovery Phrase" checkbox to view one's secret recovery phrase on-screen during the import process.
"We've only found that the Secret Recovery Phrase could be extracted under very specific circumstances, and we've been able to introduce new protections over the period that Halborn has waited to disclose."
Apparently, the exploit affects all browser versions of MetaMask wallet versions prior to the 10.11.3 update, and all operating systems if all three circumstances were met, but not mobile versions.
MetaMask is warning affected users to migrate their funds from their compromised wallets. However, keep in mind that all three conditions need to have been met for the vulnerability to be active on older versions of MetaMask.