Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks
KU Leuven researchers identified critical privacy flaws in 85 popular crypto wallet browser extensions affecting approximately 35 million users. Wallets frequently leak user data by bundling multiple addresses in single requests or sending rapid sequential requests, allowing servers to link distinct identities. Disconnecting from a Web3 application rarely revokes access, leaving stale permissions that enable persistent cross-site tracking via unique wallet addresses. A significant cross-site tra
Analysis
TL;DR
- KU Leuven researchers identified critical privacy flaws in 85 popular crypto wallet browser extensions affecting approximately 35 million users.
- Wallets frequently leak user data by bundling multiple addresses in single requests or sending rapid sequential requests, allowing servers to link distinct identities.
- Disconnecting from a Web3 application rarely revokes access, leaving stale permissions that enable persistent cross-site tracking via unique wallet addresses.
- A significant cross-site tracking vulnerability allows third-party trackers to extract wallet addresses from previously connected sites via invisible frames, linking pseudonymous identities to real-world data.
- Most wallet vendors dismissed these issues as non-bugs or known limitations, with only a few providers implementing fixes despite the severity of the privacy risks.
Why It Matters
This study reveals fundamental architectural failures in how crypto wallet extensions interact with the web, undermining the core promise of pseudonymity in blockchain technology. For AI and security practitioners, it highlights the dangers of trusting default behaviors in third-party browser extensions and the necessity of rigorous privacy-preserving design patterns in decentralized applications. The findings serve as a cautionary tale for the broader Web3 ecosystem, demonstrating that convenience features often come at the cost of severe user surveillance capabilities.
Technical Details
- Address Linking Vulnerabilities: 17 out of 85 tested wallets exposed connections between user addresses. Thirteen wallets bundled multiple addresses in a single HTTP request, while four others fired separate requests within milliseconds, providing temporal correlation signals for server-side profiling.
- Persistent Session State: 36 wallets failed to properly handle logout/disconnect commands. Even when sites sent revoke commands, 22 wallets retained access to the user's address, surviving browser restarts and cookie clears, effectively turning the wallet address into a permanent fingerprint.
- Cross-Site Frame Injection: 23 of the 36 vulnerable wallets leaked addresses when accessed via invisible iframes from third-party trackers. This allowed malicious scripts on unrelated websites to query previously authorized wallet connections without user interaction, bridging the gap between anonymous crypto activity and real-world identities.
- Vendor Response Analysis: Upon disclosure, major vendors like MetaMask classified the frame injection issue as a "known issue" due to backward compatibility concerns with existing dApps. Other vendors like Rabby and OKX dismissed the severity, with Rabby claiming the attack vector was "virtually impossible" and OKX labeling it informational since no funds were stolen.
Industry Insight
- Shift from Security to Privacy Engineering: The industry must move beyond traditional security metrics (like fund theft prevention) to prioritize privacy-by-design. Wallet extensions should implement strict isolation policies, ensuring that disconnecting a site immediately purges all local state and prevents cross-origin data leakage.
- Standardization of Revocation Protocols: There is an urgent need for standardized, enforced protocols for session revocation in Web3 interactions. Current ad-hoc implementations allow for persistent tracking; industry bodies should mandate that disconnect commands result in immediate, verifiable termination of all access rights.
- User Education and Tooling: Given the widespread vendor reluctance to fix these issues, developers should create user-facing tools that automatically audit and revoke stale permissions. Users must be educated that "disconnecting" in a UI does not equate to cryptographic revocation, necessitating manual intervention or the use of dedicated privacy-focused browser profiles.
Disclaimer: The above content is generated by AI and is for reference only.