MetaMask – stealing ETH by exploiting clickjacking – $120,000 bug bounty
Subscribe to BBRE Premium: https://bbre.dev/premium
Follow me on twitter: https://bbre.dev/tw
This video is an explanation of a clickjacking bug in MetaMask that allowed an attacker to steal a victim’s Ethereum with a few clicks. MetaMask paid a $120,000 bug bounty for it.
PoC code: https://bbre.dev/mm-poc
Get $100 in credits for Digital Ocean: https://bbre.dev/do
Timestamps:
00:00 Intro
00:47 What is MetaMask and how it works?
02:07 What are Web Accessible Resources?
04:11 Clickjacking – what is the impact of iframing a website?
06:00 Proof of Concept
07:20 How to prevent clickjacking?