Google Yanked MetaMask From the Chrome Store, Left a Phishing Scam Up

It was "an interesting wake-up call."

That was how Kevin Serrano, an employee at ethereum startup and incubator ConsenSys, described the revelation that MetaMask had been removed from Google Chrome's web store in a recently published blog post.

MetaMask, a Consensys "spoke," is an ethereum wallet that also serves as a bridge between web browsers and the ethereum blockchain. A little after 10:00 a.m. EDT Wednesday morning, the MetaMask team announced on Twitter that the extension had been removed from the Chrome store.

The team received no explanation for Google's action, according to Serrano, or even notification that it had happened – though he added that it's possible the email bounced. The extension was restored to the web store around five hours later. According to Serrano, Google explained that delisting MetaMask had been an "error."

And in this way, Serrano said it became clear:

"For a product that enables decentralized technology, [MetaMask] has centralized points of failure."

It's an issue blockchain entrepreneurs have grappled with since the industry first started testing its ideas.

One of the fundamental merits of blockchains and the decentralized applications built on top of them is that no single party can take down or censor them. Yet, this theoretical quality is frequently rendered moot where blockchain networks meet the legacy web or financial system.

Centralized exchanges, where fiat currency is converted into cryptocurrencies, are the most commonly cited example of where censorship-resistance and decentralization fail in practice.

But this incident has highlighted another such choke point: app stores.

Making the app available to users, Serrano continued, requires "placing our trust in browsers, GitHub and the people deploying in order to keep the system working."

Phishing frenzy

It's not only the trust required to keep the extension open to the most users (sufficiently tech-savvy users could have still downloaded it on Chrome), but also the fact that the action opened up opportunities for scammers – an endemic problem in the cryptocurrency space.

With MetaMask proper removed, Serrano wrote, "What was left when one searched the term 'MetaMask' on the store was a few re-branded MetaMask forks and one ambiguously branded lookalike."

Indeed, the situation presented the risk of phishing, in which attackers trick would-be users into downloading fake files that contain malware.

At one point Augur, another ethereum project, tweeted a warning not to download an extension called "MetaMask by Kupi.net," which was available in the Chrome store (it has since been removed). The app "is a fake, phishing app," the Augur team wrote, attaching an image:

Serrano told CoinDesk in an email that attempts to steal from users were also present on Telegram, a messaging platform popular with cryptocurrency enthusiasts, where attackers were "posing as an alternative support desk." It appears that some users were affected by this scam, he said, as well as an unrelated one on the Google Play Store, which lists apps for Google's Android operating system.

A Google spokesperson declined to comment on these phishing attempts.

While MetaMask continued to work on other browsers – Brave, Opera and Firefox – and those who had already downloaded the Chrome version were still able to use it, the team is looking into more decentralized alternatives such as IPFS, Serrano said.

The team also published a guide to installing the extension manually.

Fish hooks image via Shutterstock