Retrospective on the Temporary Removal of MetaMask From the Chrome Web Store

September 18, 2018 Update: as of this date, no current MetaMask phishers are present on the Chrome Web Store. Please consult our Twitter and future Medium posts for any new major incidents.

tl;dr : yesterday MetaMask was taken off of the Chrome Web Store for about 6 hours. It ended up being a removal in error on Chrome’s side. Below: our thought processes and lessons learned. Plus: kudos to our supporters.

Sometime during the morning of July 25th, 2018, one of our team members noticed that MetaMask was missing from the Chrome Web Store.

This proved to be an interesting wake-up call for a majority of our team.

What was left when one searched the term ‘MetaMask’ on the store was a few re-branded MetaMask forks and one ambiguously branded lookalike. No email from Google at the time alerted us as to why it was taken down (though later, we were notified that the email supposedly bounced, something we plan to investigate and fix tomorrow). All of our other versions — on Firefox, Opera, and Brave — were working normally.

This presented the product with a few immediate concerns:

1. Phishing — although the majority of new users will visit our landing page first or be directly linked to the extension listing (both of which would eventually lead to a dead link), the existence of lookalikes on the storefront page meant that people searching for the extension could be mislead. Additionally, we were alerted of several other phishing vectors on Telegram and on the Google Play Store that were active at that time.
2. Updates — the team was anticipating to deploy a new update — with features such as Trezor support and other various Quality of Life improvements — but the situation effectively blocked us from deploying an update to over one million installs, which accounts for the majority of our total user count.
3. New installs — although we had a few knowledge base articles detailing how to install MetaMask from source, this still isn’t an ideal user flow for common users, and explaining to them that they would have to install our extension differently would impact our accessibility.

Without an express line of contact to arbitrate the decision nor any knowledge at the time why the removal happened (though rumors did spread quickly), we prepared for the worst possible scenario. Twitter blasts, reaching out to connections, rewriting knowledge base articles, and watching our communications channels took up a large chunk of work from the day.

Thankfully, by approximately 12:40 PST the same day, we were back on the store. The reason given: the removal was done in error.

The community was 100% behind us the entire time, something we wholeheartedly appreciate. Big shout-outs to Brave & BAT, Augur, MyCrypto, IDEX, and the several other people and organizations who helped propagate the initial announcement and inform our community. You all represent a community worth developing for.

So, now that everything is said and done, what does this mean at a basic level?

1. All operations are back to normal within MetaMask. Expect us to push a new update soon in relief.
2. Chrome users should now be able to accept said update, and all links should work fine — no listings have changed.
3. The most egregious lookalike on the Chrome Web Store has been removed.
4. The team will have ongoing discussions on future red-alert scenarios and have careful protocols to handle each one. In the most optimistic case, we will share the majority of these red-alert scenarios publicly to increase transparency.

As the mango on top, this incident has allowed us to ask meaningful questions about security and continuing to earn trust and acceptance from our community.

1. Given that browser’s app stores have the ability to arbitrarily remove extensions from their listings, how does the product deal with this as an important layer in this ecosystem? What solutions allow us to be resilient to this kind of incident, intentional or not? Although several users used the opportunity to urge their fellow MetaMaskers to jump ship to another browser, this problem persists so long as the browser has the power to curate extensions at-will.
2. How do we continue to combat phishing and in turn, increase confidence that the installed product is the correct one? We recognize that this is an ongoing battle in which phishers will always find ways to circumvent, but given the window of time in which we lacked a formal presence on both Chrome, Telegram, and Android, how do we alert users that these are not legitimate products?
3. For a product that enables decentralized technology, it has centralized points of failure. Our distribution models are some of them, placing our trust in browsers, GitHub, and the people deploying in order to keep the system working. Although we at MetaMask continue to explore solutions to minimize these single points of failure, such as through multi-signature deployment and IPFS, we welcome the community to help us find answers.

Again, we thank everyone for your support through this ordeal, though short it was.