Browser crypto wallets can expose user identities

 

Browser crypto wallets can expose user identities

Security researchers at KU Leuven have found that many popular browser-based cryptocurrency wallets leak enough information to let websites and blockchain services track users across the web and connect wallet addresses that were meant to stay separate.

The research analyzed 85 browser extension wallets with a combined 35 million Chrome Web Store users. The researchers said the issue is not caused by a software vulnerability or hack. Instead, the wallets operate as designed, but the way they communicate with websites and blockchain infrastructure creates privacy risks.

One issue is how wallets request blockchain data. To display balances and transaction history, wallets regularly send requests containing wallet addresses to remote servers.

“At the network layer, 17 wallets leak structural linkability signals, affecting 23.0 million users (65.4%). At the web layer, 36 wallets, covering 82% of the total user base, are detectable through our new fingerprinting vector,” the researchers say. “More importantly, among these 36 wallets, 22 fail to correctly revoke permissions when users log out of a dApp and continue to expose previously granted but revoked addresses. This persistent exposure can be exploited by third-party trackers to link users across sessions and dApps.”

“Additionally,” the report continues, “23 of these wallets inject their provider interfaces into cross-origin iframes, allowing third-party trackers on non-dApp sites to obtain a user’s wallet address without any explicit user interaction. This can link a user’s browsing activity to their on-chain wealth and, in some cases, facilitate deanonymization.”

Researchers found additional privacy concerns involving wallet disconnection. Of 30 popular Web3 applications tested, only 11 properly revoked wallet access when users clicked Disconnect or Logout. Even when a revoke request was sent, 22 of the 36 wallets continued to provide the user's wallet address to the website. In many cases, the access remained active after clearing browser cookies and restarting the browser, requiring users to manually remove the site's permission from the wallet's connected sites list.

Another issue affected 23 of the same 36 wallets, which allowed authorized websites embedded inside hidden browser frames to access wallet addresses. A third-party tracking script running on multiple websites could use this behavior to retrieve a user's wallet address without additional interaction, provided the embedded Web3 application allowed framing.

“Web-side linkability arises from inconsistent permission handling, iframe exposure, and widespread third-party scripts across wallets and dApps, enabling passive address recovery across sessions and sites even when users believe they have disconnected or locked their wallet,” the researchers said. “Taken together, the results show that these leaks are not isolated bugs but systemic interactions across wallets, dApps, ecosystem standards, and embedded scripts. Because the permission model is inconsistently enforced, and because iframe exposure bypasses traditional Web2 tracking defenses, a determined tracker can link user activity across the web and even connect wallet addresses to a user’s real-world identity despite careful cookie or storage hygiene.”

Back to the list