Very recently, I came across a false blog post on a popular forum with a catchy title telling readers to disconnect their MetaMask wallet from all Dapps (decentralized applications, which include DeFi, short for decentralized finance). It rested on the unsupported remark that staying connected leads to phishing, offered no proper evidence and cited no actual occurrences, and left people with FUD.
FUD
Fear - Fear of losing all your money and privacy, and fear of using MetaMask or any other wallet.
Uncertainty - Uncertainty about whether to use MetaMask at all and, for that matter, whether to invest in crypto at all.
Doubt - Doubt about losing money, privacy and data.
Summary of the false blog post
The article claims that every time we visit a Dapp like Uniswap, we give the website access to view our cryptocurrency: not to move it or control it, but to view it. After browsing for a while, the author claims, MetaMask itself will connect to sites you have never heard of, and he asks the audience to disconnect them from the "Connected sites" section in MetaMask to maintain privacy. He further says that if you give them access they cannot move the crypto, but they can see it; and if they can see your crypto, they see a target and will go after you with a phishing scam, which is the worst thing that can happen with a MetaMask wallet: you can lose all of your crypto. And if you want to learn how to protect yourself from a MetaMask phishing scam, go ahead and read my previous article.
If this were true, I would have appreciated the author's concern for people's privacy and the safety of their crypto, but this post is a copy of a YouTube video which also did not explain the reasons.
My questions on the missing details and explanation
Site automatic connection to MetaMask - A site cannot automatically get connected to a MetaMask wallet. This is not possible, because privacy mode is enabled by default. To explain the connection to MetaMask a bit further, a MetaMask wallet has two states.
Locked State - Your wallet is protected by the password you set at creation time as a cautionary measure. In this state, if you want to connect your wallet to a Dapp, MetaMask will prompt for the password. It will then initiate a connection request, for which you need to give permission by clicking Accept in the pop-up window displayed. The password protection lasts for a browser session. Nobody can crack it if you have set a strong password, even with a supercomputer.
Unlocked State - Let us assume you want to interact with a Dapp such as pancakeswap.finance, so you unlock MetaMask with the password you set. Now there are again two possibilities:
You explicitly click the Connect button on the Dapp, which opens a pop-up window where you click Connect.
The Dapp prompts you automatically to connect by opening the notification window. Be careful with such Dapps.
In both cases, MetaMask warns you before connecting to connect only to trusted websites. After connection, the website can see the wallet address (20 bytes derived from the public key) and the wallet balance.
As a precaution, I always recommend checking what sites you are connecting to and reading their privacy policy. Are the Dapps you are connecting to secure and trusted? Verify the lock symbol in the address bar. The website can view your address and balances only as long as you are connected.
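The consent gate described above, seen from the Dapp's side of the EIP-1193 provider API that MetaMask injects as window.ethereum. This is an added example, not code from the post or from MetaMask: eth_accounts is the silent read that returns an empty list until the user has approved, eth_requestAccounts is the call that opens the confirmation window, and wallet_revokePermissions is the site-side equivalent of removing the entry under "Connected sites" (assumption: the installed MetaMask version supports that method). The provider is passed in, so the functions run against the constructed mock provider below in Node and against window.ethereum in a browser.

```javascript
// Added example (not from the original post or from MetaMask): the consent gate a Dapp
// goes through, using the EIP-1193 provider API. "provider" is window.ethereum in a
// browser; here a constructed mock stands in so the flow runs offline in Node.

// Silent read. Never prompts; returns [] until the user has granted the site access.
async function getAuthorizedAccounts(provider) {
  return provider.request({ method: 'eth_accounts' });
}

// Explicit connect. Opens the MetaMask confirmation window; call it from a Connect
// button click. MetaMask rejects with error code 4001 when the user declines.
async function connectWallet(provider) {
  try {
    const accounts = await provider.request({ method: 'eth_requestAccounts' });
    return { ok: true, accounts };
  } catch (err) {
    if (err && err.code === 4001) return { ok: false, reason: 'user rejected' };
    throw err;
  }
}

// Everything a connected site can read: the granted address and its on-chain balance.
// Without a grant there is nothing to read, so the function returns null.
async function whatTheSiteSees(provider) {
  const accounts = await getAuthorizedAccounts(provider);
  if (accounts.length === 0) return null;
  const hexWei = await provider.request({ method: 'eth_getBalance', params: [accounts[0], 'latest'] });
  return { address: accounts[0], balanceWei: BigInt(hexWei) };
}

// Site-side disconnect (assumption: the installed MetaMask supports wallet_revokePermissions).
// The user can achieve the same from "Connected sites" inside the extension.
async function disconnectWallet(provider) {
  await provider.request({ method: 'wallet_revokePermissions', params: [{ eth_accounts: {} }] });
}

// Constructed mock provider modelling MetaMask's permission gate for one account.
function makeMockProvider({ userApproves }) {
  const state = { permitted: false };
  const address = '0x' + '11'.repeat(20); // constructed sample address (20 bytes)
  return {
    async request({ method, params }) {
      switch (method) {
        case 'eth_accounts':
          return state.permitted ? [address] : [];
        case 'eth_requestAccounts':
          if (!userApproves) {
            const e = new Error('User rejected the request.');
            e.code = 4001;
            throw e;
          }
          state.permitted = true;
          return [address];
        case 'eth_getBalance':
          // Balance is public chain data; the mock reports 1.5 ETH (in wei) for the sample address.
          return params[0] === address ? '0x14d1120d7b160000' : '0x0';
        case 'wallet_revokePermissions':
          state.permitted = false;
          return null;
        default:
          throw new Error('unsupported method: ' + method);
      }
    },
  };
}

// Walk through the flow: nothing visible, consent, visible, revoke, nothing visible again.
async function runFlow(provider) {
  const steps = [];
  steps.push(await whatTheSiteSees(provider)); // null: no grant yet
  const c = await connectWallet(provider);
  steps.push(c.ok ? await whatTheSiteSees(provider) : null);
  if (c.ok) await disconnectWallet(provider);
  steps.push(await whatTheSiteSees(provider)); // null again after revoke
  return { connect: c, steps };
}

runFlow(makeMockProvider({ userApproves: true })).then((r) =>
  console.log(JSON.stringify(r, (_, v) => (typeof v === 'bigint' ? v.toString() : v), 2)),
);
```

The point the mock makes concrete: at no step does the site learn anything without the eth_requestAccounts round trip that MetaMask turns into a user prompt, and after revocation the site is back to seeing an empty account list.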
Concern that sites can view your crypto balance - Everyone on the internet can view your crypto balance. The balance is stored on the blockchain, and block explorers like Etherscan and BscScan let anyone on the internet view it given the wallet address, which is a 20-byte hexadecimal string of gibberish. There is no security concern here.
Even if people can view it, they cannot do anything, because you hold the private key, which you should never tell anyone.
All transactions are signed with your private key. As long as your private key is safe, there is no issue.
Remember, not your keys, not your crypto.
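To make the point that the balance is public data, here is an added example (not from the post) of reading a balance with nothing but a JSON-RPC eth_getBalance call to any public node: no wallet, no extension, no connection. RPC_URL is a placeholder, not an endpoint from the post. The network call is isolated in one function so that the request builder and the wei-to-ether formatter run offline; the formatter uses BigInt because 18-decimal wei values exceed what a JavaScript number represents exactly.

```javascript
// Added example, not code from the original post: what "anyone can view the balance"
// means in practice. Any public JSON-RPC node answers eth_getBalance for any address.

const RPC_URL = 'https://<your-rpc-endpoint>'; // placeholder, replace with a real node URL

// A valid Ethereum address is 20 bytes: "0x" followed by 40 hex characters.
function isAddress(addr) {
  return /^0x[0-9a-fA-F]{40}$/.test(addr);
}

// Build the JSON-RPC 2.0 request body for eth_getBalance at the latest block.
function buildBalanceRequest(addr, id = 1) {
  if (!isAddress(addr)) throw new Error('not a 20-byte hex address: ' + addr);
  return { jsonrpc: '2.0', id, method: 'eth_getBalance', params: [addr, 'latest'] };
}

// Convert a hex wei quantity to a decimal ether string without floating-point loss.
function weiHexToEther(hexWei, decimals = 18) {
  const wei = BigInt(hexWei);
  const base = 10n ** BigInt(decimals);
  const whole = wei / base;
  const frac = (wei % base).toString().padStart(decimals, '0').replace(/0+$/, '');
  return frac ? `${whole}.${frac}` : whole.toString();
}

// Parse the JSON-RPC response; node-side failures arrive in the "error" member.
function parseBalanceResponse(resp) {
  if (resp.error) throw new Error('rpc error ' + resp.error.code + ': ' + resp.error.message);
  return weiHexToEther(resp.result);
}

// Live lookup (needs network and a real RPC_URL). Uses the global fetch of Node 18+ / browsers.
async function fetchBalance(addr) {
  const res = await fetch(RPC_URL, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(buildBalanceRequest(addr)),
  });
  return parseBalanceResponse(await res.json());
}

// Constructed sample: a response as a node would return it for some address (1 ETH in wei).
const SAMPLE_RESPONSE = { jsonrpc: '2.0', id: 1, result: '0xde0b6b3a7640000' };
console.log('sample balance:', parseBalanceResponse(SAMPLE_RESPONSE), 'ETH');
console.log('request body:', JSON.stringify(buildBalanceRequest('0x' + 'ab'.repeat(20))));
```

Nothing in the request identifies the caller beyond an IP address, and nothing in the response is secret: the same number is what a block explorer shows, and what a connected Dapp sees after consent.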
Possible phishing attack and privacy compromise - Phishing is a type of social engineering where an attacker sends a fraudulent message designed to trick a human victim into revealing sensitive information to the attacker or into deploying malicious software, such as ransomware, on the victim's infrastructure. The article claims that a phishing and privacy risk arises if we give access to Dapps; that is the whole concern of the article. How is this even possible? The author did not explain how hackers can get your data when all they can see is a crypto address, a 20-byte hexadecimal string of gibberish. We can see many accounts holding millions of dollars' worth of crypto, yet we cannot trace them back to a real-world identity.
Even if the Dapps can see the wallet address and balance, there is simply no compromise of privacy, as they cannot trace you back to a real-world identity. As a security precaution, do not share on the internet a wallet address that can be linked to your identity.
We cannot trace a person from a crypto wallet address and balance to a real-world identity, but the reverse is possible. Beware of visiting fraudulent sites full of malicious ads. Do not respond to spam and phishing emails that pretend to be customer care or high-profile traders. Do not click links sent to your mobile inbox without verifying them.
A phishing attack is possible when the hacker knows your physical-world identity, such as your email, mobile number or social media handles. He can then trick you into revealing your secret passphrase (your private keys) and steal your funds. But if the hacker knows your crypto address and not your physical identity, there is nothing he can do.
The other possibility is that when you visit a malicious site, the hacker shows a pop-up that resembles MetaMask and tricks you into initiating a transaction. This is easily prevented if you pay attention every time; using an ad-blocker like uBlock Origin also filters a lot of spam content and prevents malicious scripts from loading.
Browsers such as Brave have built-in ad-blockers that block malicious and intrusive ads. Always double-check the domain name of the Dapp or website (if blockchain.com is the real site, its phishing copy will look like blockchein.com) and ensure it is not a fake version of the popular website. The same goes for mobile apps and browser extensions. In the browser, keep location, camera, notifications and pop-ups blocked.
Use privacy-friendly search engines like DuckDuckGo or https://search.brave.com/, which block trackers by default.
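The domain-name check and the lock-symbol check recommended above can be automated. The following is an added example, not code from the post: an allowlist comparison of the kind a user script or browser extension could run before a site is given a Connect click. The trusted list is constructed for illustration from the domains the post names; the registrable-domain helper is a deliberate approximation that is noted in the comments.

```javascript
// Added example, not code from the original post: a lookalike-domain check a user script or
// browser extension could run before interacting with a Dapp. TRUSTED is constructed for
// illustration; in practice it is whatever sites the user has chosen to trust.

const TRUSTED = ['blockchain.com', 'app.uniswap.org', 'pancakeswap.finance'];

// Registrable domain approximated as the last two labels. Good enough for .com/.org/.finance;
// multi-part suffixes such as .co.uk would need the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Levenshtein distance with a single rolling row; "blockchein" is one edit from "blockchain".
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Verdicts: 'trusted' (registrable domain is on the list), 'lookalike' (within two edits of a
// trusted domain, or a trusted hostname embedded as a subdomain such as
// blockchain.com.evil-login.net), otherwise 'unknown'. "https" is the lock-symbol check.
function checkUrl(urlString, trusted = TRUSTED) {
  const url = new URL(urlString);
  const host = url.hostname.toLowerCase();
  const reg = registrableDomain(host);
  const result = { host, https: url.protocol === 'https:', verdict: 'unknown', nearest: null };
  for (const t of trusted) {
    if (reg === registrableDomain(t)) return { ...result, verdict: 'trusted', nearest: t };
  }
  for (const t of trusted) {
    const embedded = host !== t && (host.includes(t + '.') || host.includes(t + '-'));
    if (embedded || editDistance(reg, registrableDomain(t)) <= 2) {
      return { ...result, verdict: 'lookalike', nearest: t };
    }
  }
  return result;
}

// Constructed sample URLs, including the blockchein.com example from the post.
const SAMPLES = [
  'https://blockchain.com/wallet',
  'https://app.uniswap.org/',
  'https://blockchein.com/',
  'https://blockchain.com.evil-login.net/',
  'http://pancakeswap.finance/',
  'https://example.org/',
];
for (const s of SAMPLES) console.log(s, '->', checkUrl(s));
```

An 'unknown' verdict is not a pass: it only means the site is neither on the list nor obviously imitating something on it, so the manual checks in the paragraphs above still apply before connecting.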
So, in conclusion, even if you leave websites connected in MetaMask, nothing will happen. Only when you open a site listed under connected sites will MetaMask try to connect, and every time, to perform any action, you need to give consent. As a request, please don't encourage false and low-value content that plays with people's emotions.
Follow the measures and have a safe crypto journey.
Thanks for reading.