Apple Saves Your Seed Phrase on iCloud, MetaMask Warns Users

As financial affairs migrate to the digital arena, so do scammers. Unfortunately, some doors to online fraudsters are left wide open. One such doorway was publicly spotlighted on Sunday after security experts realized Apple users are particularly vulnerable.

Apple Stores Crypto Seed Phrase On its Cloud Servers

To cut a long story short, if you are an Apple user, you may want to turn off your default automatic backup of app data. That’s because the MetaMask wallet also counts as an app, in addition to serving as an access point to your crypto funds.

Despite the fact that MetaMask is a non-custodial wallet giving the users ownership of their private keys, this is apparently nullified by Apple’s iCloud backup feature.  It is then not a matter of hacking the wallet, but phishing for iCloud credentials to access the MetaMask wallet’s password.

Scammers have a variety of techniques to get Apple ID passwords, including having them reset by pretending they are an “Apple Inc” representative responding to user safety. That’s precisely what happened with user @revive_dom who responded to scammer text messages asking for him to reset his Apple ID password.

Of course, in order to do that one would first have to give a 6-digit verification code (2FA) to prove account ownership. This was all it took for the scammer to take off with $650,000 worth in crypto/NFT funds from the MetaMask wallet.

iCloud Creates Additional Vulnerability for Crypto Users

In a quest to make the user experience more convenient, prevent piracy, and provide seamless updating, software companies have switched to cloud storage/computing in the last decade. Case in point, from a single-purchase software, Adobe products became subscription-based with Adobe Creative Cloud. This set in stone permanent dependency on online connectivity as SaaS (software-as-a-service).

Such dependency opened up a new cybercriminal highway. The same is true for Apple. Although the company is known for having an iron grip on its ecosystem, storing users’ seed phrases on iCloud by default is an exceptionally bad idea. Recovery or seed phrase, commonly consisting of 12 words, is the key to opening a crypto wallet lock.

Technically, even if one has all their devices destroyed in a fire, if a user remembers the seed phrase, the funds can be restored by recovering the wallet. That’s because a crypto wallet is not a wallet in the sense of containing files, but in the sense of providing access to a particular blockchain.

Conversely, if the password for Apple ID is reset by the scammer via the 2FA (two-factor-authorization) code, they gain access to MetaMask’s data as well. Interestingly, it appears this vulnerable convenience happened as a result of MetaMask integrating Apple Pay at the end of March, via Wyre linked to Visa/Mastercard.

Join our Telegram group and never miss a breaking digital asset story.

How to Turn Off iCloud Backups?

According to 451 Research, most users who buy crypto assets never move them outside the exchange where they were initially bought. This means they don’t own private keys to their funds, leaving it in the hands of platforms themselves. This is a very bad idea since such platforms represent a single point of failure (SPoF).

Such convenience can go downhill pretty fast. This was exemplified by the Canadian government freezing both crypto exchange addresses and bank accounts, not to mention the Mt.Gox multi-billion dollar hack. Apple’s iCloud makes this even worse by storing a seed phrase for a non-custodial wallet such as MetaMask.

To prevent this vulnerability, go to your iPhone’s settings to disable iCloud backups for MetaMask.

Settings > Profile > iCloud > Manage Storage > Backups

Or better yet, turn off iCloud backup feature entirely.

Settings > Apple ID/iCloud > iCloud > iCloud Backup

It is also worth thinking about opting for cold storage instead of cloud storage. The former means placing your crypto assets into offline storage with optional and manual online connectivity. Trezor and Ledger hardware wallets offer this service.

While it would take a few more steps to access crypto funds, that is the difference between having $650,000 one day, and not having any funds the next day. At the end of the line, scammers will always be more innovative than an average user, so it pays off to create extra security layers.

Do you take advantage of password managers or cold storage wallets? Let us know in the comments below.