[Bug]: Security: Metamask incorrectly converts funds into fiat on third-party networks to USD

[kladkogex]

Describe the bug

We started seeing it a couple of months ago. Now it is happening all the time.

When you add a network to Metamask, metamask will interpret its native currency as mainnet ETH and start showing currency conversion into fiat.

I think it can be a pretty security vulnerability, since uses may be tricked into believing that hey have real fiat currency, where they really dont.

Steps to reproduce

1. Create a custom blockchain with a custom chainID.

2. Create an account on this blockchain with non-zero native native ETH value

3. Import the account into Metamask. Metamask will start intertpreting

Error messages or log output

No response

Version

MetaMask Version 10.23.2

Build type

None

Browser

Chrome

Operating system

Ubuntu Linux 18/20/22

Hardware wallet

No response

Additional context

Happy to help debugging it.

[kladkogex]

Attaching a wireshark trace to the node

OPTIONS / HTTP/1.1
Host: 54.148.127.233:10323
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Origin: moz-extension://f2926671-eba8-485e-8d73-7f9fa8316f5a
Connection: keep-alive

HTTP/1.1 200 OK
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: *
Vary: Origin, Access-Control-request-Method, Access-Control-request-Headers
Date: Mon, 16 Jan 2023 15:29:09 GMT
Connection: keep-alive
Content-Length: 0

POST / HTTP/1.1
Host: 54.148.127.233:10323
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 73
Origin: moz-extension://f2926671-eba8-485e-8d73-7f9fa8316f5a
Connection: keep-alive

{"id":"1673882952330","jsonrpc":"2.0","method":"eth_chainId","params":[]}HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Mon, 16 Jan 2023 15:29:12 GMT
Connection: keep-alive
Content-Length: 60

{"id":"1673882952330","jsonrpc":"2.0","result":"0x1654f244"}POST / HTTP/1.1
Host: 54.148.127.233:10323
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 73
Origin: moz-extension://f2926671-eba8-485e-8d73-7f9fa8316f5a
Connection: keep-alive

{"id":"1673882952642","jsonrpc":"2.0","method":"eth_chainId","params":[]}HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Mon, 16 Jan 2023 15:29:12 GMT
Connection: keep-alive
Content-Length: 60

{"id":"1673882952642","jsonrpc":"2.0","result":"0x1654f244"}OPTIONS / HTTP/1.1
Host: 54.148.127.233:10323
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Origin: moz-extension://f2926671-eba8-485e-8d73-7f9fa8316f5a
Connection: keep-alive

HTTP/1.1 200 OK
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: *
Vary: Origin, Access-Control-request-Method, Access-Control-request-Headers
Date: Mon, 16 Jan 2023 15:29:27 GMT
Connection: keep-alive
Content-Length: 0

POST / HTTP/1.1
Host: 54.148.127.233:10323
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 73
Origin: moz-extension://f2926671-eba8-485e-8d73-7f9fa8316f5a
Connection: keep-alive

{"id":"1673882968624","jsonrpc":"2.0","method":"eth_chainId","params":[]}HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Mon, 16 Jan 2023 15:29:28 GMT
Connection: keep-alive
Content-Length: 60

{"id":"1673882968624","jsonrpc":"2.0","result":"0x1654f244"}POST / HTTP/1.1
Host: 54.148.127.233:10323
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 73
Origin: moz-extension://f2926671-eba8-485e-8d73-7f9fa8316f5a
Connection: keep-alive

{"id":"1673882969138","jsonrpc":"2.0","method":"eth_chainId","params":[]}HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Mon, 16 Jan 2023 15:29:29 GMT
Connection: keep-alive
Content-Length: 60

{"id":"1673882969138","jsonrpc":"2.0","result":"0x1654f244"}POST / HTTP/1.1
Host: 54.148.127.233:10323
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 78
Origin: moz-extension://f2926671-eba8-485e-8d73-7f9fa8316f5a
Connection: keep-alive

{"id":2634756101382792,"jsonrpc":"2.0","method":"eth_blockNumber","params":[]}HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Mon, 16 Jan 2023 15:29:30 GMT
Connection: keep-alive
Content-Length: 58

{"id":2634756101382792,"jsonrpc":"2.0","result":"0x3cb91"}POST / HTTP/1.1
Host: 54.148.127.233:10323
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 131
Origin: moz-extension://f2926671-eba8-485e-8d73-7f9fa8316f5a
Connection: keep-alive

{"id":4790094869090908,"jsonrpc":"2.0","method":"eth_getBalance","params":["0x2c7f203b7dcf7ab447b591c939418c682db6056d","0x3cb91"]}HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Mon, 16 Jan 2023 15:29:30 GMT
Connection: keep-alive
Content-Length: 54

{"id":4790094869090908,"jsonrpc":"2.0","result":"0x0"}POST / HTTP/1.1
Host: 54.148.127.233:10323
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 131
Origin: moz-extension://f2926671-eba8-485e-8d73-7f9fa8316f5a
Connection: keep-alive

{"id":4790094869090909,"jsonrpc":"2.0","method":"eth_getBalance","params":["0xb04a7f2cd74eb624df4bd8bed8f7034b5aed89c0","0x3cb91"]}HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Mon, 16 Jan 2023 15:29:30 GMT
Connection: keep-alive
Content-Length: 78

{"id":4790094869090909,"jsonrpc":"2.0","result":"0xc9ed9e4fc914bb00699d50e24"}