Total failure of password protection while extracting seed phrase increases attack surface area for scammers
Team Summary
Official summary from MetaMask
@bug_vs_me discovered that the MetaMask browser extension UI could access a user’s seed phrase without requiring password confirmation. This behavior violated expected security boundaries between the UI and background process, where the password prompt serves as a safeguard. Although the issue was not directly exploitable, it posed significant risk if MetaMask were ever to become vulnerable to cross-site scripting. Given the potential severity and the importance of hardening seed phrase protections, the MetaMask team awarded @bug_vs_me a one-time bonus of $3,500 in recognition of this finding. The issue was resolved in MetaMask Extension version 11.7.1, which now enforces password confirmation before any UI code can access the wallet’s seed phrase.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$3500.00
Submitted
Weakness
Authentication Bypass Using an Alternate Path or Channel