Hi, today I’ve discovered that the Chrome browser has deactivated the Yoroi extension, and a message appears that says Yoroi needs a new permission to read and change data on ALL webpages.
Is that normal? Why does Yoroi need that?
Do you agree with that?
What should I do?
Thanks in advance.
Same here in my Brave browser. I hope this will be fixed soon. We have no access now, because there is no way we can give this extreme permission.
Well, now I’ve read that explanation… but it’s not very soothing.
How do you feel about that? I don’t feel safe with that kind of permission for an extension.
Given that people entrust Yoroi with their funds, they could also trust them to not do shit with this permission.
On the other hand, Yoroi accessing arbitrary third-party dApp websites could open new security holes. So, it’s not so much the trust in Yoroi doing nothing bad intentionally with that permission, but the trust in them writing bullet-proof code.
Personally, using a Ledger Nano, I don’t care that much. They would still need to fool me into explicitly authorising a transaction on the external device.
Why not just set that permission to “On Click”? That means Yoroi will get access once you click on the extension and not for all sites by default. In other words, with that setting, don’t open Yoroi while on some website but open a new empty tab and click on the Yoroi icon.
You can also explicitly set the sites you want to use the dApp Connector on.
You gotta be kidding me. Yoroi just became the most insecure browser plug-in on earth. Guess I’ll be checking into ADA Lite because there is no way I would ever trust any plugin where the devs somehow think it’s acceptable for users to surrender all their information on every website they browse. #UNEFFINGBELIEVABLE
Yes, this has got to be the solution. Should be selected by default. Now we must first give this crazy general permission and then select “On Click” to limit that permission and make it safe again.
On Firefox, there does not seem to be the possibility to limit the permission to “on click”.
I had my mobile wallet emptied and the only thing I did that was out of the ordinary for me was install the Yoroi browser extension and attempt to restore my wallet on my desktop through the browser extension.
Luckily I didn’t entrust all my ADA to Yoroi, but it definitely stung to see it wiped out by a thief.
That was in November before this update, but I’m not trusting this wallet with any funds going forward.
I have a Ledger but I am concerned about working with exchanges.
My Ledger does not control those accounts.
For that reason I really don’t keep much there but still that seems like a point of attack if I grant those permissions.
I am looking for another wallet until this is resolved.
Can someone please recommend a light wallet that works with the Ledger and facilitates delegation?
If we want Yoroi to interact with dApps I’m not sure there’s a solution other than giving it access to a particular site. As mentioned, MetaMask and Nami all have the same Chrome extension setting, it just seems to be set to “On Click” by default, and not All Websites (someone can confirm).
I had the same issue. I just activated it again and for now it looks fine.
I’m new to this… would that be worth staking in Yoroi? If so… should I stake all of them or only a certain amount? Can you stake on different stake pools using Yoroi?
You are not staking in a specific wallet app (Yoroi), but you are staking the ADA in your wallet to a stake pool, which can be done from a lot of different wallet apps that all control the same wallet.
The access to the wallet is your seed words (keep them safe and secure) or your hardware wallet. The contents of the wallet are on the blockchain (transactions, staking, balance, …).
On Cardano, you always stake whole wallets/accounts. That does not mean that the Ada are sent away. (If someone tells you to send them away to stake, don’t do it!) They always stay in your wallet and you can send and receive totally freely. Every five days a snapshot is taken and ten days later you get rewards based on the balance during that snapshot.
Not with Yoroi. ccvault.io, adalite.io and Nami – other wallet apps – have the concept of accounts. There, you can divide your wallet (same seed phrase/hardware wallet) into multiple accounts that stake to different pools, but then other wallet apps – Yoroi, Daedalus – will only see the first of these accounts.
Another possibility is always to create more than one wallet. Whether that’s profitable depends on the amount of Ada. Below several thousand Ada, I would not want the hassle of staking to more than one pool.
Thanks. I thought it was a fake version of Yoroi.
The possible solution for Firefox users is to simply turn it down. I don’t know how it’ll affect staking but I think it’s the only option.
Alternatively, you can disable Yoroi in private mode and use it.
Anyway, it’s high time to switch to another wallet.
Just noticed that ccvault asks for the same permissions when installing the Chrome plugin.
So at this point there doesn’t seem to be enough reason to switch wallet applications.
As said above: I (mostly) trust them to manage my ADA, so there is not much reason to think that they do something bad with this permission.
There could be a risk that other websites use this to do something bad. So, it’s probably best to set it to “on click”.
But that might also be a reason to switch to ccvault, although it uses the same permission. If the bad guys want to use this they will target Yoroi first – much larger user base. It’s a bit of security by obscurity, but can be a reason.
Also: It’s just a much nicer wallet app.
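
As an added illustration for this thread (not code from Yoroi, ccvault or any poster): a Python check that takes the contents of an extension's `manifest.json` and reports whether all-sites access is required at install, only requested later, limited to listed sites, or click-only via `activeTab`. The three sample manifests and the host `dapp.example` are constructed and do not represent any real wallet's manifest.

```python
# Patterns that match every site; other broad patterns are not covered here.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _is_host_pattern(p):
    return p == "<all_urls>" or "://" in p

def site_access(manifest):
    """Summarise required vs. optional site access for a manifest dict."""
    perms = manifest.get("permissions", [])
    required = set(manifest.get("host_permissions", []))      # Manifest V3
    required |= {p for p in perms if _is_host_pattern(p)}     # Manifest V2 lists hosts here
    for cs in manifest.get("content_scripts", []):            # injected scripts imply access too
        required |= set(cs.get("matches", []))
    optional = set(manifest.get("optional_host_permissions", []))
    optional |= {p for p in manifest.get("optional_permissions", [])
                 if _is_host_pattern(p)}
    return {
        "required_all_sites": bool(required & ALL_SITES),
        "optional_all_sites": bool(optional & ALL_SITES),
        "required_hosts": sorted(required - ALL_SITES),
        "active_tab": "activeTab" in perms,
    }

def verdict(manifest):
    s = site_access(manifest)
    if s["required_all_sites"]:
        return "all-sites access required at install"
    if s["optional_all_sites"]:
        return "all-sites access only on request"
    if s["required_hosts"]:
        return "limited to listed sites"
    if s["active_tab"]:
        return "access only on click (activeTab)"
    return "no site access"

# Constructed sample manifests (not taken from any real extension).
BROAD = {"manifest_version": 2, "permissions": ["storage", "*://*/*"]}
INJECTED = {"manifest_version": 3, "permissions": ["storage"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}
SCOPED = {"manifest_version": 3, "permissions": ["storage", "activeTab"],
          "host_permissions": ["https://dapp.example/*"],
          "optional_host_permissions": ["<all_urls>"]}
CLICK_ONLY = {"manifest_version": 3, "permissions": ["storage", "activeTab"]}

if __name__ == "__main__":
    for name, m in [("BROAD", BROAD), ("INJECTED", INJECTED),
                    ("SCOPED", SCOPED), ("CLICK_ONLY", CLICK_ONLY)]:
        print(name, "->", verdict(m))
```

The browser's per-extension site access setting ("On Click", specific sites) can narrow what the manifest requests, so this check shows the upper bound an extension asks for, not what the user has actually granted.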