Then that's a massive flaw in their implementation. I've never used MetaMask, but I'm very surprised no one has complained about it before. 6 characters can be spoofed fairly easily.
I just checked MetaMask to see how it works. Once you paste an address, it changes to 0xXXXX...XXXX. As shown in the following image, it only shows the first 4 characters and the last 4 characters.
The receiving address is shown in the same way, even on "Confirm" window.
they dont care about security they just want everything to fit in that narrow window at the top right of the web browser i guess.
As you see in the above image, that's the same even in their Android application. They can show more characters and the address still fits in the recipient address field. But they don't do that.