A security incident occurred in the crypto market last weekend. Many users of BitBrowser reported that their assets had been stolen. Losses ranged from a few U.S. dollars to tens of thousands of U.S. dollars in cryptocurrency, which attracted wide attention. Most BitBrowser users are airdrop farmers, and with interactive airdrops already fiercely competitive, this field has once again fallen into a cold winter.

Airdrops drive the rapid growth of professional airdrop farming ("Lumao")

Since Uniswap's airdrop, many people have paid attention to the airdrop field and positioned themselves boldly. In a bull market, project teams also have a strong need for publicity, so airdrops, as an incentive for early supporters, have become a focus of discussion. At the same time, airdropped tokens can bring users rich returns, sometimes exceeding those from trading or primary-market investment. For this reason, many studios specializing in airdrops have emerged.

Airdrop studios usually interact with projects using professional tools in the hope of making considerable profits. Generally they have specialized tools such as fingerprint browsers and batch interaction scripts, and employ dedicated staff to write programs for batch operations. Some well-funded studios spend huge sums renting large numbers of servers for airdrop work.

However, once most people saw the huge returns from airdrops, more and more joined in. Especially after Arbitrum's airdrop this year, a large number of studios were established and some investment institutions began to join the army of airdrop farmers. From the number of interactions on zkSync, we can see that airdrop farming has basically reached a fever pitch. Even so, a large number of new wallets continue to pour in every day.

The popularity of airdrop-farming tools is also one of the main factors attracting people to this field. The fingerprint browser, for example, is an important tool. A fingerprint browser is a multi-instance browser built on the Google Chrome core. It can open multiple browser windows, each with a different fingerprint, and also supports synchronized operation, letting users operate accounts in batches, which improves efficiency. The fingerprint browser has therefore been widely adopted. Bit Browser, the tool involved in this incident, is widely used in the airdrop-farming industry.

Review of the asset theft incident

The incident began when a user reported that the funds in the MetaMask wallet inside his Bit Browser were transferred out in batches at 10:30 am on August 26. The user had used WPS to store his mnemonic phrase and private key in plain text, so he suspected that a vulnerability in Bit Browser or WPS had led to the theft. The incident immediately sparked discussion in the Lumao (airdrop-farming) circle.

Then more and more users began to report that their wallets had been drained, and began to suspect that WPS was uploading user files without consent or had vulnerabilities, which caused panic. However, as the number of victims grew, some who had never installed or used WPS also suffered theft, and the victims generally used Bit Browser, so users regarded BitBrowser as the prime suspect.

At this point, in Bit Browser's official group, the staff did not at first admit to a browser problem and still blamed WPS, because not all Bit Browser users had their funds stolen, only a portion of them, and nobody was yet clear about the cause.

However, as more user feedback came in, people discovered that most of the victims had turned on the browser's plug-in data synchronization function. Turning on this function means the user's browser plug-in data is uploaded to Bit Browser's cloud server; after logging into the Bit Browser account on a new computer, the new device downloads this data from the cloud, so there is no need to re-import the mnemonic or private key: the user only needs to re-enter the wallet password to use it in Bit Browser.

According to BitBrowser, this function was mainly intended to help users migrate plug-in data quickly, but it is precisely this function that uploaded users' MetaMask wallet data to the server, leading to this risk event.

In a previous article we explained that the MetaMask wallet plug-in stores its password-encrypted vault (which holds the mnemonic and private keys) in the folder C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn. If that folder is copied into the corresponding plug-in path on another computer, the user only needs to enter the password to access the wallet, and an attacker holding the file can run a dictionary or brute-force attack against the password offline to obtain the assets. Therefore, once the file is stolen, the user's funds are in danger. Bit Browser uses a similar file storage path, which is an important factor in this theft.

For attackers, cracking the password by brute force is only a matter of time. Users' passwords are cracked without them realizing anything has been stolen. Attackers obtain private keys in batches and then use scripts to sweep funds across every chain, draining the users' assets in one go.

How to prevent such security incidents

The main factor in this incident was that the Bit Browser server storing users' browser plug-in data was compromised, so the wallet plug-in files were obtained by the attackers. Some users had even saved their passwords in Bit Browser, which could also be uploaded to the cloud. On top of that, these users had turned on the synchronization function, which is what enabled the attackers to succeed. Similar functions are common in fingerprint browsers; for example, the Ads fingerprint browser also has a similar plug-in-to-cloud synchronization function, so users have to be on guard.

Of course, some users had synchronized data earlier and then turned the function off. But because they failed to delete the cloud copy in time, their assets were still stolen. This is a major security risk for users.

As for Bit Browser: although it is the main responsible party in this incident, the plug-in extension synchronization function is not enabled by default; only when the user manually enables it does the incident become possible. Synchronization of login cookies, on the other hand, is enabled. Therefore, overall, users' security awareness needs to be further improved.

The rapid development of the Internet has let cloud services penetrate all kinds of software. Bit Browser, for example, presumably designed its plug-in data synchronization function for user convenience; WPS, mentioned earlier, likewise offers cloud backup of files. While such functions are convenient, they also create risk. The crux of the problem is that most of us may not know which functions these programs enable behind the scenes to collect user data, and that is a key factor we need to watch. For example, if a user's computer is compromised, the local files of the Little Fox Wallet (MetaMask) may also be stolen, resulting in a leak. So it is not only Bit Browser but also the wallet vendors that need to strengthen their security measures, and this is also a key focus.

As for users, security is no small matter. We should not throw the baby out with the bathwater. Besides not turning on cloud synchronization and similar functions, we make the following suggestions:

1. Reduce the amount of funds kept in hot wallets; this is an important measure for minimizing the impact of possible losses.

2. Use hardware wallets to protect assets. Of course, for an airdrop farmer the cost of hardware wallets in bulk is too high, and bulk management would require, for example, a customized wallet plug-in and customized verification and authorization measures.

3. Focus on password protection: use hardware locks or set more complex passwords to protect the wallet and lengthen the time needed for brute-force cracking. Hardware computing power, however, is also advancing by leaps and bounds. At the current rate of progress, we believe a password of more than 13 characters mixing uppercase and lowercase letters, digits and symbols is relatively safe. Note that this safety is not absolute, because the computing power of hardware such as GPUs keeps growing, but it buys enough time to move the corresponding assets after a security incident occurs.
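As an added illustration (not from the original article), the following Python script estimates how long an exhaustive search of a password policy's keyspace would take, and how the wallet's key-derivation cost stretches that time; the attacker hash rate and the KDF iteration count are assumed inputs to tune, not measurements from the incident.

```python
import math
from dataclasses import dataclass

# Character-class sizes; 26+26+10+32 = 94 printable non-space ASCII characters.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32

@dataclass(frozen=True)
class Policy:
    name: str
    charset_size: int
    length: int

def keyspace(policy: Policy) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return policy.charset_size ** policy.length

def entropy_bits(policy: Policy) -> float:
    """Strength of a uniformly random password under this policy, in bits."""
    return policy.length * math.log2(policy.charset_size)

def worst_case_seconds(policy: Policy, raw_hashes_per_second: float,
                       kdf_iterations: int) -> float:
    """Seconds to exhaust the keyspace when each guess costs kdf_iterations hashes.
    raw_hashes_per_second is an assumed attacker throughput; a costlier KDF divides it."""
    guesses_per_second = raw_hashes_per_second / kdf_iterations
    return keyspace(policy) / guesses_per_second

def humanize(seconds: float) -> str:
    """Render a duration at the scale that matters for 'time to move funds'."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    # Assumed attacker throughput and KDF cost; both are placeholders, not measurements.
    GPU_RATE = 1e10        # raw hashes per second
    KDF_ITERS = 10_000     # key-derivation iterations per password guess
    policies = [
        Policy("8 lowercase", LOWER, 8),
        Policy("10 mixed letters+digits", LOWER + UPPER + DIGITS, 10),
        Policy("13 mixed with symbols", LOWER + UPPER + DIGITS + SYMBOLS, 13),
    ]
    for p in policies:
        print(f"{p.name:28} {entropy_bits(p):5.1f} bits  "
              f"worst case {humanize(worst_case_seconds(p, GPU_RATE, KDF_ITERS))}")
```

Raising KDF_ITERS or lengthening the password both multiply the worst-case time; the output shows why the article treats 13 mixed characters as buying time rather than as absolute safety.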

4. Regularly migrate wallet assets to new wallets, to prevent attackers from "raising fish" (quietly watching a compromised wallet and waiting for it to fill up before draining it) and to protect assets.

5. Keep the computer environment secure. Use antivirus software to scan for malware, but be careful not to let the antivirus software upload your files to the cloud. Computers holding large amounts of funds can also use a sentinel (canary) wallet to detect whether the machine has been compromised. Simply put, place the plaintext mnemonic or private key of a small wallet in an obvious location such as the desktop (to serve as a tripwire). Once the funds in this wallet are stolen, it means the computer has been hacked, and important wallets and files should be moved immediately.