Author | 23pds@SlowMist Security Team

background

On June 3, 2024, Twitter user @CryptoNakamao wrote about how he lost $1 million in theft after downloading the malicious Chrome extension Aggr, which aroused the attention of the majority of crypto community users to the risks of extensions and the security of their own crypto assets. On May 31, the SlowMist Security Team published an article titled "Wolf in Sheep's Clothing | Analysis of Fake Chrome Extension Theft", which output a detailed analysis of the malicious Aggr extension's malicious methods. Given that the majority of users lack background knowledge about browser extensions, SlowMist Chief Information Security Officer 23pds explains the basics and potential risks of extensions through six questions and six answers in this article, and provides suggestions for dealing with extension risks, hoping to help individual users and trading platforms improve their ability to protect account and asset security.

(https://x.com/im23pds/status/1797528115897626708)

FAQ

1. What are Chrome extensions?

Chrome extensions are plug-ins designed for Google Chrome that extend the functionality and behavior of the browser. They can customize the user's browsing experience, add new features or content, or interact with websites. Chrome extensions are usually built with HTML, CSS, JavaScript, and other web technologies.

The structure of a Chrome extension usually consists of the following parts:

  • manifest.json: The configuration file of the extension, which defines the basic information of the extension (such as name, version, permissions, etc.).

  • Background Scripts: run in the background of the browser to handle events and long-term tasks.

  • Content Scripts: Run in the context of a web page and can interact directly with the web page.

  • User Interface (UI): such as browser toolbar buttons, pop-up windows, options pages, etc.

2. What does the Chrome extension do?

  • Ad blocking: Extensions can block and prevent ads on web pages, thereby improving page loading speed and user experience. For example, AdBlock and uBlock Origin.

  • Privacy and security: Some extensions can enhance the user's privacy and security, such as preventing tracking, encrypting communications, managing passwords, etc. For example, Privacy Badger and LastPass.

  • Productivity tools: Extensions can help users improve productivity, such as managing tasks, taking notes, time tracking, etc. For example, Todoist and Evernote Web Clipper.

  • Developer Tools: Provide debugging and development tools for web developers, such as viewing web page structure, debugging code, analyzing network requests, etc. For example, React Developer Tools and Postman.

  • Social Media and Communication: Extensions can integrate social media and communication tools to facilitate users to handle social media notifications, messages, etc. while browsing the web. For example, Grammarly and Facebook Messenger.

  • Web page customization: Users can customize the appearance and behavior of web pages through extensions, such as changing the theme, rearranging page elements, adding additional features, etc. For example, Stylish and Tampermonkey.

  • Automated tasks: Extensions can help users automate repetitive tasks, such as automatically filling out forms, batch downloading files, etc. For example, iMacros and DownThemAll.

  • Language translation: Some extensions can translate web page content in real time to help users understand web pages in different languages, such as Google Translate.

  • Cryptocurrency assistance: Extensions can help users make cryptocurrency transactions more convenient, such as MetaMask.

The flexibility and diversity of Chrome extensions allow them to be applied to almost any browsing scenario, helping users complete various tasks more efficiently.

3. What permissions does the Chrome extension have after installation?

After installation, Chrome extensions may request a series of permissions in order to perform specific functions. These permissions are declared in the extension's manifest.json file and prompted for user confirmation during installation. Common permissions include:

  • : Allows the extension to access the content of all websites. This is a broad permission that allows the extension to read and modify data for all websites.

  • tabs: Allows the extension to access the browser's tab information, including obtaining currently open tabs, creating and closing tabs, etc.

  • activeTab: Allows the extension to temporarily access the currently active tab, typically used to perform a specific action when the user clicks the extension button.

  • storage: Allows the extension to use Chrome's storage API to store and retrieve data. This can be used to save extension settings, user data, etc.

  • Cookies: Allow the extension to access and modify cookies in your browser.

  • webRequest and webRequestBlocking: Allow extensions to intercept and modify network requests. These permissions are commonly used by ad blocking and privacy protection extensions.

  • bookmarks: Allows the extension to access and modify the browser's bookmarks.

  • history: Allows the extension to access and modify the browser's history.

  • notifications: Allows the extension to show desktop notifications.

  • contextMenus: Allows the extension to add custom menu items to the browser's context menu (right-click menu).

  • geolocation: Allows the extension to access the user's geolocation information.

  • clipboardRead and clipboardWrite: Allows the extension to read and write clipboard contents.

  • downloads: Allows the extension to manage downloads, including starting, pausing, and canceling downloads.

  • management: Allows the extension to manage other browser extensions and applications.

  • background: Allows the extension to run long tasks in the background.

  • notifications: Allows the extension to display system notifications.

  • webNavigation: Allows extensions to monitor and modify the browser's navigation behavior.

These permissions allow Chrome extensions to perform many powerful and diverse functions, but also mean that they have the potential to access sensitive user data such as cookies, authentication information, etc.

4. Why can malicious Chrome extensions steal user permissions?

Malicious Chrome extensions can use the requested permissions to steal the user's permissions and authentication information because these extensions can directly access and manipulate the user's browser environment and data. The specific reasons and methods are as follows:

  • Broad permission access: Malicious extensions usually request a large number of permissions, such as access to all websites (), read and modify browser tabs (tabs), access to browser storage (storage), etc. These permissions allow malicious extensions to have extensive access to users' browsing activities and data.

  • Manipulating network requests: Malicious extensions can use the webRequest and webRequestBlocking permissions to intercept and modify network requests, thereby stealing user authentication information and sensitive data. For example, they can intercept form data when a user logs into a website and obtain usernames and passwords.

  • Read and write page content: Through content scripts, malicious extensions can embed code into web pages to read and modify page content. This means they can steal any data entered by the user on the web page, such as form information, search queries, etc.

  • Access to browser storage: Malicious extensions can use the storage permission to access and store the user's local data, including browser storage (such as LocalStorage and IndexedDB) that may contain sensitive information.

  • Clipboard manipulation: With the clipboardRead and clipboardWrite permissions, malicious extensions can read and write the user's clipboard contents, thereby stealing or tampering with the information copied and pasted by the user.

  • Disguised as legitimate websites: Malicious extensions can disguise themselves as legitimate websites by modifying the browser content or redirecting the web pages visited by users, thereby tricking users into entering sensitive information.

  • Long-term background operation: Malicious extensions with background permissions can continue to run in the background, even when the user is not actively using them. This allows them to monitor the user's activities for a long time and collect a large amount of data.

  • Manipulating downloads: Using the downloads permission, a malicious extension can download and execute malicious files, further compromising the user's system security.

5. Why did the victims of this malicious extension suffer from stolen permissions and financial losses?

Because the malicious Aggr extension just got the background information we talked about above, the following is a snippet of the permissions content of the malicious plugin’s manifest.json file:

  • cookies

  • tabs

  • storage

6. What can a malicious Chrome extension do after stealing a user’s cookies?

  • Accessing accounts: Malicious extensions can use stolen cookies to simulate users logging into trading platform accounts, thereby accessing users' account information, including balances, transaction history, etc.

  • Conduct transactions: Stolen cookies could allow a malicious extension to conduct transactions without the user's consent, buying or selling cryptocurrencies or even transferring assets to other accounts.

  • Withdrawing funds: If the cookies contain session information and authentication tokens, the malicious extension may be able to bypass two-factor authentication (2FA) and directly initiate a fund withdrawal, transferring the user's cryptocurrency to a wallet controlled by the attacker.

  • Access to sensitive information: Malicious extensions can access and collect sensitive information from users in trading platform accounts, such as authentication documents, addresses, etc., which may be used for further identity theft or fraud activities.

  • Modify account settings: Malicious extensions can change the user's account settings, such as the bound email address, mobile phone number, etc., to further control the account and steal more information.

  • Impersonating users to conduct social engineering attacks: Using user accounts to conduct social engineering attacks, such as sending fraudulent messages to users' contacts to trick them into performing unsafe operations or providing more sensitive information.

Responses

Seeing this, many users may wonder, what should we do? Just disconnect from the Internet and stop playing? Use a separate computer to operate? Don't log in to the platform via the web? There are many general statements on the Internet, but in fact we can learn how to reasonably prevent such risks:

Countermeasures for individual users:

  • Enhance personal safety awareness: The first preventive suggestion is to enhance personal safety awareness and always maintain a skeptical attitude.

  • Only install extensions from trusted sources: Install extensions from the Chrome Web Store or other trusted sources, and read user reviews and permission requests to avoid granting unnecessary access to extensions.

  • Use a safe browser environment: avoid installing extensions from unknown sources, and regularly review and delete unnecessary extensions, install different browsers, and isolate plug-in browsers and transaction funds browsers.

  • Check account activities regularly: Check account login activities and transaction records regularly, and take immediate action if any suspicious behavior is found.

  • Remember to log out: Remember to log out after using the web operating platform. For convenience, many people do not click to log out after logging into the platform and completing the operation. This habit poses a security risk.

  • Use a hardware wallet: For large amounts of assets, use a hardware wallet for storage to improve security.

  • Browser settings and security tools: Use secure browser settings and extensions (such as ad blockers, privacy protection tools) to reduce the risk of malicious extensions.

  • Use security software: Install and use security software to detect and prevent malicious extensions and other malware from doing harm.

Finally, here are some risk control suggestions for the platform. Through these measures, trading platforms can reduce the security risks brought to users by malicious Chrome extensions:

Enforce the use of two-factor authentication (2FA):

- Enable 2FA globally: Require all users to enable two-factor authentication (2FA) when logging in and performing important operations (such as trading, placing orders, and withdrawing funds), ensuring that even if a user's cookies are stolen, attackers cannot easily access their accounts.

- Multiple verification methods: Support multiple two-factor verification methods, such as SMS, email, Google Authenticator, and hardware tokens.

Session management and security:

- Device Management: Provides users with the ability to view and manage logged-in devices, allowing users to log out of sessions on unknown devices at any time.

- Session timeout: Implement a session timeout policy to automatically log out sessions that have been inactive for a long time, reducing the risk of session theft.

- IP address and geolocation monitoring: Detect and alert users to login attempts from unusual IP addresses or geolocations, and block them if necessary.

Strengthen account security settings:

- Security Notifications: Instantly send notifications to users about important operations such as account logins, password changes, fund withdrawals, etc. Users can be alerted of abnormal activities via email or SMS.

- Account freezing function: Provides users with the option to quickly freeze their accounts in an emergency to limit the scope of damage.

Strengthen monitoring and risk control systems:

- Abnormal behavior detection: Use machine learning and big data analysis to monitor user behavior, identify abnormal transaction patterns and account activities, and conduct risk control intervention in a timely manner.

- Risk control warning: Issue warnings and restrictions on suspicious behaviors such as frequent changes to account information and frequent failed login attempts.

Provide security education and tools to users:

- Security education: Disseminate security knowledge to users through official social accounts, emails, platform notifications and other channels, reminding users to pay attention to the risks of browser extensions and how to protect their accounts.

- Security Tools: Provide official browser plug-ins or extensions to help users enhance account security, detect and alert users to possible security threats.

Conclusion

Frankly speaking, from a technical point of view, many times, taking all the risk control measures mentioned above may not be the best way. Security and business need to be balanced. If security is too important, the user experience will be bad. For example, when placing an order, secondary authentication is required. In order to place an order quickly, many users simply turn it off! The result is that it is convenient for both you and the hackers, because once the cookies are stolen, the currency cannot be withdrawn, and the hackers can play against each other, causing damage to user assets. Therefore, different risk control methods are adopted for different platforms and users. As for the balance point between security and business, different platforms have different considerations. It is hoped that the platform can protect the security of user accounts and assets while considering the user experience.