Title: Understanding Chrome Extensions: A Comprehensive Guide
Introduction:
On June 3, 2024, a Twitter user named @CryptoNakamao shared their experience of losing $1 million due to a malicious Chrome extension called Aggr. This incident raised concerns among the cryptocurrency community about the risks associated with extensions and the security of their assets. In response, the SlowMist Security Team published an analysis of the deceptive Chrome extension, shedding light on its malicious activities. To help users and platforms enhance the protection of their accounts and assets, SlowMist’s Chief Information Security Officer, 23pds, provides a comprehensive explanation of Chrome extensions, their potential risks, and recommendations to mitigate extension-related threats.
Question and Answer Section:
1. What is a Chrome extension?
A Chrome extension is a plugin designed for Google Chrome that enhances the browser’s functionality and behavior. These extensions can customize the user’s browsing experience by adding new features, content, or interactions with websites. Typically, Chrome extensions are built using HTML, CSS, JavaScript, and other web technologies.
The structure of a Chrome extension includes:
– manifest.json: The extension’s configuration file, which defines its basic information such as name, version, and permissions.
– Background Scripts: Scripts that run in the background of the browser, handling events and long-running tasks (a background page in Manifest V2, a service worker in Manifest V3).
– Content Scripts: Scripts that run in the context of web pages, allowing direct interaction with the page.
– User Interface (UI): Elements such as browser toolbar buttons, pop-up windows, and option pages.
2. What are the functions of Chrome extensions?
Chrome extensions serve various purposes, including:
– Ad-blocking: Extensions can block and prevent ads on web pages, improving browsing speed and user experience (e.g., AdBlock, uBlock Origin).
– Privacy and security: Some extensions enhance user privacy and security by preventing tracking, encrypting communications, and managing passwords (e.g., Privacy Badger, LastPass).
– Productivity tools: Extensions help users improve productivity by managing tasks, taking notes, and tracking time (e.g., Todoist, Evernote Web Clipper).
– Developer tools: Extensions provide debugging and development tools for web developers, such as inspecting page structures, debugging code, and analyzing network requests (e.g., React Developer Tools, Postman).
– Social media and communication: Extensions integrate social media and communication tools, making it convenient for users to handle social media notifications and messages while browsing (e.g., Grammarly, Facebook Messenger).
– Web customization: Users can customize the appearance and behavior of web pages using extensions, such as changing themes, rearranging page elements, and adding additional functionality (e.g., Stylish, Tampermonkey).
– Automation tasks: Extensions help automate repetitive tasks, such as automatically filling out forms or batch downloading files (e.g., iMacros, DownThemAll).
– Language translation: Some extensions provide real-time translation of web page content, helping users understand web pages in different languages (e.g., Google Translate).
– Cryptocurrency assistance: Extensions assist users in cryptocurrency trading, such as MetaMask.
The flexibility and diversity of Chrome extensions make them applicable to various browsing scenarios, enabling users to efficiently complete tasks.
3. What permissions do Chrome extensions have after installation?
After installation, Chrome extensions may request various permissions to perform specific functions. These permissions are declared in the extension’s manifest.json file and prompt users for confirmation during installation. Common permissions include:
– All websites: The <all_urls> host pattern, or a wildcard such as *://*/* (declared under permissions in Manifest V2 and under host_permissions in Manifest V3). It lets the extension read and modify the content of every website, and it is also what makes APIs such as cookies and webRequest effective against a given site, since those only work for hosts the extension has access to.
– Tabs: Allows the extension to access information about browser tabs, including accessing currently open tabs, creating new tabs, and closing tabs.
– ActiveTab: Allows the extension temporary access to the currently active tab, usually used to perform specific actions when the user clicks the extension button.
– Storage: Allows the extension to use Chrome’s storage API for storing and retrieving data, which can be used to save extension settings and user data.
– Cookies: Allows the extension to access and modify cookies in the browser.
– WebRequest and WebRequestBlocking: Allows the extension to observe network requests (webRequest) and to block or modify them in flight (webRequestBlocking). These permissions are commonly used by ad-blocking and privacy protection extensions. In Manifest V3, webRequestBlocking is only available to policy-installed enterprise extensions; other extensions must use declarativeNetRequest instead.
– Bookmarks: Allows the extension to access and modify browser bookmarks.
– History: Allows the extension to access and modify browser history.
– Notifications: Allows the extension to display desktop notifications.
– ContextMenus: Allows the extension to add custom menu items to the browser’s context menu (right-click menu).
– Geolocation: Allows the extension to access the user’s geographical location information.
– ClipboardRead and ClipboardWrite: Allows the extension to read and write clipboard content.
– Downloads: Allows the extension to manage downloads, including starting, pausing, and canceling downloads.
– Management: Allows the extension to manage other extensions and applications in the browser.
– Background: Allows Chrome to keep running after the last browser window is closed, so the extension's background page stays alive and can keep working without any window open.
– WebNavigation: Allows the extension to observe browser navigation events (page loads, redirects, frame creation) as they happen.
These permissions enable Chrome extensions to perform various powerful and diverse functions, but they also mean an extension can reach sensitive user data such as cookies and authentication information. Note in particular that the cookies API returns HttpOnly cookies as well: the HttpOnly flag protects a session cookie from page scripts, not from an extension holding the cookies permission and host access for the site.
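The following is an added example, not code from SlowMist or from the Aggr extension: a small manifest auditor that takes a parsed manifest.json, collects every access grant (permissions, optional permissions, host patterns in either the Manifest V2 or V3 location, and content-script match lists) and explains the risk of each one. The risk table, the sample manifest and the "trading assistant" name are constructed for illustration; the sample carries the permission set the article attributes to Aggr (cookies, tabs, storage) plus broad host access.

```javascript
// Added example (not SlowMist's code and not the Aggr extension's code): audit the
// permissions declared in an extension's manifest.json and explain why each one
// matters. Handles both Manifest V2 (host patterns inside "permissions") and
// Manifest V3 ("host_permissions") layouts. SAMPLE_MANIFEST at the bottom is
// constructed for illustration.

// Why each named permission matters, keyed by the exact manifest string.
const PERMISSION_RISK = {
  cookies:               ["high",   "read cookies via chrome.cookies (HttpOnly ones too) for any host it has access to"],
  webRequest:            ["high",   "observe every request, including submitted form bodies"],
  webRequestBlocking:    ["high",   "block, modify or redirect requests in flight"],
  declarativeNetRequest: ["medium", "block or rewrite requests by static rule"],
  tabs:                  ["medium", "see URLs and titles of every open tab; open and close tabs"],
  history:               ["medium", "read and modify browsing history"],
  clipboardRead:         ["medium", "read whatever the user copies (addresses, seed phrases)"],
  downloads:             ["medium", "write files to disk"],
  management:            ["medium", "disable or uninstall other extensions, e.g. a blocker"],
  webNavigation:         ["low",    "observe navigation events"],
  storage:               ["low",    "extension-private storage, a convenient place to hoard collected data"],
  activeTab:             ["low",    "temporary access to the current tab after a user gesture"],
  background:            ["low",    "keep the extension alive after the last window closes"],
};
const LEVEL_RANK = { info: 0, low: 1, medium: 2, high: 3 };

// Host patterns that amount to "every website".
const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  // Gather everything that grants access, noting whether it is optional.
  const declared = [];
  const add = (list, optional) => (list || []).forEach((p) => declared.push({ p, optional }));
  add(manifest.permissions, false);
  add(manifest.optional_permissions, true);
  add(manifest.host_permissions, false);            // MV3 location for host patterns
  add(manifest.optional_host_permissions, true);
  // A content script's "matches" list is host access too, even with no permission entry.
  (manifest.content_scripts || []).forEach((cs) => add(cs.matches, false));

  const findings = [];
  const seen = new Set();
  let broadHostAccess = false;
  let hostAccess = false;
  for (const { p, optional } of declared) {
    if (seen.has(p)) continue;
    seen.add(p);
    if (isHostPattern(p)) {
      const broad = BROAD_HOST_PATTERNS.has(p);
      if (!optional) { hostAccess = true; if (broad) broadHostAccess = true; }
      findings.push({
        permission: p, optional, level: broad ? "high" : "medium",
        reason: broad ? "read and modify every page, including logged-in sessions"
                      : `read and modify pages matching ${p}`,
      });
    } else {
      const [level, reason] = PERMISSION_RISK[p] || ["info", "not in the table; check the Chrome docs"];
      findings.push({ permission: p, optional, level, reason });
    }
  }
  findings.sort((a, b) => LEVEL_RANK[b.level] - LEVEL_RANK[a.level]);

  // chrome.cookies only returns cookies for hosts the extension has access to,
  // so it is the combination of "cookies" and host access that enables session theft.
  const granted = new Set(findings.filter((f) => !f.optional).map((f) => f.permission));
  const sessionTheftCapable = granted.has("cookies") && hostAccess;
  const top = findings.reduce((m, f) => Math.max(m, LEVEL_RANK[f.level]), 0);
  const overall = Object.keys(LEVEL_RANK).find((k) => LEVEL_RANK[k] === top);
  return { manifestVersion: manifest.manifest_version || 2, findings, broadHostAccess, sessionTheftCapable, overall };
}

// Constructed sample: an MV3 "trading assistant" with the Aggr permission set.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Trading Assistant (constructed sample)",
  version: "1.0",
  permissions: ["cookies", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};

const report = auditManifest(SAMPLE_MANIFEST);
console.log(`manifest v${report.manifestVersion}, overall risk: ${report.overall}`);
console.log(`session theft capable: ${report.sessionTheftCapable}`);
for (const f of report.findings) {
  console.log(`  [${f.level}${f.optional ? ", optional" : ""}] ${f.permission}: ${f.reason}`);
}
```

Run it on any unpacked extension by loading its manifest.json with JSON.parse in place of SAMPLE_MANIFEST. The point to take from the output is the combination, not the single entries: cookies, tabs and storage look harmless next to an ad blocker's permission list, but cookies together with host access for the trading site is exactly what session theft needs.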
4. How can malicious Chrome extensions steal user permissions?
Malicious Chrome extensions can abuse the permissions they request to hijack user sessions and steal authentication information, because an extension has direct access to, and control over, the user's browser environment and data. The specific methods are as follows:
Wide-ranging permission access: Malicious extensions often request a large number of permissions, such as accessing all websites, reading and modifying browser tabs, and accessing browser storage. These permissions allow malicious extensions to extensively access user browsing activities and data.
Manipulating network requests: Malicious extensions can use the webRequest and webRequestBlocking permissions to intercept and modify network requests, thereby stealing user authentication information and sensitive data. For example, by listening to onBeforeRequest with the requestBody option, they can read the form data a user submits when logging into a website and retrieve the username and password.
Reading and writing page content: Through content scripts, malicious extensions can inject code into web pages, enabling them to read and modify page content. This means they can steal any data users input on web pages, such as form information and search queries.
Accessing browser storage: The storage permission itself grants access to chrome.storage, the extension's own private store, which a malicious extension typically uses to hoard collected data before sending it out. The page-level stores that hold sensitive application data (LocalStorage and IndexedDB) are reached through content scripts instead, which run in the origin of the page and share its storage.
Manipulating the clipboard: With clipboardRead and clipboardWrite permissions, malicious extensions can read and write the content of the user’s clipboard, allowing them to steal or modify information the user copies and pastes.
Impersonating legitimate websites: Malicious extensions can modify browser content or redirect users to fake websites, impersonating legitimate sites and tricking users into entering sensitive information.
Long-term background operation: Malicious extensions with background permissions can run in the background for extended periods, even without active user interaction. This allows them to monitor user activity for a long time and collect a significant amount of data.
Manipulating downloads: With the downloads permission, malicious extensions can silently save files, including malware disguised as an update or a document, to the user's disk. The API cannot execute them, but a user who opens a file that simply appeared in their downloads folder may, further compromising system security.
5. Why were the victims of this malicious extension affected and experienced financial losses?
The malicious Aggr extension in this case requested, in the permissions section of its manifest.json, three of the permissions described above:
– Cookies
– Tabs
– Storage
Combined with access to the trading site, the cookies permission alone is enough to read a logged-in user's session cookies; tabs tells the extension which sites the user has open, and storage gives it somewhere to keep what it collects. What a thief can do with those cookies is covered by the next question.
6. What actions can malicious Chrome extensions perform after stealing user cookies?
After stealing user cookies, malicious extensions can perform various actions, including:
– Accessing accounts: Malicious extensions can use stolen cookies to simulate a user’s login to a trading platform account, gaining access to their account information, including balance and transaction history.
– Conducting transactions: Stolen cookies may allow malicious extensions to perform unauthorized transactions, buying or selling cryptocurrencies without the user’s consent, or transferring assets to other accounts.
– Withdrawing funds: A stolen session cookie represents a session that has already passed login and, usually, login-time 2FA, so replaying it bypasses that check entirely. If the platform does not demand a fresh second factor for withdrawals, the attacker can initiate withdrawals directly and transfer the user's cryptocurrencies to a wallet they control.
– Accessing sensitive information: Malicious extensions can access and collect sensitive information stored in a user’s trading platform account, such as identification documents and addresses, which may be used for further identity theft or fraudulent activities.
– Modifying account settings: Malicious extensions can change a user’s account settings, such as their linked email address and phone number, gaining further control over the account and stealing more information.
– Impersonating the user for social engineering attacks: Using a user’s account, malicious extensions can conduct social engineering attacks, such as sending scam messages to the user’s contacts, enticing them to perform insecure actions or provide more sensitive information.
Mitigation Measures:
For individual users:
– Enhance personal security awareness: The first recommendation is to enhance personal security awareness and maintain a skeptical attitude.
– Install extensions from trusted sources: Install extensions from the Chrome Web Store or other trusted sources, read user reviews, and carefully review the requested permissions, granting extensions only necessary access.
– Use a secure browser environment: Avoid installing extensions from unknown sources, regularly review and remove unnecessary extensions, and keep a separate browser or browser profile with no extensions installed for trading and managing funds, so that an extension in your everyday browser never shares a session with those sites.
– Regularly check account activity: Periodically check account login activity and transaction records, taking immediate action upon detecting suspicious behavior.
– Remember to log out: After completing operations on a web platform, remember to log out. Many users neglect to click the log-out button after completing their tasks, posing a security risk.
– Use hardware wallets: For significant assets, use hardware wallets for storage to enhance security.
– Browser settings and security tools: Use secure browser settings and extensions (e.g., ad-blockers, privacy protection tools) to reduce the risk of malicious extensions.
– Use security software: Install and use security software to detect and prevent malicious extensions and other malware.
For platforms’ risk control measures:
– Enforce the use of two-factor authentication (2FA):
– Enable 2FA globally: Require all users to enable 2FA for login and important operations (e.g., trading, placing orders, fund withdrawals) to ensure that even if a user’s cookies are stolen, attackers cannot easily access their accounts.
– Multiple authentication methods: Support multiple 2FA methods, such as SMS, email, Google Authenticator, and hardware tokens (FIDO2/WebAuthn security keys).
– Session management and security:
– Device management: Provide users with the ability to view and manage logged-in devices, allowing them to log out suspicious devices at any time.
– Session timeout: Implement session timeout policies to automatically log out inactive sessions, reducing the risk of session hijacking.
– IP address and geolocation monitoring: Detect and notify users of login attempts from abnormal IP addresses or locations and block them if necessary.
– Strengthen account security settings:
– Security notifications: Instantly send users notifications about account logins, password changes, fund withdrawals, and other important operations, using email or SMS to alert users of any unusual activity.
– Account freeze feature: Provide an option for users to quickly freeze their accounts in emergencies, controlling the extent of damage in case of compromise.
– Enhance monitoring and risk control systems:
– Abnormal behavior detection: Use machine learning and big data analysis to monitor user behavior, identify abnormal trading patterns and account activities, and intervene with risk control measures promptly.
– Risk control alerts: Warn and restrict suspicious behaviors, such as frequent changes to account information or frequent failed login attempts.
– Provide security education and tools to users:
– Security education: Disseminate security knowledge to users through official social media accounts, emails, and in-platform notifications, raising awareness about extension-related risks and how to protect their accounts.
– Security tools: Provide official browser plugins or extensions to help users enhance account security, detect and alert them to potential security threats.
Conclusion:
From a technical standpoint, it is not always the best approach to implement strict risk control measures mentioned above. Balancing security and business needs is crucial as an excessive focus on security can negatively impact user experience. For example, requiring 2FA for every trade may inconvenience users, leading them to disable it. This convenience inadvertently benefits both users and hackers, as compromised cookies would allow attackers to take advantage. Therefore, the risk control measures taken by platforms should be tailored to their specific users and needs. It is essential to strike a balance between security and user experience while ensuring the protection of user accounts and assets.