Author: 23pds@SlowMist Security Team
Background
On June 3, 2024, Twitter user @CryptoNakamao shared their experience of having $1 million stolen due to downloading the malicious Chrome extension Aggr, causing widespread concern among the cryptocurrency community about the risks of extensions and the security of their own assets. On May 31, SlowMist Security Team published an analysis of the deceptive Chrome extension theft in an article titled “The Wolf in Sheep’s Clothing | Analysis of Deceptive Chrome Extension Theft,” providing a detailed analysis of the malicious Aggr extension’s malicious behavior. Given that many users lack background knowledge of browser extensions, in this article, SlowMist’s Chief Information Security Officer, 23pds, will explain the basics of extensions and potential risks through a Q&A format, providing suggestions for dealing with extension risks in order to help individual users and trading platforms enhance their account and asset security.
Q&A
1. What is a Chrome extension?
A Chrome extension is a plugin for the Google Chrome browser that extends the browser’s functionality and behavior. Extensions can customize the user’s browsing experience, add new features or content, or interact with websites. They are typically built using HTML, CSS, JavaScript, and other web technologies.
The structure of a Chrome extension usually includes the following parts:
– manifest.json: The configuration file of the extension, which defines the basic information of the extension such as its name, version, permissions, etc.
– Background Scripts: Scripts that run in the background of the browser, handling events and long-term tasks.
– Content Scripts: Scripts that run in the context of the web page, allowing direct interaction with the web page.
– User Interface (UI): Elements such as browser toolbar buttons, pop-up windows, option pages, etc.
2. What are the functions of Chrome extensions?
Chrome extensions have various functions, including:
– Ad-blocking: Extensions can intercept and block ads on web pages, improving page loading speed and user experience. Examples include AdBlock and uBlock Origin.
– Privacy and security: Some extensions enhance user privacy and security, such as preventing tracking, encrypting communication, and managing passwords. Examples include Privacy Badger and LastPass.
– Productivity tools: Extensions can help users improve productivity, such as task management, note-taking, time tracking, etc. Examples include Todoist and Evernote Web Clipper.
– Developer tools: Extensions provide debugging and development tools for web developers, such as viewing web page structures, debugging code, analyzing network requests, etc. Examples include React Developer Tools and Postman.
– Social media and communication: Extensions can integrate social media and communication tools, allowing users to handle social media notifications, messages, etc., while browsing web pages. Examples include Grammarly and Facebook Messenger.
– Web customization: Users can customize the appearance and behavior of web pages through extensions, such as changing themes, rearranging page elements, adding additional features, etc. Examples include Stylish and Tampermonkey.
– Automation tasks: Extensions can help users automate repetitive tasks, such as automatically filling out forms, batch downloading files, etc. Examples include iMacros and DownThemAll.
– Language translation: Some extensions can translate web page content in real-time, helping users understand web pages in different languages, such as Google Translate.
– Cryptocurrency assistance: Extensions can help users conveniently manage their cryptocurrency transactions, such as MetaMask.
The flexibility and diversity of Chrome extensions allow them to be applied to almost any browsing scenario, helping users efficiently complete various tasks.
3. What permissions do Chrome extensions have after installation?
After installation, Chrome extensions may request a series of permissions to perform specific functions. These permissions are declared in the extension’s manifest.json file, and the user is prompted to confirm them during installation. Common permissions include:
– All websites: Allows the extension to access the content of all websites. This is a broad permission that allows the extension to read and modify data from all websites.
– Tabs: Allows the extension to access information about browser tabs, including getting the currently open tabs, creating and closing tabs, etc.
– Active Tab: Allows the extension temporary access to the currently active tab, often used to perform specific actions when the user clicks the extension button.
– Storage: Allows the extension to use Chrome’s storage API to store and retrieve data. This can be used to store extension settings, user data, etc.
– Cookies: Allows the extension to access and modify cookies in the browser.
– WebRequest and WebRequestBlocking: Allows the extension to intercept and modify network requests. These permissions are often used by ad-blocking and privacy protection extensions.
– Bookmarks: Allows the extension to access and modify bookmarks in the browser.
– History: Allows the extension to access and modify the browsing history.
– Notifications: Allows the extension to display desktop notifications.
– ContextMenus: Allows the extension to add custom menu items to the browser’s context menu (right-click menu).
– Geolocation: Allows the extension to access the user’s geolocation information.
– ClipboardRead and ClipboardWrite: Allows the extension to read and write clipboard content.
– Downloads: Allows the extension to manage downloads, including starting, pausing, and canceling downloads.
– Management: Allows the extension to manage other extensions and applications in the browser.
– Background: Allows the extension to run long-term tasks in the background.
– WebNavigation: Allows the extension to monitor and modify the browser’s navigation behavior.
These permissions enable Chrome extensions to perform powerful and diverse functions, but also mean that they can access sensitive user data such as cookies and authentication information.
4. Why can malicious Chrome extensions steal user permissions?
Malicious Chrome extensions can exploit the permissions they request to steal user credentials and authentication information, because those permissions give the extension direct access to and control over the user’s browser environment and data. The specific reasons and methods are as follows:
– Broad access permissions: Malicious extensions often request a large number of permissions, such as accessing all websites, reading and modifying browser tabs, accessing browser storage, etc. These permissions allow malicious extensions to have broad access to the user’s browsing activities and data.
– Manipulating network requests: Malicious extensions can use the webRequest and webRequestBlocking permissions to intercept and modify network requests, thereby stealing user authentication information and sensitive data. For example, they can intercept form data when a user logs into a website to obtain usernames and passwords.
– Reading and writing page content: Through content scripts, malicious extensions can embed code into web pages and read or modify page content. This means they can steal any data entered by the user on the web page, such as form information and search queries.
– Accessing browser storage: Malicious extensions can use the storage permission to access and store the user’s local data, including browser storage that may contain sensitive information (such as LocalStorage and IndexedDB).
– Manipulating the clipboard: With the clipboardRead and clipboardWrite permissions, malicious extensions can read and write the user’s clipboard content, thereby stealing or tampering with the information the user copies and pastes.
– Impersonating legitimate websites: Malicious extensions can modify the content of the browser or redirect the user’s access to web pages to impersonate legitimate websites, tricking users into entering sensitive information.
– Long-term background operation: Malicious extensions with the background permission can continue running in the background, even if the user does not actively use them. This allows them to monitor user activity for a long time and collect a large amount of data.
– Manipulating downloads: Using the downloads permission, malicious extensions can download and execute malicious files, further compromising the user’s system security.
5. Why were the victims of this malicious extension subject to permission theft and financial losses?
The victims of this malicious Aggr extension had their permissions and funds stolen because the extension obtained exactly the kind of access described above. The following is a snippet of the permissions declared in the malicious plugin’s manifest.json file:
– Cookies
– Tabs
– Storage
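As an added example (not code from the original article or from the Aggr extension), the script below reads an extension’s manifest.json and flags the permissions this article treats as sensitive; the risk table and the sample manifest are constructed for illustration, and the sample reuses only the three permissions quoted above.

```javascript
// Added example: flag high-risk permissions declared in an extension manifest.
// HIGH_RISK, BROAD_HOSTS and sampleManifest are constructed for this illustration.
const HIGH_RISK = {
  cookies: "can read session cookies for every site it is allowed to reach",
  tabs: "can enumerate and manipulate open tabs (e.g. a trading platform tab)",
  storage: "can persist harvested data locally between browser sessions",
  webRequest: "can intercept network requests",
  webRequestBlocking: "can modify or block network requests",
  clipboardRead: "can read clipboard contents (seed phrases, addresses)",
  downloads: "can start downloads of further files",
};

// Host patterns that grant access to every website.
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Returns a list of { permission, reason } findings for a parsed manifest object.
function auditManifest(manifest) {
  const findings = [];
  const perms = [].concat(manifest.permissions || [], manifest.optional_permissions || []);
  for (const p of perms) {
    if (HIGH_RISK[p]) findings.push({ permission: p, reason: HIGH_RISK[p] });
  }
  // Manifest V2 lists host patterns inside "permissions"; V3 uses "host_permissions".
  const hosts = [].concat(
    manifest.host_permissions || [],
    perms.filter((p) => p.includes("://") || p === "<all_urls>")
  );
  for (const h of hosts) {
    if (BROAD_HOSTS.includes(h)) findings.push({ permission: h, reason: "grants access to all websites" });
  }
  return findings;
}

// Constructed sample: the three permissions the article quotes, plus an all-sites host pattern.
const sampleManifest = {
  manifest_version: 3,
  name: "example-extension",
  version: "1.0",
  permissions: ["cookies", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
};

// Review the findings before installing; each entry names the permission and why it matters.
console.log(auditManifest(sampleManifest));
```

To audit a real extension, load its manifest.json with `JSON.parse(fs.readFileSync(path))` and pass the object to `auditManifest`.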
6. After stealing user cookies, what actions can a malicious Chrome extension perform?
A malicious extension that steals user cookies can perform the following actions:
– Account access: The malicious extension can use the stolen cookies to simulate the user’s login to a trading platform account, thereby accessing the user’s account information, including balance, transaction history, etc.
– Conduct transactions: With the stolen cookies, the malicious extension may be able to conduct transactions without the user’s consent, such as buying or selling cryptocurrencies or even transferring assets to other accounts.
– Fund extraction: If the cookies contain session information and authentication tokens, the malicious extension can bypass two-factor authentication (2FA) and directly initiate fund withdrawals, transferring the user’s cryptocurrencies to a wallet controlled by the attacker.
– Access sensitive information: The malicious extension can access and collect sensitive information in the user’s trading platform account, such as identification documents, addresses, etc., which could be used for further identity theft or fraud.
– Modify account settings: The malicious extension can modify the user’s account settings, such as the linked email address and phone number, further gaining control over the account and stealing more information.
– Impersonation for social engineering attacks: Utilizing the user’s account, the malicious extension can conduct social engineering attacks, such as sending scam messages to the user’s contacts, enticing them to perform insecure operations or provide more sensitive information.
Countermeasures
After reading all this, users may wonder, what should we do? Should we disconnect from the internet? Use a separate computer for operations? Avoid logging into platforms through web browsers? There are many extreme suggestions floating around online, but in reality, we can learn how to reasonably guard against such risks:
Countermeasures for individual users:
– Enhance personal security awareness: The first suggestion for prevention is to enhance personal security awareness and always maintain a skeptical attitude.
– Install extensions from trusted sources only: Install extensions from the Chrome Web Store or other trusted sources and read user reviews and permission requests, avoiding granting unnecessary access permissions to extensions.
– Use a secure browser environment: Avoid installing extensions from unknown sources and regularly review and remove unnecessary extensions. Install different browsers to separate the plugin browser from the browser used for trading and fund management.
– Regularly check account activity: Regularly check account login activity and transaction records and take immediate action if any suspicious behavior is detected.
– Remember to log out: Remember to log out after using a web platform. Many people, for convenience, do not click “logout” after completing their operations on a platform. This habit poses security risks.
– Use hardware wallets: For large assets, use hardware wallets for storage to enhance security.
– Browser settings and security tools: Use secure browser settings and extensions (such as ad-blockers and privacy protection tools) to reduce the risk of malicious extensions.
– Use security software: Install and use security software to detect and prevent malicious extensions and other malicious software.
Lastly, here are risk control suggestions for platforms. By implementing these measures, trading platforms can reduce the security risks brought by malicious Chrome extensions:
– Enforce two-factor authentication (2FA):
– Enable 2FA globally: Require all users to enable two-factor authentication (2FA) when logging in and performing important operations (such as trading, placing orders, fund withdrawals) to ensure that even if a user’s cookies are stolen, attackers cannot easily access their accounts.
– Multiple authentication methods: Support multiple 2FA methods, such as SMS, email, Google Authenticator, and hardware tokens.
– Session management and security:
– Device management: Provide users with the ability to view and manage logged-in devices, allowing them to log out of suspicious devices at any time.
– Session timeout: Implement session timeout policies to automatically log out long inactive sessions, reducing the risk of session hijacking.
– IP address and geolocation monitoring: Detect and alert users of login attempts from abnormal IP addresses or geolocations, and block these logins if necessary.
– Strengthen account security settings:
– Security notifications: Immediately send users notifications about important account activities such as login, password changes, fund withdrawals, etc., through email or SMS to alert them of any suspicious activities.
– Account freezing function: Provide users with an option to quickly freeze their accounts in emergency situations to control the extent of damage.
– Strengthen monitoring and risk control systems:
– Anomaly behavior detection: Use machine learning and big data analysis to monitor user behavior and identify abnormal trading patterns and account activities, intervening in risk control in a timely manner.
– Risk control alerts: Provide warnings and restrictions for suspicious behaviors such as frequent changes to account information and frequent failed login attempts.
– Provide security education and tools to users:
– Security education: Use official social media accounts, email, and in-platform notifications to educate users about security knowledge, reminding them of the risks of browser extensions and how to protect their accounts.
– Security tools: Provide official browser plugins or extensions to help users enhance account security, detect and alert them to potential security threats.
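As an added example (not the article’s own code nor any platform’s implementation), the function below shows how the session-timeout, IP/geolocation-binding and step-up 2FA controls listed above can be combined into one server-side check on a request that presents a session cookie; the timeouts, the session and request shapes, and the sample data are assumptions made for this illustration.

```javascript
// Added example: server-side authorization of a request bearing a session cookie.
// Constants and data shapes are assumptions for this illustration.
const IDLE_TIMEOUT_MS = 15 * 60 * 1000;   // log out sessions idle for more than 15 minutes
const STEP_UP_WINDOW_MS = 5 * 60 * 1000;  // 2FA must have been verified within 5 minutes
const SENSITIVE_ACTIONS = new Set(["withdraw", "trade", "change_email", "change_phone"]);

// Returns { decision: "allow" | "deny" | "challenge_2fa", reason, alert }.
// `alert` marks events the platform should notify the user about.
function authorizeRequest(session, request, now) {
  if (now - session.lastSeen > IDLE_TIMEOUT_MS) {
    return { decision: "deny", reason: "session expired by idle timeout", alert: false };
  }
  // A cookie replayed from another network is the typical signature of cookie theft:
  // the victim's browser is still on its own IP while the stolen session appears elsewhere.
  if (request.ip !== session.ip || request.country !== session.country) {
    return { decision: "deny", reason: "session bound to a different IP/geolocation", alert: true };
  }
  if (SENSITIVE_ACTIONS.has(request.action)) {
    const fresh = session.twoFactorVerifiedAt !== undefined &&
      now - session.twoFactorVerifiedAt <= STEP_UP_WINDOW_MS;
    if (!fresh) {
      return { decision: "challenge_2fa", reason: "sensitive action requires fresh 2FA", alert: false };
    }
  }
  return { decision: "allow", reason: "ok", alert: false };
}

// Constructed sample data (documentation IP ranges): one live session, three requests.
const T0 = Date.parse("2024-06-03T10:00:00Z");
const victimSession = {
  userId: 42, ip: "203.0.113.10", country: "JP",
  lastSeen: T0, twoFactorVerifiedAt: T0 - 60 * 60 * 1000, // 2FA done an hour ago
};
const victimViewsBalance = { action: "view_balance", ip: "203.0.113.10", country: "JP" };
const victimWithdraws = { action: "withdraw", ip: "203.0.113.10", country: "JP" };
const replayedCookie = { action: "withdraw", ip: "198.51.100.7", country: "NL" };

console.log(authorizeRequest(victimSession, victimViewsBalance, T0 + 60 * 1000)); // allow
console.log(authorizeRequest(victimSession, victimWithdraws, T0 + 60 * 1000));   // challenge_2fa
console.log(authorizeRequest(victimSession, replayedCookie, T0 + 60 * 1000));    // deny + alert
```

Strict IP binding produces false positives on mobile and corporate networks where addresses change, so many platforms treat an IP or country change as an alert-and-re-authenticate signal rather than a hard block.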
Conclusion
To be honest, from a technical perspective, implementing every risk control measure mentioned above may not always be the best approach. Security and business needs must be balanced, because prioritizing security too heavily can degrade the user experience. For example, requiring two-factor authentication for every order may be inconvenient for users, and some will disable it for the sake of speed; in doing so they inadvertently make things more convenient for hackers. Once cookies are stolen, even when withdrawals are blocked, hackers can still engage in fraudulent activities with the account, causing financial losses for users. Therefore, different platforms and users may require different risk control measures. Where the balance between security and business lies is a question each platform weighs differently. We hope that platforms can protect user accounts and assets while still considering user experience.