Background
On June 3, 2024, Twitter user @CryptoNakamao shared their experience of having $1 million stolen due to downloading a malicious Chrome extension called Aggr. This incident raised concerns among the cryptocurrency community about the risks associated with extensions and the security of their own assets. On May 31, the SlowMist Security Team published an analysis of the malicious Aggr extension in an article titled “A Wolf in Sheep’s Clothing: Analysis of a Fake Chrome Extension Theft.” Considering that many users lack background knowledge of browser extensions, SlowMist’s Chief Information Security Officer, 23pds, aims to provide an explanation of the basics of extensions and the potential risks through a Q&A format. Their goal is to offer advice on how to mitigate extension-related risks and help individual users and trading platforms enhance the security of their accounts and assets.
Q&A
1. What are Chrome extensions?
Chrome extensions are plugins designed for the Google Chrome browser that extend its functionality and behavior. They can customize users’ browsing experiences, add new features or content, and interact with websites. Chrome extensions are typically built using HTML, CSS, JavaScript, and other web technologies.
The structure of a Chrome extension generally includes the following components:
– manifest.json: This is the extension’s configuration file, which defines basic information such as its name, version, and permissions.
– Background Scripts: These scripts run in the background of the browser and handle events and long-term tasks.
– Content Scripts: These scripts run in the context of web pages and can directly interact with them.
– User Interface (UI): This includes browser toolbar buttons, pop-up windows, options pages, and more.
2. What are the functions of Chrome extensions?
Chrome extensions serve various purposes, including:
– Ad-blocking: Extensions can block and prevent ads on web pages, improving page load speed and user experience. Examples include AdBlock and uBlock Origin.
– Privacy and security: Some extensions enhance user privacy and security by preventing tracking, encrypting communication, and managing passwords. Examples include Privacy Badger and LastPass.
– Productivity tools: Extensions can help users increase productivity by managing tasks, taking notes, tracking time, and more. Examples include Todoist and Evernote Web Clipper.
– Developer tools: These provide debugging and development tools for web developers, such as inspecting web page structures, debugging code, and analyzing network requests. Examples include React Developer Tools and Postman.
– Social media and communication: Extensions can integrate social media and communication tools, allowing users to handle social media notifications and messages while browsing. Examples include Grammarly and Facebook Messenger.
– Web customization: Users can customize the appearance and behavior of web pages using extensions, such as changing themes, rearranging page elements, and adding extra functionality. Examples include Stylish and Tampermonkey.
– Automation tasks: Extensions can help users automate repetitive tasks, such as auto-filling forms and batch downloading files. Examples include iMacros and DownThemAll.
– Language translation: Some extensions can translate web page content in real-time, helping users understand web pages in different languages, such as Google Translate.
– Cryptocurrency assistance: Extensions can facilitate easier cryptocurrency transactions, such as MetaMask.
The flexibility and diversity of Chrome extensions allow them to be applied to almost any browsing scenario, helping users efficiently accomplish various tasks.
3. What permissions do Chrome extensions have after installation?
After installation, Chrome extensions may request a range of permissions to perform specific functions. These permissions are declared in the extension’s manifest.json file and are presented to the user for confirmation during installation. Common permissions include:
– <all_urls>: This host permission allows the extension to access the content of all websites. It is a broad permission that enables the extension to read and modify data from every site the user visits.
– “tabs”: This permission allows the extension to access information about browser tabs, including getting the currently open tabs, creating and closing tabs, and more.
– “activeTab”: This permission allows the extension temporary access to the currently active tab, usually used to perform specific actions when the user clicks the extension button.
– “storage”: This permission allows the extension to use Chrome’s storage API to store and retrieve data. It can be used to save extension settings, user data, and more.
– “cookies”: This permission allows the extension to access and modify cookies in the browser.
– “webRequest” and “webRequestBlocking”: These permissions allow the extension to intercept and modify network requests. They are often used by ad-blocking and privacy protection extensions.
– “bookmarks”: This permission allows the extension to access and modify the browser’s bookmarks.
– “history”: This permission allows the extension to access and modify the browser’s history.
– “notifications”: This permission allows the extension to display desktop notifications.
– “contextMenus”: This permission allows the extension to add custom menu items to the browser’s context menu (right-click menu).
– “geolocation”: This permission allows the extension to access the user’s geographical location information.
– “clipboardRead” and “clipboardWrite”: These permissions allow the extension to read and write clipboard contents.
– “downloads”: This permission allows the extension to manage downloads, including starting, pausing, and canceling downloads.
– “management”: This permission allows the extension to manage other extensions and applications in the browser.
– “background”: This permission allows the extension to run long-term tasks in the background.
– “webNavigation”: This permission allows the extension to monitor and modify browser navigation behavior.
These permissions allow Chrome extensions to perform powerful and diverse functions, but they also mean that extensions can potentially access sensitive user data, such as cookies and authentication information.
4. How can malicious Chrome extensions steal user permissions?
Malicious Chrome extensions can abuse the permissions they request to hijack user sessions and steal authentication information, because these extensions have direct access to and control over the user’s browser environment and data. The specific reasons and methods are as follows:
Broad permissions access: Malicious extensions often request a large number of permissions, such as access to all websites, reading and modifying browser tabs, accessing browser storage, and more. These permissions allow malicious extensions to widely access a user’s browsing activities and data.
Manipulating network requests: Malicious extensions can use webRequest and webRequestBlocking permissions to intercept and modify network requests, thereby stealing user authentication information and sensitive data. For example, they can intercept form data when a user logs into a website, obtaining usernames and passwords.
Reading and writing page content: Through content scripts, malicious extensions can embed code into web pages to read and modify page content. This means they can steal any data entered by users on the web page, such as form information and search queries.
Accessing browser storage: Malicious extensions can use storage permissions to access and store a user’s local data, including browser storage (such as LocalStorage and IndexedDB) that may contain sensitive information.
Manipulating the clipboard: With clipboardRead and clipboardWrite permissions, malicious extensions can read and write the contents of a user’s clipboard, allowing them to steal or manipulate copied and pasted information.
Impersonating legitimate websites: Malicious extensions can modify browser content or redirect users to fake websites, deceiving them into entering sensitive information.
Running in the background for extended periods: Malicious extensions with background permissions can continue running in the background, even when users are not actively using them. This allows them to monitor user activity for a long time and collect a large amount of data.
Manipulating downloads: Using downloads permissions, malicious extensions can download and execute malicious files, further compromising a user’s system security.
5. Why were the victims of this malicious extension at risk of having their permissions and funds stolen?
In this case, the malicious Aggr extension had requested exactly the kind of permissions described above. Here is an excerpt from the permissions section of the extension’s manifest.json file:
– cookies
– tabs
– storage
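The permission set quoted above is what a defender should look for when reviewing installed extensions. As an added illustration (not code from SlowMist or from the Aggr analysis), the following Python script parses the manifest.json files under a Chrome profile's Extensions directory and rates each extension by the API and host permissions it declares; the risk tiers and the sample manifest are constructed for this example.

```python
import json
from pathlib import Path

# Constructed risk tiers for this example; the permission names themselves are real Chrome keys.
HIGH_RISK = {"cookies", "webRequest", "webRequestBlocking", "debugger", "management"}
MEDIUM_RISK = {"tabs", "storage", "clipboardRead", "clipboardWrite",
               "downloads", "history", "webNavigation"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess_manifest(manifest: dict) -> dict:
    """Rate one parsed manifest.json by the permissions it declares."""
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):      # content scripts also declare hosts
        hosts |= set(cs.get("matches", []))
    findings = []
    if perms & HIGH_RISK:
        findings.append("high-risk APIs: " + ", ".join(sorted(perms & HIGH_RISK)))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: can read and modify every site")
    if "cookies" in perms and hosts & BROAD_HOSTS:
        findings.append("cookies + broad hosts: can export session cookies of any site")
    if perms & MEDIUM_RISK:
        findings.append("data-access APIs: " + ", ".join(sorted(perms & MEDIUM_RISK)))
    if perms & HIGH_RISK or hosts & BROAD_HOSTS:
        level = "high"
    elif perms & MEDIUM_RISK:
        level = "medium"
    else:
        level = "low"
    return {"name": manifest.get("name", "<unnamed>"), "level": level, "findings": findings}

def scan_profile(profile_dir: str) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and rate each extension."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = []
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        with open(path, encoding="utf-8") as fh:
            report = assess_manifest(json.load(fh))
        report["id"] = path.parents[1].name        # the extension id directory
        results.append(report)
    return sorted(results, key=lambda r: order[r["level"]])

# Constructed sample: the permissions the article quotes for Aggr, plus a broad host
# pattern added here for illustration (not taken from the real extension).
SAMPLE_EXTENSION = {"name": "sample-cookie-stealer", "manifest_version": 3,
                    "permissions": ["cookies", "tabs", "storage"],
                    "host_permissions": ["<all_urls>"]}
```

Point scan_profile at a Chrome user-data profile directory (for example the Default profile) to list the installed extensions from highest to lowest risk.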
6. What actions can malicious Chrome extensions take after stealing user cookies?
After stealing user cookies, malicious extensions can perform various actions, including:
– Accessing accounts: Malicious extensions can use stolen cookies to simulate user logins to trading platform accounts, gaining access to users’ account information, including balances and transaction histories.
– Conducting transactions: Stolen cookies may allow malicious extensions to perform transactions, such as buying or selling cryptocurrencies, without the user’s consent, or even transferring assets to other accounts.
– Withdrawing funds: If the cookies carry session information and authentication tokens for a session that has already passed two-factor authentication (2FA), malicious extensions can sidestep the 2FA challenge and initiate fund withdrawals, transferring a user’s cryptocurrencies to a wallet controlled by the attacker.
– Accessing sensitive information: Malicious extensions can access and collect sensitive information in a user’s trading platform account, such as identification documents and addresses, which could be used for further identity theft or fraudulent activities.
– Modifying account settings: Malicious extensions can change a user’s account settings, such as the associated email address and phone number, further gaining control over the account and stealing more information.
– Impersonating users for social engineering attacks: By using a user’s account, malicious extensions can conduct social engineering attacks, such as sending scam messages to the user’s contacts, enticing them to perform insecure actions or provide more sensitive information.
Countermeasures
Upon reading this, users may wonder what they can do, such as disconnecting from the internet, using a separate computer for operations, or not logging into platforms through webpages. There have been many extreme opinions online, but in reality, we can learn how to reasonably guard against these risks:
Countermeasures for individual users:
– Enhance personal security awareness: The first preventive measure is to enhance personal security awareness and maintain a skeptical attitude.
– Install extensions from trusted sources only: Install extensions from the Chrome Web Store or other trusted sources, and read user reviews and permission requests, avoiding granting unnecessary access to extensions.
– Use a secure browser environment: Avoid installing extensions from unknown sources, regularly review and remove unnecessary extensions, and use separate browsers for extension-heavy browsing and for fund transactions.
– Regularly check account activity: Regularly check account login activity and transaction records, taking immediate action if any suspicious behavior is found.
– Remember to log out: After using a web-based platform, remember to log out. Many people, for the sake of convenience, do not click the logout button after completing their tasks on the platform, which poses security risks.
– Use hardware wallets: For large assets, use hardware wallets to store cryptocurrencies and enhance security.
– Browser settings and security tools: Use secure browser settings and extensions (such as ad-blockers and privacy protection tools) to reduce the risk of malicious extensions.
– Use security software: Install and use security software to detect and prevent malicious extensions and other malicious software.
Lastly, here are risk control recommendations for platforms. By implementing these measures, trading platforms can reduce the security risks posed by malicious Chrome extensions:
– Enforce the use of two-factor authentication (2FA):
  – Enable 2FA globally: Require all users to enable 2FA when logging in and performing important operations (such as trading, placing orders, and fund withdrawals) to ensure that even if a user’s cookies are stolen, attackers cannot easily access the account.
  – Multiple authentication methods: Support multiple 2FA methods, such as SMS, email, Google Authenticator, and hardware tokens.
– Session management and security:
  – Device management: Provide users with the ability to view and manage their logged-in devices, allowing them to log out of suspicious devices at any time.
  – Session timeouts: Implement session timeout policies to automatically log out inactive sessions, reducing the risk of session hijacking.
  – IP address and geolocation monitoring: Detect and alert users of login attempts from unusual IP addresses or locations, and block these logins if necessary.
– Strengthen account security settings:
  – Security notifications: Send users immediate notifications about important account activities, such as login attempts, password changes, and fund withdrawals, to alert them of any unusual activities.
  – Account freezing feature: Provide users with an option to quickly freeze their accounts in emergency situations to control the extent of damage in case of a compromise.
– Enhance monitoring and risk control systems:
  – Abnormal behavior detection: Use machine learning and big data analysis to monitor user behavior, identify abnormal transaction patterns and account activities, and intervene in risk control in a timely manner.
  – Risk control alerts: Alert and restrict suspicious behaviors, such as frequent changes to account information and frequent failed login attempts.
– Provide security education and tools to users:
  – Security education: Educate users about security knowledge through official social media accounts, emails, platform notifications, and other channels, raising their awareness of the risks associated with browser extensions and how to protect their accounts.
  – Security tools: Provide official browser plugins or extensions to help users enhance account security, detect and alert them to potential security threats.
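The session-management and 2FA recommendations above can be combined into a single server-side check. As an added example that is not any platform's actual code, this Python class binds a session cookie to the client that created it, expires idle sessions, alerts on reuse from a different client, and demands a fresh 2FA confirmation before sensitive actions; the timeouts, action names and alert mechanism are assumptions made for the example.

```python
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity after which the session is dropped
STEP_UP_WINDOW = 5 * 60  # one 2FA confirmation covers sensitive actions for this long
SENSITIVE = {"withdraw", "change_email", "change_phone", "create_api_key"}

@dataclass
class Session:
    user: str
    ip: str
    user_agent: str
    last_seen: float
    step_up_at: float = 0.0  # time of the latest 2FA confirmation, 0 = never

class SessionGuard:
    """Server-side session checks (a hypothetical design, not any exchange's code)."""
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so tests can move time forward
        self.sessions = {}        # cookie token -> Session
        self.alerts = []          # messages a real system would push to the user

    def login(self, token, user, ip, user_agent):
        self.sessions[token] = Session(user, ip, user_agent, self.clock())

    def confirm_2fa(self, token, ip, user_agent):
        """A passed 2FA challenge re-binds the session to the current client."""
        s = self.sessions[token]
        s.ip, s.user_agent, s.step_up_at = ip, user_agent, self.clock()

    def authorize(self, token, action, ip, user_agent) -> str:
        """Return 'allow', 'step_up' (2FA required first) or 'deny' (session gone)."""
        s = self.sessions.get(token)
        now = self.clock()
        if s is None or now - s.last_seen > IDLE_TIMEOUT:
            self.sessions.pop(token, None)
            return "deny"
        # A replayed cookie normally arrives from a different network and browser
        # than the one that logged in: alert the user and demand fresh 2FA for anything.
        if ip != s.ip or user_agent != s.user_agent:
            self.alerts.append(f"{s.user}: session reused from {ip} ({user_agent})")
            s.step_up_at = 0.0
            return "step_up"
        s.last_seen = now
        if action in SENSITIVE and now - s.step_up_at > STEP_UP_WINDOW:
            return "step_up"   # the cookie alone is not enough for withdrawals etc.
        return "allow"
```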
Conclusion
To be honest, from a technical perspective, implementing all of the risk control measures mentioned above is not always the best approach. Security and business needs must be balanced, because overemphasizing security degrades the user experience. For example, requiring two-factor authentication for every order may lead users to turn 2FA off for the sake of convenience, and that convenience then serves the attacker as much as the user: once cookies are stolen, the hacker can engage in fraudulent activities without facing any further challenge. Therefore, different platforms and users may require different risk control methods. Where the balance point between security and business lies varies from platform to platform. It is hoped that platforms will consider user experience while also protecting user accounts and assets.