Title: Understanding Chrome Extensions: Risks and Precautions
By: 23pds of SlowMist Security Team
Background:
On June 3, 2024, Twitter user @CryptoNakamao shared their experience of losing $1 million due to downloading a malicious Chrome extension called Aggr. This incident raised concerns among the cryptocurrency community about the risks of extensions and the security of their own assets. On May 31, SlowMist Security Team published an analysis of the deceptive Chrome extension theft, providing a detailed breakdown of the malicious Aggr extension’s tactics. Recognizing that many users lack background knowledge about browser extensions, SlowMist’s Chief Information Security Officer, 23pds, will address six questions to explain the basics and potential risks of extensions and provide recommendations to counter extension threats. The aim is to help individual users and trading platforms enhance their account and asset security.
Question and Answer:
1. What are Chrome Extensions?
Chrome Extensions are plugins designed for the Google Chrome browser. They extend the browser’s functionality and behavior. They can customize the browsing experience, add new features or content, and interact with websites. Chrome Extensions are typically built using HTML, CSS, JavaScript, and other web technologies.
The structure of a Chrome Extension typically includes the following components:
– manifest.json: The configuration file of the extension, defining basic information such as name, version, and permissions.
– Background Scripts: Scripts running in the background of the browser, handling events and long-term tasks.
– Content Scripts: Scripts running within the webpage context, allowing direct interaction with the webpage.
– User Interface (UI): Includes browser toolbar buttons, pop-up windows, options pages, etc.
2. What are the functions of Chrome Extensions?
– Ad-blocking: Extensions can intercept and block ads on webpages, improving webpage loading speed and user experience. Examples include AdBlock and uBlock Origin.
– Privacy and Security: Some extensions enhance user privacy and security, such as preventing tracking, encrypting communications, and managing passwords. Examples include Privacy Badger and LastPass.
– Productivity Tools: Extensions can help users improve productivity, such as task management, note-taking, and time tracking. Examples include Todoist and Evernote Web Clipper.
– Developer Tools: Provide debugging and development tools for web developers, such as viewing webpage structures, debugging code, and analyzing network requests. Examples include React Developer Tools and Postman.
– Social Media and Communication: Extensions can integrate social media and communication tools, allowing users to handle social media notifications and messages while browsing. Examples include Grammarly and Facebook Messenger.
– Web Customization: Users can customize the appearance and behavior of webpages through extensions, such as changing themes, rearranging page elements, and adding extra functionality. Examples include Stylish and Tampermonkey.
– Automation Tasks: Extensions can help users automate repetitive tasks, such as automatically filling out forms or batch downloading files. Examples include iMacros and DownThemAll.
– Language Translation: Some extensions can translate webpage content in real-time, helping users understand webpages in different languages, such as Google Translate.
– Cryptocurrency Assistance: Extensions can assist users in cryptocurrency trading, such as MetaMask.
The flexibility and diversity of Chrome Extensions enable them to be applied in almost any browsing scenario, helping users efficiently complete various tasks.
3. What permissions do Chrome Extensions have after installation?
After installation, Chrome Extensions may request a series of permissions to perform specific functions. These permissions are declared in the extension’s manifest.json file and prompt users for confirmation during installation. Common permissions include:
– “All Websites”: Allows the extension to access the content of all websites. This is a broad permission that allows the extension to read and modify data on all websites.
– “Tabs”: Allows the extension to access browser tab information, such as getting currently open tabs, creating and closing tabs, etc.
– “Active Tab”: Allows the extension temporary access to the currently active tab, usually used to perform specific actions when the user clicks the extension button.
– “Storage”: Allows the extension to use Chrome’s storage API to store and retrieve data. This can be used to save extension settings, user data, etc.
– “Cookies”: Allows the extension to access and modify cookies in the browser.
– “WebRequest” and “WebRequestBlocking”: Allows the extension to intercept and modify network requests. These permissions are often used by ad-blocking and privacy protection extensions.
– “Bookmarks”: Allows the extension to access and modify browser bookmarks.
– “History”: Allows the extension to access and modify browser history.
– “Notifications”: Allows the extension to display desktop notifications.
– “ContextMenus”: Allows the extension to add custom menu items to the browser’s context menu (right-click menu).
– “Geolocation”: Allows the extension to access the user’s geographical location information.
– “ClipboardRead” and “ClipboardWrite”: Allows the extension to read and write clipboard content.
– “Downloads”: Allows the extension to manage downloads, including starting, pausing, and canceling downloads.
– “Management”: Allows the extension to manage other extensions and applications in the browser.
– “Background”: Allows the extension to run long-term tasks in the background.
– “WebNavigation”: Allows the extension to monitor and modify browser navigation behavior.
These permissions enable Chrome Extensions to perform powerful and diverse functions. However, they also mean that extensions can access users’ sensitive data, such as cookies and authentication information.
4. How can malicious Chrome Extensions steal user permissions?
Malicious Chrome Extensions can exploit the requested permissions to steal users’ permissions and authentication information because these extensions have direct access to and control over users’ browser environment and data. The specific reasons and methods are as follows:
– Broad Access Permissions: Malicious extensions often request extensive permissions, such as accessing all websites, reading and modifying browser tabs, and accessing browser storage. These permissions allow malicious extensions to have broad access to users’ browsing activities and data.
– Manipulating Network Requests: Malicious extensions can use the “webRequest” and “webRequestBlocking” permissions to intercept and modify network requests, thereby stealing users’ authentication information and sensitive data. For example, they can intercept form data when users log in to a website and obtain usernames and passwords.
– Reading and Writing Page Content: Through content scripts, malicious extensions can inject code into webpages and read and modify page content. This means they can steal any data entered by users on webpages, such as form information and search queries.
– Accessing Browser Storage: Malicious extensions can use the “storage” permission to access and store users’ local data, including browser storage (such as LocalStorage and IndexedDB) that may contain sensitive information.
– Manipulating the Clipboard: With the “clipboardRead” and “clipboardWrite” permissions, malicious extensions can read and write users’ clipboard content, thereby stealing or tampering with the information users copy and paste.
– Impersonating Legitimate Websites: Malicious extensions can modify browser content or redirect users to fake websites, tricking users into entering sensitive information.
– Long-Term Background Operation: Malicious extensions with the “background” permission can run in the background for an extended period, even when users are not actively using them. This allows them to monitor users’ activities and collect a large amount of data.
– Manipulating Downloads: By using the “downloads” permission, malicious extensions can download and execute malicious files, further jeopardizing users’ system security.
5. Why were the victims of this malicious extension’s attack vulnerable to permission theft and fund loss?
In this case, the malicious Aggr extension obtained the following permissions in its manifest.json file:
– “Cookies”
– “Tabs”
– “Storage”
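To make the manifest structure from question 1 and the permission list from question 3 concrete, here is an added example (not code from the SlowMist article or from the Aggr extension): a small Node.js script that reads a manifest object and flags the permissions that reach session data or every site. The risk ranking is this example's own judgement, not an official Chrome rating. The sample manifest is constructed: it uses the three permissions the article attributes to Aggr (cookies, tabs, storage), while the `<all_urls>` host pattern, the extension name and the script file names are assumptions of the example.

```javascript
// Added example: audit a Chrome extension manifest (Manifest V3 layout, with
// the V2 habit of putting host patterns into "permissions" also handled) and
// report which requested permissions can reach session data or every origin.

// Risk notes for the permissions the article lists. The high/medium/low
// ranking is this example's own judgement.
const PERMISSION_RISK = {
  cookies: "high: read and modify cookies for every origin the host permissions cover",
  webRequest: "high: observe every network request the browser makes",
  webRequestBlocking: "high: modify or block network requests",
  management: "high: control other installed extensions",
  tabs: "medium: enumerate open tabs and their URLs",
  clipboardRead: "medium: read whatever the user copies",
  clipboardWrite: "medium: replace what the user pastes",
  downloads: "medium: start, pause and cancel downloads",
  history: "medium: read browsing history",
  storage: "low: persist its own data locally",
  activeTab: "low: temporary access to the tab the user clicked on",
};

// Host patterns that amount to "all websites".
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions ?? [];
  const hosts = [
    ...(manifest.host_permissions ?? []),
    ...perms.filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  for (const p of perms) {
    if (PERMISSION_RISK[p]) findings.push({ item: p, note: PERMISSION_RISK[p] });
  }
  if (hosts.some((h) => ALL_SITES.has(h))) {
    findings.push({ item: "all sites", note: "high: cookies API and scripts reach every origin" });
  }
  // A content script matched against every page can read what the user types there.
  for (const cs of manifest.content_scripts ?? []) {
    if ((cs.matches ?? []).some((m) => ALL_SITES.has(m))) {
      findings.push({ item: "content_scripts on all sites", note: "high: can read and alter any page" });
    }
  }
  const high = findings.filter((f) => f.note.startsWith("high")).length;
  return { findings, high, verdict: high > 0 ? "review before installing" : "acceptable" };
}

// Constructed sample manifest. The permissions are the three the article
// attributes to Aggr; the host pattern, name, version and file names are
// assumptions made for this example.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "example-trading-helper",
  version: "1.0.0",
  permissions: ["cookies", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Run it with `node audit.js`. Chrome only lets the `cookies` API read cookies for origins covered by the extension's host permissions, so the pairing to look for is `cookies` together with `<all_urls>`: that is what gives an extension a path to a trading platform's session cookie. The manifest of an installed extension sits in its unpacked directory under the browser profile; reviewing it is a first filter, not a substitute for reading the scripts it loads.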
6. What actions can malicious Chrome Extensions take after stealing users’ cookies?
– Account Access: Malicious extensions can replay stolen cookies to impersonate the user’s logged-in session on a trading platform, thereby accessing users’ account information, including balances and transaction history.
– Performing Transactions: Stolen cookies may allow malicious extensions to perform transactions, buying or selling cryptocurrencies without the user’s consent, or even transferring assets to other accounts.
– Fund Withdrawal: If the cookies contain session information and authentication tokens, malicious extensions can bypass two-factor authentication (2FA) and initiate fund withdrawals, transferring users’ cryptocurrencies to wallets controlled by attackers.
– Accessing Sensitive Information: Malicious extensions can access and collect sensitive information in users’ trading platform accounts, such as identification documents and addresses, which can be used for further identity theft or fraudulent activities.
– Modifying Account Settings: Malicious extensions can change users’ account settings, such as bound email addresses and phone numbers, gaining further control over accounts and stealing more information.
– Social Engineering Attacks: Malicious extensions can use user accounts for social engineering attacks, such as sending scam messages to users’ contacts, inducing them to perform unsafe operations or provide more sensitive information.
Precautionary Measures:
Individual Users:
– Enhance Personal Security Awareness: The first precautionary measure is to enhance personal security awareness and maintain a skeptical attitude.
– Install Extensions from Trusted Sources: Install extensions from the Chrome Web Store or other trusted sources, and read user reviews and permission requests, avoiding granting unnecessary access permissions to extensions.
– Use a Secure Browsing Environment: Avoid installing extensions from unknown sources, regularly review and delete unnecessary extensions, and use separate browsers, one for extensions and one for trading, so that plugins are isolated from the browser that holds trading sessions.
– Regularly Check Account Activity: Regularly check account login activity and transaction records, taking immediate action if suspicious behavior is detected.
– Remember to Log Out: Remember to log out after using a web-based trading platform. Many users, for the sake of convenience, do not click the log out button after completing operations on the platform, which poses security risks.
– Use Hardware Wallets: For significant assets, use hardware wallets for storage to enhance security.
– Browser Settings and Security Tools: Use secure browser settings and extensions (such as ad-blockers and privacy protection tools) to reduce the risk of malicious extensions.
– Use Security Software: Install and use security software to detect and prevent malicious extensions and other malware.
Trading Platforms:
– Mandatory Two-Factor Authentication (2FA):
  – Enable 2FA Globally: Require all users to enable two-factor authentication (2FA) when logging in and performing important operations (such as trading, placing orders, fund withdrawals) to ensure that even if users’ cookies are stolen, attackers cannot easily access their accounts.
  – Multiple Authentication Methods: Support multiple 2FA methods, such as SMS, email, Google Authenticator, and hardware tokens.
– Session Management and Security:
  – Device Management: Provide users with the ability to view and manage logged-in devices, allowing them to log out of unfamiliar devices at any time.
  – Session Timeout: Implement session timeout policies to automatically log out inactive sessions, reducing the risk of session hijacking.
  – IP Address and Geolocation Monitoring: Detect and alert users of login attempts from abnormal IP addresses or locations and block them if necessary.
– Strengthen Account Security Settings:
  – Security Notifications: Instantly send users notifications about important account activities, such as account logins, password changes, and fund withdrawals, to alert users of any suspicious activities.
  – Account Freezing Function: Provide users with an option to quickly freeze their accounts in emergencies, controlling the extent of damage in case of compromise.
– Enhanced Monitoring and Risk Control Systems:
  – Abnormal Behavior Detection: Use machine learning and big data analysis to monitor user behavior, identifying abnormal trading patterns and account activities for timely risk control intervention.
  – Risk Warning: Warn and restrict suspicious behaviors, such as frequent changes to account information and frequent unsuccessful login attempts.
– Provide Security Education and Tools to Users:
  – Security Education: Educate users about security knowledge through official social media accounts, emails, and in-platform notifications, highlighting the risks of browser extensions and how to protect their accounts.
  – Security Tools: Provide official browser plugins or extensions to help users enhance account security, detecting and alerting users of potential security threats.
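As an added example of the session-management and 2FA measures listed above (not code from the article or from any trading platform), the following Node.js sketch keeps sessions in memory and enforces three rules: a withdrawal needs a fresh 2FA code even when the session cookie is valid, idle sessions expire, and a session id that reappears from a different IP address is revoked with an alert recorded. The timeouts, user id, session ids, 2FA code and the RFC 5737 documentation IP addresses are constructed placeholders, and `verifyTotp` stands in for a real authenticator check.

```javascript
// Added example: server-side session rules for a trading platform, so that a
// stolen session cookie on its own cannot withdraw funds. All values are
// constructed for illustration.

const IDLE_TIMEOUT_MS = 15 * 60 * 1000;  // assumption: idle sessions end after 15 minutes
const STEP_UP_WINDOW_MS = 5 * 60 * 1000; // assumption: a 2FA pass covers sensitive ops for 5 minutes

const sessions = new Map(); // sessionId -> { userId, ip, lastSeen, stepUpAt, revoked }
const alerts = [];          // constructed stand-in for the platform's notification channel

// Constructed 2FA codes; verifyTotp replaces a real TOTP or hardware-token check.
const EXPECTED_CODES = { "user-1": "123456" };
function verifyTotp(userId, code) {
  return EXPECTED_CODES[userId] === code;
}

function createSession(sessionId, userId, ip, now) {
  sessions.set(sessionId, { userId, ip, lastSeen: now, stepUpAt: null, revoked: false });
}

// Every request passes through here: enforce the idle timeout and bind the
// session to the address it was created from. A replayed cookie from another
// address is refused, the session revoked, and an alert recorded.
function touchSession(sessionId, ip, now) {
  const s = sessions.get(sessionId);
  if (!s || s.revoked) return { ok: false, reason: "no session" };
  if (now - s.lastSeen > IDLE_TIMEOUT_MS) {
    s.revoked = true;
    return { ok: false, reason: "idle timeout" };
  }
  if (ip !== s.ip) {
    alerts.push({ userId: s.userId, event: "session used from new IP", from: s.ip, to: ip });
    s.revoked = true;
    return { ok: false, reason: "ip mismatch" };
  }
  s.lastSeen = now;
  return { ok: true, userId: s.userId };
}

// Step-up authentication: a valid session plus a fresh 2FA code.
function stepUp(sessionId, ip, code, now) {
  const t = touchSession(sessionId, ip, now);
  if (!t.ok) return t;
  if (!verifyTotp(t.userId, code)) return { ok: false, reason: "bad 2fa" };
  sessions.get(sessionId).stepUpAt = now;
  return { ok: true };
}

// Withdrawal: refused unless step-up happened within the window, regardless of
// how valid the session cookie is. Every withdrawal is also notified.
function withdraw(sessionId, ip, amount, now) {
  const t = touchSession(sessionId, ip, now);
  if (!t.ok) return t;
  const s = sessions.get(sessionId);
  if (s.stepUpAt === null || now - s.stepUpAt > STEP_UP_WINDOW_MS) {
    return { ok: false, reason: "2fa required" };
  }
  alerts.push({ userId: s.userId, event: "withdrawal", amount });
  return { ok: true, amount };
}

// Device management: list a user's live sessions and let them revoke one.
function listSessions(userId) {
  return [...sessions.entries()]
    .filter(([, s]) => s.userId === userId && !s.revoked)
    .map(([id, s]) => ({ sessionId: id, ip: s.ip, lastSeen: s.lastSeen }));
}
function revokeSession(sessionId) {
  const s = sessions.get(sessionId);
  if (s) s.revoked = true;
  return Boolean(s);
}

// Walk through the case in the article: the user withdraws after step-up, then
// the same cookie value is replayed from another address.
function runScenario() {
  const userIp = "203.0.113.5";   // constructed, RFC 5737 range
  const thiefIp = "198.51.100.9"; // constructed, RFC 5737 range
  createSession("sid-A", "user-1", userIp, 0);
  return [
    withdraw("sid-A", userIp, 100, 1000),     // 2fa required
    stepUp("sid-A", userIp, "123456", 2000),  // ok
    withdraw("sid-A", userIp, 100, 3000),     // ok, amount 100
    withdraw("sid-A", thiefIp, 100, 4000),    // ip mismatch, session revoked, alert recorded
    withdraw("sid-A", userIp, 100, 5000),     // no session (already revoked)
  ];
}

console.log(runScenario());
console.log(alerts);
```

Binding a session strictly to one IP is a deliberate simplification for the example; a production platform would more often compare geolocation or device fingerprint and alert rather than revoke, since mobile users change addresses routinely. The point that carries over unchanged is the withdrawal gate: the session cookie authenticates the browser, not the person, so the sensitive operation demands its own proof.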
In conclusion, from a technical perspective, implementing every one of the risk control measures above is not always the best approach. Security and business needs must be balanced, and excessive security measures can hurt the user experience. For example, requiring secondary authentication for placing orders may lead users to disable it for the sake of convenience. Unfortunately, that convenience benefits not only the users but also potential hackers: once the cookies are stolen, the user has no remaining check to stop a withdrawal, hackers take advantage of the situation, and the user loses their assets. Therefore, different platforms and users may require different risk control approaches. Each platform has its own considerations in balancing security and business needs; the hope is that platforms prioritize user experience while still ensuring the security of user accounts and assets.