Author: 23pds@SlowMist Security Team
Background
On June 3, 2024, Twitter user @CryptoNakamao shared their experience of having $1 million stolen after downloading a malicious Chrome extension called Aggr. The incident raised concerns in the cryptocurrency community about the risks of browser extensions and the safety of users’ own crypto assets. On May 31, the SlowMist Security Team published an analysis of this deceptive extension in an article titled “The Wolf in Sheep’s Clothing: Analysis of a Fake Chrome Extension”, which described the Aggr extension’s malicious behavior in detail. Because many users lack background knowledge about browser extensions, 23pds, Chief Information Security Officer at SlowMist, uses a Q&A format in this article to explain the basics of extensions and the risks they carry. The article also gives recommendations for mitigating extension risks, in the hope of helping both individual users and trading platforms better protect their accounts and assets.
FAQ
1. What is a Chrome extension?
A Chrome extension is a plugin designed for the Google Chrome browser that extends its functionality and behavior. Extensions can customize a user’s browsing experience, add new features or content, or interact with websites. Chrome extensions are typically built with HTML, CSS, JavaScript, and other web technologies.
The structure of a Chrome extension usually includes the following components:
– manifest.json: The configuration file of the extension, which defines its basic information such as name, version, permissions, etc.
– Background Scripts: Scripts that run in the background of the browser, handling events and long-term tasks.
– Content Scripts: Scripts that run in the context of a web page, allowing direct interaction with the page.
– User Interface (UI): Elements such as browser toolbar buttons, pop-up windows, option pages, etc.
2. What are the functions of Chrome extensions?
Chrome extensions have various functions, including:
– Ad-blocking: Extensions can intercept and block ads on web pages, improving page loading speed and user experience. Examples include AdBlock and uBlock Origin.
– Privacy and security: Some extensions enhance user privacy and security, such as preventing tracking, encrypting communication, and managing passwords. Examples include Privacy Badger and LastPass.
– Productivity tools: Extensions can help users improve productivity, such as task management, note-taking, and time tracking. Examples include Todoist and Evernote Web Clipper.
– Developer tools: Provide debugging and development tools for web developers, such as viewing page structures, debugging code, analyzing network requests, etc. Examples include React Developer Tools and Postman.
– Social media and communication: Extensions can integrate social media and communication tools, allowing users to handle social media notifications and messages while browsing the web. Examples include Grammarly and Facebook Messenger.
– Web customization: Users can customize the appearance and behavior of web pages through extensions, such as changing themes, rearranging page elements, adding additional functionality, etc. Examples include Stylish and Tampermonkey.
– Automation tasks: Extensions can help users automate repetitive tasks, such as automatically filling out forms or batch downloading files. Examples include iMacros and DownThemAll.
– Language translation: Some extensions can translate web page content in real-time, helping users understand web pages in different languages, such as Google Translate.
– Cryptocurrency assistance: Extensions can assist users in cryptocurrency trading, such as MetaMask.
The flexibility and diversity of Chrome extensions allow them to be applied to almost any browsing scenario, helping users complete various tasks more efficiently.
3. What permissions do Chrome extensions have after installation?
After installation, Chrome extensions may request a series of permissions in order to perform specific functions. These permissions are declared in the extension’s manifest.json file and are presented to the user for confirmation during installation. Common permissions include:
– All websites: Allows the extension to access the content of all websites. This is a broad permission that allows the extension to read and modify data on all websites.
– Tabs: Allows the extension to access information about browser tabs, including getting the currently open tabs, creating and closing tabs, etc.
– ActiveTab: Allows the extension temporary access to the currently active tab, usually used to perform specific actions when the user clicks the extension button.
– Storage: Allows the extension to use Chrome’s storage API to store and retrieve data. This can be used to save extension settings, user data, etc.
– Cookies: Allows the extension to access and modify cookies in the browser.
– WebRequest and WebRequestBlocking: Allows the extension to intercept and modify network requests. These permissions are often used by ad-blocking and privacy protection extensions.
– Bookmarks: Allows the extension to access and modify bookmarks in the browser.
– History: Allows the extension to access and modify the browsing history in the browser.
– Notifications: Allows the extension to display desktop notifications.
– ContextMenus: Allows the extension to add custom menu items to the browser’s context menu (right-click menu).
– Geolocation: Allows the extension to access the user’s geographical location information.
– ClipboardRead and ClipboardWrite: Allows the extension to read and write clipboard content.
– Downloads: Allows the extension to manage downloads, including starting, pausing, and canceling downloads.
– Management: Allows the extension to manage other extensions and applications in the browser.
– Background: Allows the extension to run long-term tasks in the background.
– WebNavigation: Allows the extension to monitor and modify browser navigation behavior.
These permissions allow Chrome extensions to perform many powerful and diverse functions, but they also mean an extension may have access to sensitive user data, such as cookies and authentication information.
4. How can malicious Chrome extensions steal user permissions?
Malicious Chrome extensions can steal user permissions and authentication information by exploiting the requested permissions, as these extensions have direct access to and control over the user’s browser environment and data. The specific reasons and methods are as follows:
– Broad permission access: Malicious extensions often request a large number of permissions, such as accessing all websites, reading and modifying browser tabs, accessing browser storage, etc. These permissions allow malicious extensions to have wide access to a user’s browsing activities and data.
– Manipulating network requests: Malicious extensions can use the webRequest and webRequestBlocking permissions to intercept and modify network requests, thereby stealing user authentication information and sensitive data. For example, they can intercept form data when a user logs into a website and obtain their username and password.
– Reading and writing page content: Through content scripts, malicious extensions can inject code into web pages and read or modify the page content. This means they can steal any data entered by the user on the web page, such as form information, search queries, etc.
– Accessing browser storage: Malicious extensions can use the storage permission to access and store the user’s local data, including browser storage that may contain sensitive information (such as LocalStorage and IndexedDB).
– Manipulating the clipboard: With the clipboardRead and clipboardWrite permissions, malicious extensions can read and write the user’s clipboard content, thereby stealing or tampering with the information copied and pasted by the user.
– Impersonating legitimate websites: Malicious extensions can modify the content of the browser or redirect the user to a different website to impersonate a legitimate website, tricking the user into entering sensitive information.
– Running in the background for a long time: Malicious extensions with the background permission can run continuously in the background, even if the user is not actively using them. This allows them to monitor user activity for a long time and collect a large amount of data.
– Manipulating downloads: With the downloads permission, malicious extensions can download and execute malicious files, further compromising the user’s system security.
5. Why were the victims of this malicious extension targeted and suffered financial losses?
The victims of this malicious Aggr extension were targeted and suffered financial losses because the extension managed to obtain the permissions mentioned above. Here is a snippet of the permissions declared in the manifest.json file of this malicious plugin:
– Cookies
– Tabs
– Storage
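The permission declarations in sections 3 to 5 above are what a defender can check before (or after) installing an extension. The following audit script is an added example written for this article, not code from SlowMist or from the Aggr extension; it parses manifest.json files (both Manifest V2, where host patterns sit inside "permissions", and V3, where they sit in "host_permissions") and flags the combination this article describes: the cookies permission together with host access. The two sample manifests are constructed and the risk tiers are the author’s grouping of the permissions listed above.

```python
import json
from pathlib import Path

# Permissions from the list above that expose session or credential data directly.
HIGH_RISK = {"cookies", "webRequest", "webRequestBlocking", "clipboardRead",
             "management", "downloads", "history"}
# Permissions that widen reach but are not enough on their own to steal a session.
MEDIUM_RISK = {"tabs", "storage", "webNavigation", "background"}
# Host patterns that amount to "all websites".
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def classify(manifest: dict) -> dict:
    """Return risk findings for one parsed manifest.json (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "/" in p or p == "<all_urls>"}
    findings = {
        "name": manifest.get("name", "?"),
        "all_sites": bool(hosts & ALL_SITES),
        "high": sorted(perms & HIGH_RISK),
        "medium": sorted(perms & MEDIUM_RISK),
    }
    # chrome.cookies only returns cookies for hosts the extension may access, so
    # cookies plus host access is the pattern behind the Aggr-style session theft.
    findings["session_theft_capable"] = "cookies" in perms and bool(hosts)
    return findings


def audit_dir(root: Path) -> list:
    """Classify every manifest.json under an unpacked extensions directory."""
    return [classify(json.loads(m.read_text(encoding="utf-8")))
            for m in sorted(root.rglob("manifest.json"))]


# Constructed sample manifests (not the real Aggr manifest).
SUSPECT = {"name": "constructed-trading-helper", "manifest_version": 3,
           "permissions": ["cookies", "tabs", "storage"],
           "host_permissions": ["<all_urls>"]}
BENIGN = {"name": "constructed-theme", "manifest_version": 3,
          "permissions": ["storage"]}

if __name__ == "__main__":
    for m in (SUSPECT, BENIGN):
        print(classify(m))
```

Point audit_dir at a Chrome profile’s Extensions folder to review what is already installed; an extension whose name is a localized placeholder such as __MSG_appName__ still gets classified by its permissions.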
6. After malicious Chrome extensions steal user cookies, what actions can they take?
After stealing user cookies, malicious extensions can perform the following actions:
– Accessing accounts: Malicious extensions can use the stolen cookies to simulate the user’s login to a trading platform account, thereby accessing the user’s account information, including balance, transaction history, etc.
– Conducting transactions: The stolen cookies may allow malicious extensions to conduct transactions without the user’s consent, such as buying or selling cryptocurrencies, or even transferring assets to other accounts.
– Withdrawing funds: If the cookies contain session information and authentication tokens, malicious extensions can bypass two-factor authentication (2FA) and initiate fund withdrawals, transferring the user’s cryptocurrencies to a wallet controlled by the attacker.
– Accessing sensitive information: Malicious extensions can access and collect sensitive information in the user’s trading platform account, such as identification documents, addresses, etc., which may be used for further identity theft or fraudulent activities.
– Modifying account settings: Malicious extensions can change the user’s account settings, such as the associated email address, phone number, etc., to gain further control over the account and steal more information.
– Impersonating the user for social engineering attacks: Malicious extensions can use the user’s account for social engineering attacks, such as sending scam messages to the user’s contacts, enticing them to perform unsafe operations or provide more sensitive information.
Countermeasures
After reading this, users may wonder what they should do. Should they disconnect from the internet altogether? Should they use a separate computer for operations? Should they avoid logging into platforms via web browsers? There have been many extreme suggestions online, but in reality, we can learn how to properly guard against such risks:
Countermeasures for individual users:
– Enhance personal security awareness: The first defense suggestion is to enhance personal security awareness and always maintain a skeptical attitude.
– Install extensions from trusted sources only: Install extensions from the Chrome Web Store or other trusted sources, and read user reviews and permission requests. Avoid granting unnecessary access permissions to extensions.
– Use a secure browsing environment: Avoid installing extensions from unknown sources, regularly review and remove unnecessary extensions, and use separate browsers, one for extensions and one reserved for accessing funds.
– Regularly check account activities: Regularly check account login activities and transaction records, and take immediate action if suspicious behavior is discovered.
– Remember to log out: Remember to log out after using a web platform. Many people, for the sake of convenience, do not click the log out button after completing operations on a platform. This habit poses security risks.
– Use hardware wallets: For large asset holdings, use hardware wallets for storage to enhance security.
– Browser settings and security tools: Use secure browser settings and extensions (such as ad blockers, privacy protection tools) to reduce the risk of malicious extensions.
– Use security software: Install and use security software to detect and prevent malicious extensions and other malicious activities.
Finally, here are risk control recommendations for platforms. By implementing these measures, trading platforms can reduce the security risks posed by malicious Chrome extensions:
– Enforce Two-Factor Authentication (2FA):
  – Enable 2FA globally: Require all users to enable two-factor authentication (2FA) when logging in and performing important operations (such as trading, placing orders, and fund withdrawals), so that even if a user’s cookies are stolen, attackers cannot easily act on the account.
  – Multiple authentication methods: Support multiple 2FA methods, such as SMS, email, Google Authenticator, and hardware tokens.
– Session management and security:
  – Device management: Give users the ability to view and manage logged-in devices, so they can log out suspicious devices at any time.
  – Session timeout: Implement session timeout policies that automatically log out inactive sessions, reducing the risk of session hijacking.
  – IP address and geolocation monitoring: Detect and alert users to login attempts from unusual IP addresses or geolocations, and block these logins if necessary.
– Strengthen account security settings:
  – Security notifications: Immediately notify users of important account activities such as login attempts, password changes, and fund withdrawals, via email or SMS, so they can spot abnormal activity.
  – Account freezing feature: Provide an option for users to quickly freeze their accounts in an emergency to limit the damage.
– Strengthen monitoring and risk control systems:
  – Anomalous behavior detection: Use machine learning and big data analysis to monitor user behavior, identify abnormal trading patterns and account activities, and intervene promptly.
  – Risk control warnings: Issue warnings and apply restrictions for suspicious behavior such as frequent changes to account information and repeated failed login attempts.
– Provide security education and tools to users:
  – Security education: Use official social media accounts, emails, and in-platform notifications to educate users about security, reminding them of the risks of browser extensions and how to protect their accounts.
  – Security tools: Provide official browser plugins or extensions that help users strengthen account security and that detect and alert them to potential threats.
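The session controls recommended above (step-up 2FA for sensitive operations, idle timeout, and new-IP alerts) can be combined into one server-side authorization check. The code below is an added illustration, not SlowMist’s or any platform’s code; the timeout values, the set of sensitive actions, and the Session structure are assumptions chosen for the example. Its purpose is to show that a valid session cookie on its own is never enough for a withdrawal or account change.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60      # seconds of inactivity before the session is logged out (assumed)
STEP_UP_MAX_AGE = 5 * 60    # a 2FA pass older than this does not cover a sensitive action (assumed)
SENSITIVE = {"withdraw", "change_email", "change_phone", "create_api_key"}


@dataclass
class Session:
    user: str
    ip: str                  # IP the session was established from
    last_seen: float         # unix time of the last accepted request
    last_2fa: float = 0.0    # unix time of the last passed 2FA challenge (0 = never)
    known_ips: set = field(default_factory=set)   # other IPs the user has confirmed


def authorize(sess: Session, action: str, request_ip: str, now: float) -> dict:
    """Decide whether a request carrying a valid session cookie may perform action.

    Returns {"allow": bool, "reason": str, "alerts": [...]}; alerts are the
    notifications the platform should send regardless of the verdict.
    """
    alerts = []
    if now - sess.last_seen > IDLE_TIMEOUT:
        return {"allow": False, "reason": "session_expired", "alerts": alerts}

    if request_ip != sess.ip and request_ip not in sess.known_ips:
        # A stolen cookie is usually replayed from the attacker's network, not the
        # victim's, so a new IP turns every action into a step-up 2FA action.
        alerts.append(f"new_ip:{request_ip}")
        needs_2fa = True
    else:
        needs_2fa = action in SENSITIVE

    if needs_2fa and now - sess.last_2fa > STEP_UP_MAX_AGE:
        # Do not refresh last_seen here: a blocked replay must not keep the session alive.
        return {"allow": False, "reason": "step_up_2fa_required", "alerts": alerts}

    if action in SENSITIVE:
        alerts.append(f"notify:{action}")   # email/SMS the user about the operation
    sess.last_seen = now
    return {"allow": True, "reason": "ok", "alerts": alerts}
```

A real deployment would also record each verdict for the anomaly-detection pipeline described above, since repeated step-up failures from a new IP are exactly the pattern of a replayed cookie.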
Conclusion
To be honest, from a technical standpoint, implementing the risk control measures mentioned above may not always be the best approach. Security needs to be balanced with business requirements, as heavy security measures can negatively impact user experience. For example, requiring 2FA for every order placement may frustrate users and lead to them turning it off for the sake of convenience. As a result, if their cookies are stolen, attackers can easily perform wash trades, causing financial losses for the users. Therefore, different platforms and users require different risk control methods. As for where the balance point between security and business lies, it varies for different platforms. We hope that platforms can consider both user experience and the security of user accounts and assets.