Background
On June 3, 2024, Twitter user @CryptoNakamao shared their experience of having $1 million stolen due to downloading a malicious Chrome extension called Aggr. This incident has raised concerns among the cryptocurrency community about the risks of extensions and the security of their own crypto assets. On May 31, the SlowMist Security Team released an analysis of the deceptive Aggr extension, shedding light on its malicious behavior. Given that many users lack background knowledge of browser extensions, SlowMist’s Chief Information Security Officer, 23pds, will answer six questions in this article to explain the basics of extensions, potential risks, and provide advice on how to mitigate extension-related risks. The goal is to help individual users and trading platforms enhance their account and asset security.
Question and Answer
1. What is a Chrome Extension?
A Chrome extension is a plugin designed for the Google Chrome browser that expands its functionality and behavior. These extensions can customize the user’s browsing experience, add new features or content, and interact with websites. Chrome extensions are typically built using HTML, CSS, JavaScript, and other web technologies.
The structure of a Chrome extension usually includes the following components:
– manifest.json: The extension’s configuration file, which defines basic information such as name, version, and permissions.
– Background Scripts: Scripts running in the background of the browser to handle events and long-term tasks.
– Content Scripts: Scripts running in the webpage context that can directly interact with the webpage.
– User Interface (UI): Such as browser toolbar buttons, pop-up windows, and options pages.
2. What are the functions of Chrome Extensions?
Chrome extensions serve various purposes, including:
– Ad-blocking: Extensions can intercept and block ads on webpages, improving page loading speed and user experience. Examples include AdBlock and uBlock Origin.
– Privacy and security: Some extensions enhance user privacy and security by preventing tracking, encrypting communications, and managing passwords. Examples include Privacy Badger and LastPass.
– Productivity tools: Extensions can help users improve productivity by managing tasks, taking notes, and tracking time. Examples include Todoist and Evernote Web Clipper.
– Developer tools: Extensions provide debugging and development tools for web developers, such as viewing webpage structure, debugging code, and analyzing network requests. Examples include React Developer Tools and Postman.
– Social media and communication: Extensions integrate social media and communication tools, allowing users to handle social media notifications and messages while browsing. Examples include Grammarly and Facebook Messenger.
– Web customization: Users can customize the appearance and behavior of webpages through extensions, such as changing themes, rearranging page elements, and adding extra features. Examples include Stylish and Tampermonkey.
– Automation tasks: Extensions can assist users in automating repetitive tasks, such as automatically filling out forms and batch downloading files. Examples include iMacros and DownThemAll.
– Language translation: Some extensions can translate webpage content in real-time, helping users understand webpages in different languages, such as Google Translate.
– Cryptocurrency assistance: Extensions can facilitate users in cryptocurrency trading, such as MetaMask.
The flexibility and diversity of Chrome extensions allow them to be applied to almost any browsing scenario, helping users efficiently accomplish various tasks.
3. What permissions do Chrome extensions have after installation?
After installation, Chrome extensions may request a series of permissions to perform specific functions. These permissions are declared in the extension’s manifest.json file and prompt users for confirmation during installation. Common permissions include:
– “<all_urls>” (access to all websites): This is a broad host permission that allows the extension to read and modify data on every website the user visits.
– “tabs”: Allows the extension to access information about browser tabs, including getting currently open tabs, creating and closing tabs, etc.
– “activeTab”: Allows the extension temporary access to the currently active tab, typically used to perform specific actions when the user clicks on the extension button.
– “storage”: Allows the extension to use Chrome’s storage API to store and retrieve data. This can be used to save extension settings, user data, etc.
– “cookies”: Allows the extension to access and modify cookies in the browser.
– “webRequest” and “webRequestBlocking”: Allow the extension to intercept and modify network requests. These permissions are often used by ad-blocking and privacy protection extensions.
– “bookmarks”: Allows the extension to access and modify bookmarks in the browser.
– “history”: Allows the extension to access and modify browsing history in the browser.
– “notifications”: Allows the extension to display desktop notifications.
– “contextMenus”: Allows the extension to add custom menu items to the browser’s context menu (right-click menu).
– “geolocation”: Allows the extension to access the user’s geographical location information.
– “clipboardRead” and “clipboardWrite”: Allow the extension to read and write clipboard contents.
– “downloads”: Allows the extension to manage downloads, including starting, pausing, and canceling downloads.
– “management”: Allows the extension to manage other extensions and applications in the browser.
– “background”: Allows the extension to run long-term tasks in the background.
– “webNavigation”: Allows the extension to monitor and modify browser navigation behavior.
These permissions enable Chrome extensions to perform various powerful and diverse functions but also mean that they can potentially access sensitive user data, such as cookies and authentication information.
4. How can malicious Chrome extensions steal user permissions?
Malicious Chrome extensions can abuse the permissions they request to steal user credentials and authentication information, because those permissions give them direct access to the user’s browser environment and data. The specific reasons and methods are as follows:
– Broad permission access: Malicious extensions often request a large number of permissions, such as access to all websites, read and modify browser tabs, access browser storage, etc. These permissions allow malicious extensions to broadly access the user’s browsing activities and data.
– Manipulating network requests: Malicious extensions can use the “webRequest” and “webRequestBlocking” permissions to intercept and modify network requests, thereby stealing user authentication information and sensitive data. For example, they can intercept form data when a user logs into a website to obtain usernames and passwords.
– Reading and writing page content: Through content scripts, malicious extensions can embed code into webpages, allowing them to read and modify page content. This means they can steal any data entered by users on the webpage, such as form information and search queries.
– Accessing browser storage: Malicious extensions can use the “storage” permission to access and store the user’s local data, including browser storage (such as LocalStorage and IndexedDB) that may contain sensitive information.
– Manipulating the clipboard: Using the “clipboardRead” and “clipboardWrite” permissions, malicious extensions can read and write clipboard contents, thereby stealing or tampering with the information users copy and paste.
– Masquerading as legitimate websites: Malicious extensions can modify the browser’s content or redirect users to fake websites, deceiving users into entering sensitive information.
– Long-term background operation: Malicious extensions with the “background” permission can run continuously in the background, even if users don’t actively use them. This allows them to monitor user activity for a long time and collect a large amount of data.
– Manipulating downloads: With the “downloads” permission, malicious extensions can download and execute malicious files, further compromising user system security.
5. Why were the victims of this malicious extension’s attack susceptible to permission theft and financial losses?
In this particular case, the malicious Aggr extension requested the kind of sensitive permissions described above. Here is an excerpt from the permissions section of the extension’s manifest.json file:
– “cookies”
– “tabs”
– “storage”
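The permission list above is exactly what a user or a platform security team should be reviewing before trusting an extension. As an added example (not code from the SlowMist article or from the Aggr extension), the script below audits a manifest.json and flags the combinations that expose sessions; the sample manifest is constructed, and only the three permission names quoted from Aggr are taken from the page.

```javascript
// Added example (not code from the SlowMist article or from the Aggr extension):
// audit a Chrome extension manifest and flag permissions that can expose
// sessions or credentials. The sample manifest is constructed; only the three
// permission names quoted from Aggr in the article are taken from the page.
const HIGH_RISK = {
  "<all_urls>": "can read and modify every page the user visits",
  cookies: "can read session cookies for sites it has host access to",
  tabs: "can list open tabs and their URLs",
  history: "can read browsing history",
  webRequest: "can observe network requests",
  webRequestBlocking: "can modify or block network requests",
  clipboardRead: "can read the clipboard (addresses, seed phrases)",
  management: "can disable other extensions, e.g. security tools",
};

function isHostPattern(p) {
  // Match patterns such as "<all_urls>" or "https://*.example.com/*"
  return p === "<all_urls>" || p.includes("://");
}

function auditManifest(manifest) {
  // Manifest V3 moves host patterns to host_permissions; V2 keeps them in permissions.
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const hostPatterns = perms.filter(isHostPattern);
  const findings = perms
    .filter((p) => Object.prototype.hasOwnProperty.call(HIGH_RISK, p))
    .map((p) => ({ permission: p, why: HIGH_RISK[p] }));
  // "cookies" alone is harmless; combined with host access it lets the extension
  // read the user's login cookies for those hosts, which is the Aggr scenario.
  const sessionTheftRisk = perms.includes("cookies") && hostPatterns.length > 0;
  return { manifestVersion: manifest.manifest_version, hostPatterns, findings, sessionTheftRisk };
}

// Constructed sample: the permission trio the article quotes plus broad host access.
const sampleManifest = {
  manifest_version: 3,
  name: "Sample Trading Helper (constructed)",
  version: "1.0",
  permissions: ["cookies", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
};

console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

Running it on the constructed manifest reports three findings and sets sessionTheftRisk, while a manifest that asks only for “storage” and “notifications” produces no findings.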
6. After malicious Chrome extensions steal user cookies, what actions can they take?
After stealing user cookies, malicious extensions can perform various actions, including:
– Account access: Malicious extensions can use the stolen cookies to simulate user login to a trading platform account, gaining access to the user’s account information, including balance, transaction history, etc.
– Conducting transactions: Stolen cookies may allow malicious extensions to perform transactions, buy or sell cryptocurrencies without the user’s consent, or even transfer assets to other accounts.
– Funds withdrawal: If the cookies contain session information and authentication tokens, malicious extensions can bypass two-factor authentication (2FA) and directly initiate fund withdrawals, transferring the user’s cryptocurrencies to a wallet controlled by the attacker.
– Accessing sensitive information: Malicious extensions can access and collect sensitive information in the user’s trading platform account, such as identification documents, addresses, etc., which could be used for further identity theft or fraudulent activities.
– Modifying account settings: Malicious extensions can change the user’s account settings, such as the associated email address, phone number, etc., gaining further control over the account and stealing more information.
– Impersonating the user for social engineering attacks: Malicious extensions can use the user’s account for social engineering attacks, such as sending scam messages to the user’s contacts, enticing them to perform insecure operations or provide more sensitive information.
Mitigation Measures
Upon reading this, many users may wonder what actions they should take. Should they disconnect from the internet altogether? Should they use a separate computer for operations? Should they avoid logging into platforms through webpages? There have been many extreme suggestions online, but in fact, we can learn how to reasonably guard against such risks:
Measures for individual users:
– Enhance personal security awareness: The first recommendation for defense is to enhance personal security awareness and maintain a skeptical mindset.
– Install extensions only from trusted sources: Install extensions from the Chrome Web Store or other trusted sources, and read user reviews and permission requests, avoiding granting unnecessary access permissions to extensions.
– Use a secure browsing environment: Avoid installing extensions from unknown sources, and regularly review and remove unnecessary extensions. Use a separate browser (or browser profile) for trading and fund management, keeping it free of the extensions installed in your everyday browser.
– Regularly check account activity: Regularly check account login activity and transaction records and take immediate action if suspicious behavior is detected.
– Remember to log out: After using a web-based trading platform, remember to log out. Many users, for the sake of convenience, do not click the log out button after completing their operations on the platform, which poses security risks.
– Use hardware wallets: For large assets, use hardware wallets for storage to enhance security.
– Browser settings and security tools: Use secure browser settings and extensions (such as ad-blockers and privacy protection tools) to reduce the risk of malicious extensions.
– Use security software: Install and use security software to detect and prevent malicious extensions and other malware.
Lastly, here are risk control recommendations for trading platforms. By implementing these measures, platforms can reduce the security risks posed by malicious Chrome extensions:
– Mandatory use of two-factor authentication (2FA):
  – Enable 2FA globally: Require all users to enable two-factor authentication (2FA) when logging in and performing important operations such as trading, placing orders, and fund withdrawals. This ensures that even if the user’s cookies are stolen, attackers cannot easily access the account.
  – Multiple authentication methods: Support multiple 2FA methods, such as SMS, email, Google Authenticator, and hardware tokens.
– Session management and security:
  – Device management: Provide users with the ability to view and manage logged-in devices, allowing them to log out of suspicious devices at any time.
  – Session timeout: Implement session timeout policies to automatically log out inactive sessions, reducing the risk of session hijacking.
  – IP address and geolocation monitoring: Detect and alert users of login attempts from abnormal IP addresses or geolocation, and block these logins when necessary.
– Strengthen account security settings:
  – Security notifications: Immediately send users notifications about important account activities such as login, password changes, fund withdrawals, etc., through email or SMS to alert them of any suspicious activities.
  – Account freeze feature: Provide users with the option to quickly freeze their accounts in emergency situations to control the scope of damage.
– Enhanced monitoring and risk control systems:
  – Abnormal behavior detection: Use machine learning and big data analysis to monitor user behavior and identify abnormal trading patterns and account activities for timely risk intervention.
  – Risk control alerts: Provide warnings and restrictions for suspicious behaviors such as frequent changes to account information and frequent failed login attempts.
– Provide security education and tools to users:
  – Security education: Use official social media accounts, emails, and in-platform notifications to educate users about security knowledge, alerting them to the risks of browser extensions and how to protect their accounts.
  – Security tools: Provide official browser plugins or extensions to help users enhance their account security, detect and alert them to potential security threats.
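To make the session-side controls concrete (fresh 2FA for withdrawals and account changes, idle timeout, handling of a cookie replayed from another device, and server-side invalidation on logout), here is an added example in JavaScript. It is not code from the article or from any trading platform; the field names, thresholds and sample session are assumptions, and it also illustrates why the cookie-theft actions listed in question 6 stop working when such a policy is in place.

```javascript
// Added example, not code from the article or from any trading platform: a
// server-side session policy that limits what a replayed (stolen) cookie can do.
// The field names, thresholds and sample session below are assumptions.
const IDLE_TIMEOUT_MS = 30 * 60 * 1000;   // auto-logout for inactive sessions
const STEP_UP_WINDOW_MS = 5 * 60 * 1000;  // how recent a 2FA check must be
const SENSITIVE_ACTIONS = new Set(["withdraw", "change_email", "change_phone"]);

const sessions = new Map(); // sessionId -> session record, kept server side

function createSession(id, userId, ip, userAgent, now) {
  // Login itself required 2FA, so the step-up clock starts at login time.
  sessions.set(id, { userId, ip, userAgent, lastSeen: now, lastTwoFactorAt: now });
}

function logout(id) {
  // Server-side invalidation: a copied cookie is useless after this.
  return sessions.delete(id);
}

function evaluateRequest(id, request, now) {
  const s = sessions.get(id);
  if (!s) return { allow: false, reason: "no such session" };
  if (now - s.lastSeen > IDLE_TIMEOUT_MS) {
    sessions.delete(id);
    return { allow: false, reason: "session expired" };
  }
  // A cookie exfiltrated by an extension is replayed from the attacker's
  // machine, so its IP and user agent usually differ from the login device.
  // Production systems feed this into a risk score; here it is a hard stop.
  if (request.ip !== s.ip || request.userAgent !== s.userAgent) {
    sessions.delete(id);
    return { allow: false, reason: "device mismatch", notifyUser: true };
  }
  if (SENSITIVE_ACTIONS.has(request.action) && now - s.lastTwoFactorAt > STEP_UP_WINDOW_MS) {
    return { allow: false, reason: "fresh 2FA required", requireTwoFactor: true };
  }
  s.lastSeen = now;
  return { allow: true };
}

// Constructed walkthrough: login at T0, then a normal request, a stale withdrawal
// attempt from the same device, and a withdrawal replayed from another IP.
const T0 = Date.parse("2024-06-03T10:00:00Z");
createSession("sid-1", "user-42", "203.0.113.10", "Chrome/125", T0);
const browse = evaluateRequest("sid-1", { action: "view_balance", ip: "203.0.113.10", userAgent: "Chrome/125" }, T0 + 60_000);
const stale = evaluateRequest("sid-1", { action: "withdraw", ip: "203.0.113.10", userAgent: "Chrome/125" }, T0 + 10 * 60_000);
const replay = evaluateRequest("sid-1", { action: "withdraw", ip: "198.51.100.7", userAgent: "Chrome/125" }, T0 + 11 * 60_000);
console.log(browse, stale, replay);
```

In the walkthrough the balance view is allowed, the withdrawal ten minutes after login is held for a fresh 2FA check, and the replayed withdrawal from a different IP revokes the session and triggers a user notification.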
Conclusion
To be honest, from a technical perspective, implementing the risk control measures mentioned above may not always be the best approach. Security needs to be balanced with business requirements, as excessive security measures can lead to a poor user experience. For example, requiring 2FA for every order placement may inconvenience users and lead them to disable it. Unfortunately, once cookies are stolen, attackers can take advantage of that situation to withdraw the user’s funds and carry out fraudulent activities. Therefore, risk control methods may vary for different platforms and users. As for where the balance point between security and business lies, different platforms have different considerations. It is hoped that platforms can protect user accounts and assets while also considering user experience.