Background

On June 3, 2024, Twitter user @CryptoNakamao shared their experience of losing $1 million due to downloading the malicious Chrome extension Aggr, sparking concerns among the crypto community about extension risks and their own asset security. On May 31, the SlowMist Security Team released an analysis titled “Wolf in Sheep’s Clothing | Analysis of False Chrome Extensions Stealing”, detailing the malicious actions of the Aggr extension. Given the lack of background knowledge among users about browser extensions, SlowMist’s Chief Information Security Officer, 23pds, used a Q&A format in the article to explain the basics and potential risks of extensions. They also provided recommendations to mitigate extension risks, aiming to help individual users and trading platforms enhance the security of their accounts and assets.

(https://x.com/im23pds/status/1797528115897626708)

Q&A

1.What are Chrome extensions?

A Chrome extension is a plugin designed for Google Chrome to extend the browser’s functionality and behavior. These extensions can customize the user’s browsing experience, add new features or content, and interact with websites. Chrome extensions are typically built using HTML, CSS, JavaScript, and other web technologies. The structure of a Chrome extension generally includes the following components:

1. manifest.json: The configuration file of the extension, defining basic information such as name, version, permissions, etc.
2. Background Scripts: Scripts that run in the background of the browser, handling events and long-term tasks.
3. Content Scripts: Scripts that run in the context of web pages, allowing direct interaction with web pages.
4. User Interface (UI): Includes elements like browser toolbar buttons, pop-up windows, options pages, etc.

2.What do Chrome extensions do?

1. Ad Blockers: Extensions that can intercept and block ads on web pages, thereby improving page load speed and user experience. Examples include AdBlock and uBlock Origin.
2. Privacy and Security: Some extensions enhance user privacy and security by preventing tracking, encrypting communications, managing passwords, etc. Examples include Privacy Badger and LastPass.
3. Productivity Tools: Extensions that help users increase productivity, such as task management, note-taking, time tracking, etc. Examples include Todoist and Evernote Web Clipper.
4. Developer Tools: Tools for web developers that provide debugging and development capabilities, like inspecting web page structures, debugging code, analyzing network requests, etc. Examples include React Developer Tools and Postman.
5. Social Media and Communication: Extensions that integrate social media and communication tools, allowing users to handle social media notifications, messages, etc. while browsing. Examples include Grammarly and Facebook Messenger.
6. Web Customization: Users can customize the appearance and behavior of web pages using extensions, such as changing themes, rearranging page elements, adding extra functionalities, etc. Examples include Stylish and Tampermonkey.
7. Automation Tasks: Extensions that help automate repetitive tasks like filling out forms, batch downloading files, etc. Examples include iMacros and DownThemAll.
8. Language Translation: Some extensions can translate web page content in real-time, helping users understand web pages in different languages, like Google Translate.
9. Cryptocurrency Assistance: Extensions that facilitate easier cryptocurrency trading experiences for users, such as MetaMask, etc.

The flexibility and diversity of Chrome extensions allow them to be applied to almost any browsing scenario, helping users accomplish tasks more efficiently.

3.What permissions does the Chrome extension have after it is installed?

After installation, Chrome extensions may request a series of permissions to execute specific functions. These permissions are declared in the extension’s manifest.json file and prompt users for confirmation during installation. Common permissions include:

1. <all_urls>: Allows the extension to access content from all websites. This broad permission enables the extension to read and modify data on all websites.
2. tabs: Allows the extension to access information about browser tabs, including accessing currently open tabs, creating and closing tabs, etc.
3. activeTab: Allows the extension temporary access to the currently active tab, typically used to perform specific actions when the user clicks the extension button.
4. storage: Allows the extension to use Chrome’s storage API to store and retrieve data. This can be used for saving extension settings, user data, etc.
5. cookies: Allows the extension to access and modify cookies in the browser.
6. webRequest and webRequestBlocking: Allows the extension to intercept and modify network requests. These permissions are often used in ad-blocking and privacy protection extensions.
7. bookmarks: Allows the extension to access and modify the browser’s bookmarks.
8. history: Allows the extension to access and modify the browser’s history.
9. notifications: Allows the extension to display desktop notifications.
10. contextMenus: Allows the extension to add custom menu items to the browser’s context menu (right-click menu).
11. geolocation: Allows the extension to access the user’s geographical location information.
12. clipboardRead and clipboardWrite: Allows the extension to read from and write to the clipboard.
13. downloads: Allows the extension to manage downloads, including starting, pausing, and canceling downloads.
14. management: Allows the extension to manage other extensions and applications in the browser.
15. background: Allows the extension to run long-running tasks in the background.
16. notifications: Allows the extension to display system notifications.
17. webNavigation: Allows the extension to monitor and modify the browser’s navigation behavior.

These permissions enable Chrome extensions to perform many powerful and diverse functions, but they also mean that extensions may access sensitive user data such as cookies, authentication information, and more.

4.Why can malicious Chrome extensions steal user permissions?

Malicious Chrome extensions can exploit requested permissions to steal users’ credentials and authentication information because these extensions have direct access to and can manipulate the user’s browser environment and data.

1. Wide-ranging access: Malicious extensions often request extensive permissions such as accessing all websites (<all_urls>), reading and modifying browser tabs (tabs), and accessing browser storage (storage). These permissions allow malicious extensions to extensively access users’ browsing activities and data.
2. Manipulating network requests: Malicious extensions can use webRequest and webRequestBlocking permissions to intercept and modify network requests, thereby stealing users’ authentication information and sensitive data. For example, they can intercept form data when users log into websites to obtain usernames and passwords.
3. Reading and writing page content: Through content scripts, malicious extensions can embed code into web pages to read and modify page content. This means they can steal any data entered by users on web pages, such as form information and search queries.
4. Accessing browser storage: Malicious extensions can use storage permissions to access and store users’ local data, including browser storage that may contain sensitive information (such as LocalStorage and IndexedDB).
5. Manipulating the clipboard: With clipboardRead and clipboardWrite permissions, malicious extensions can read and write users’ clipboard contents, thereby stealing or tampering with information copied and pasted by users.
6. Masquerading as legitimate websites: Malicious extensions can disguise themselves as legitimate websites by modifying browser content or redirecting users to spoofed pages, tricking users into entering sensitive information.
7. Running in the background for extended periods: Malicious extensions with background permissions can run continuously in the background, even when users are not actively using them. This allows them to monitor user activities for extended periods and collect large amounts of data.
8. Manipulating downloads: Using download permissions, malicious extensions can download and execute malicious files, further jeopardizing user system security.

5.Why did the victims of this malicious extension have their permissions stolen and their funds compromised?

Because this malicious Aggr extension happened to obtain the background information we just discussed, here is a snippet of the permissions section from its manifest.json file:

1. cookies
2. tabs
3. <all_urls>
4. storage

6.What can a malicious Chrome extension do after stealing users’ cookies?

1. Accessing accounts: Malicious extensions can use stolen cookies to simulate user login to cryptocurrency trading platforms, thereby accessing users’ account information including balances and transaction history.
2. Conducting transactions: Stolen cookies may allow malicious extensions to conduct transactions without user consent, buying or selling cryptocurrencies, or transferring assets to other accounts.
3. Withdrawing funds: If cookies contain session information and authentication tokens, malicious extensions may bypass two-factor authentication (2FA) and initiate fund withdrawals, transferring users’ cryptocurrencies to wallets controlled by attackers.
4. Accessing sensitive information: Malicious extensions can access and collect sensitive information in users’ trading platform accounts, such as authentication documents and addresses, potentially used for further identity theft or fraud activities.
5. Modifying account settings: Malicious extensions can change users’ account settings, such as bound email addresses and phone numbers, further controlling accounts and stealing more information.
6. Impersonating users for social engineering attacks: Using user accounts for social engineering attacks, such as sending fraudulent messages to users’ contacts, enticing them into unsafe operations or providing more sensitive information.

Responses

Seeing this, many users may wonder, “What should I do? Should I just disconnect from the internet and stop using it altogether? Should I use a separate computer for operations? Should I avoid logging into platforms via web pages?” There are many extreme suggestions online, but in reality, we can learn how to reasonably prevent such risks:

Personal user’s mitigation measures:

1. Enhance personal security awareness: The first preventive suggestion is to enhance personal security awareness and maintain a skeptical attitude at all times.
2. Install extensions only from trusted sources: Install extensions from the Chrome Web Store or other trusted sources, read user reviews and permissions requests, and avoid granting unnecessary access permissions to extensions.
3. Use a secure browsing environment: Avoid installing extensions from unknown sources, regularly review and remove unnecessary extensions, consider using different browsers for isolating plugin browsing and fund transaction browsing.
4. Regularly monitor account activity: Regularly check account login activities and transaction records, and take immediate action upon detecting suspicious behavior.
5. Remember to log out: Remember to log out after using web platforms. Many people tend to overlook clicking “log out” after completing operations on a platform for convenience, which poses security risks.
6. Use hardware wallets: For large assets, use hardware wallets for storage to enhance security.
7. Browser settings and security tools: Use secure browser settings and extensions (such as ad blockers and privacy protection tools) to reduce the risk of malicious extensions.
8. Use security software: Install and use security software to detect and prevent malicious extensions and other malware.

Final risk control recommendations for platforms: By implementing these measures, trading platforms can reduce the security risks posed by malicious Chrome extensions to users:

Enforce the use of Two-Factor Authentication (2FA):

• Enable 2FA globally: Require all users to enable Two-Factor Authentication (2FA) for login and important operations (such as trading, placing orders, and fund withdrawals), ensuring that even if a user’s cookies are stolen, attackers cannot easily access the account.

• Multiple authentication methods: Support multiple 2FA methods such as SMS, email, Google Authenticator, and hardware tokens.

Session management and security:

• Device management: Provide users with the ability to view and manage logged-in devices, allowing them to log out sessions from unrecognized devices at any time.

• Session timeout: Implement session timeout policies to automatically log out inactive sessions, reducing the risk of session hijacking.

• IP address and geolocation monitoring: Detect and alert users to login attempts from unusual IP addresses or geolocations, and block these logins if necessary.=

Enhance account security settings:

• Security notifications: Promptly notify users of important actions such as account logins, password changes, and fund withdrawals via email or SMS to alert users of suspicious activities.

• Account freeze feature: Provide an option for users to quickly freeze their accounts in emergencies to control damage.

Strengthen monitoring and risk control systems:

• Abnormal behavior detection: Use machine learning and big data analytics to monitor user behavior, identify abnormal trading patterns and account activities, and intervene in risk control promptly.

• Risk warnings: Alert and restrict suspicious activities such as frequent changes in account information or frequent failed login attempts.

Provide security education and tools for users:

• Security education: Disseminate security knowledge to users through official social media accounts, email, platform notifications, etc., raising awareness about the risks of browser extensions and how to protect their accounts.

• Security tools: Provide official browser plugins or extensions to help users enhance account security, and detect and alert users to potential security threats.

Conclusion

To be frank, from a technical standpoint, implementing the risk control measures mentioned earlier isn’t always the best approach. Balancing security and business needs is crucial; too much emphasis on security can degrade user experience. For example, requiring second-factor authentication during order placement might lead many users to disable it for quicker transactions. This convenience for users also benefits hackers, as stolen cookies could allow them to manipulate trades and compromise user assets. Therefore, different platforms and users may require varied approaches to risk management. Finding the balance between security and business goals varies by platform, and it’s crucial that platforms prioritize both user experience and safeguarding user accounts and assets.

Disclaimer：

1. This article is reprinted from [PANews]. All copyrights belong to the original author [Slow Mist Technology]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.