Recently, users in the crypto community suffered significant financial losses after downloading the malicious Chrome extension Aggr, an incident that has attracted widespread attention. To help users better understand the risks of browser extensions and improve their own security posture, the SlowMist security team has provided a detailed analysis of the extension’s malicious behavior together with practical security recommendations.
Community Warning Sparks Attention
Analysis by the SlowMist Security Team
1. What is a Chrome extension?
2. What are the functions of Chrome extensions?
3. What permissions do Chrome extensions have after installation?
4. Why can malicious Chrome extensions steal user permissions?
5. How do malicious extensions steal user permissions and funds?
6. What can malicious extensions do after stealing cookies?
Countermeasures
Countermeasures for individual users
Platform risk control recommendations
Community Warning Sparks Attention
On June 3, 2024, Twitter user @CryptoNakamao shared their experience of losing $1 million after downloading the malicious Chrome extension Aggr. The incident quickly sparked widespread discussion in the crypto community, with users voicing concerns about extension risks and the security of their crypto assets.
Analysis by the SlowMist Security Team
As early as May 31, the SlowMist security team had released a detailed analysis report on the Aggr extension, revealing its malicious behavior. This article uses a question-and-answer format to help users understand the basics of Chrome extensions and their potential risks, and offers recommendations for responding to them.
1. What is a Chrome extension?
Chrome extensions are plugins designed for the Google Chrome browser to enhance its functionality and behavior. They are typically built with web technologies such as HTML, CSS, and JavaScript, and their key components include:
– manifest.json: the extension’s configuration file, defining basic information.
– Background script: handling background tasks.
– Content script: interacting with web pages.
– User interface: such as toolbar buttons, pop-up windows, etc.
2. What are the functions of Chrome extensions?
Chrome extensions have various uses, including:
– Ad blocking: improving webpage loading speed and user experience, such as AdBlock.
– Privacy and security: enhancing user privacy and security, such as Privacy Badger.
– Productivity tools: improving work efficiency, such as Todoist.
– Developer tools: providing debugging and development tools, such as React Developer Tools.
– Social media and communication: facilitating social media notifications, such as Grammarly.
– Web customization: customizing webpage appearance and behavior, such as Stylish.
– Automation tasks: assisting in automating repetitive tasks, such as iMacros.
– Language translation: real-time translation of webpage content, such as Google Translate.
– Cryptocurrency assistance: facilitating cryptocurrency transactions, such as MetaMask.
3. What permissions do Chrome extensions have after installation?
Chrome extensions may request the following permissions:
– “tabs”: Access to browser tab information.
– “activeTab”: Temporary access to the currently active tab.
– “storage”: Use of Chrome’s storage API.
– “cookies”: Access and modification of browser cookies.
– “webRequest”: Intercepting and modifying network requests.
– “bookmarks”: Access and modification of browser bookmarks.
– “history”: Access and modification of browser history records.
– “notifications”: Display of desktop notifications.
– “contextMenus”: Adding custom menu items.
– “geolocation”: Access to user geolocation information.
– “clipboardRead” and “clipboardWrite”: Reading and writing clipboard content.
– “downloads”: Management of downloads.
– “management”: Management of other extensions and applications.
– “background”: Running tasks in the background.
– “webNavigation”: Monitoring and modifying browser navigation behavior.
While these permissions enable powerful functionality, they also give an extension access to sensitive user data.
4. Why can malicious Chrome extensions steal user permissions?
Malicious extensions abuse the permissions they request to steal user information and credentials, by means such as:
– Requesting broad permissions: such as accessing all websites, reading and modifying tabs, accessing storage, etc.
– Manipulating network requests: intercepting and modifying network requests to steal authentication information.
– Reading and writing page content: reading and modifying page data through embedded code.
– Accessing browser storage: accessing local data containing sensitive information.
– Manipulating the clipboard: reading and tampering with information copied and pasted by users.
– Masquerading as legitimate websites: inducing users to enter sensitive information.
– Long-term background operation: continuously monitoring user activity and collecting data.
– Managing downloads: downloading and executing malicious files, threatening system security.
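The two sections above describe which permissions an extension can request and how a malicious one abuses them; the following audit script is an added example (not SlowMist's code, and not the real Aggr manifest) that reads a manifest.json and flags the combination of “cookies” with access to every site. The permission names are Chrome's own; the risk notes, weighting and the constructed manifests are this example's assumptions.

```javascript
// Added example, not code from SlowMist or from the Aggr extension: audit an
// extension's manifest.json for the permission combinations that make cookie
// and session theft possible. Permission names are Chrome's; the risk notes
// and the weighting are this example's own assumptions.
const HIGH_RISK = {
  cookies: "read and modify cookies, including login sessions",
  tabs: "enumerate open tabs and their URLs",
  webRequest: "observe network requests and headers",
  webRequestBlocking: "block or rewrite network requests",
  webNavigation: "track every navigation",
  history: "read browsing history",
  clipboardRead: "read the clipboard",
  downloads: "write files to disk",
  management: "disable or remove other extensions",
  scripting: "inject scripts into pages",
};

// A host pattern is "broad" when it matches every site rather than a fixed origin.
function isBroadHost(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  // MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter((p) => p === "<all_urls>" || p.includes("://")),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const findings = perms.filter((p) => HIGH_RISK[p]).map((p) => `${p}: ${HIGH_RISK[p]}`);
  const broad = [...new Set(hosts.filter(isBroadHost))];
  if (broad.length) findings.push(`broad host access: ${broad.join(", ")}`);
  // "cookies" plus access to every site is what lets an extension lift exchange sessions.
  const sessionTheftCapable = perms.includes("cookies") && broad.length > 0;
  return { findings, sessionTheftCapable, riskScore: findings.length + (sessionTheftCapable ? 3 : 0) };
}

// Constructed manifest carrying the permission set the article attributes to Aggr
// (cookies, tabs, storage); everything else here is illustrative, not the real file.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 3,
  name: "Example Trading Helper",
  permissions: ["cookies", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
};
const BENIGN_MANIFEST = { manifest_version: 3, name: "Notes", permissions: ["storage"] };

console.log(auditManifest(SUSPICIOUS_MANIFEST));
```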
5. How do malicious extensions steal user permissions and funds?
The malicious extension Aggr uses its extensive permissions (such as cookies, tabs and storage) to steal user permissions and funds by:
– Simulating user login to trading platform accounts.
– Unauthorized trading and fund transfers.
– Accessing and collecting sensitive information.
– Modifying account settings to control user accounts.
– Conducting social engineering attacks to further obtain sensitive information.
6. What can malicious extensions do after stealing cookies?
Malicious extensions can use stolen cookies to perform the following actions:
– Access account information.
– Conduct unauthorized transactions.
– Bypass two-factor authentication to withdraw funds.
– Access and collect sensitive information.
– Modify account settings.
– Impersonate users for social engineering attacks.
Countermeasures
Countermeasures for individual users
– Enhance personal security awareness: maintain a cautious attitude.
– Only install extensions from trusted sources: read user reviews and permission requests.
– Use a secure browser environment: avoid installing extensions from unknown sources.
– Regularly check account activity: take immediate action upon discovering suspicious behavior.
– Use hardware wallets: store large assets securely.
– Browser settings and security tools: reduce the risk of malicious extensions.
– Use security software: detect and prevent malicious software.
Platform risk control recommendations
– Enforce two-factor authentication (2FA): ensure the security of user accounts.
– Session management and security: manage logged-in devices, implement session timeout policies.
– Strengthen account security settings: send security notifications, provide account freeze functionality.
– Enhance monitoring and risk control systems: monitor user behavior, identify abnormal transactions.
– Provide users with security education and tools: popularize security knowledge, provide official security tools.
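The session-management and monitoring recommendations above come down to one platform-side question: is this session cookie still being presented by the client that logged in? The following detector is an added example (not SlowMist's code or any exchange's implementation) that answers it over a constructed event log; the field names, the user-agent plus IP /24 binding, the sensitive-action list and the 12-hour timeout are assumptions of this example.

```javascript
// Added example, not from the SlowMist article: a platform-side check that flags
// a session cookie replayed from a client other than the one that logged in,
// which is how a cookie stolen by an extension looks to the exchange. Field
// names, the /24 binding and the 12-hour timeout are assumptions of this example.
const SENSITIVE_ACTIONS = new Set(["withdraw", "create_api_key", "change_2fa", "add_address"]);
const MAX_SESSION_AGE_MS = 12 * 60 * 60 * 1000;

// Bind a session to its user agent and IP /24 as seen at login time.
function contextOf(ev) {
  return `${ev.userAgent}|${ev.ip.split(".").slice(0, 3).join(".")}`;
}

function detectSessionReplay(events) {
  const sessions = new Map(); // sessionId -> { context, loginAt }
  const alerts = [];
  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    const ctx = contextOf(ev);
    if (ev.action === "login") {
      sessions.set(ev.sessionId, { context: ctx, loginAt: ev.ts });
      continue;
    }
    const s = sessions.get(ev.sessionId);
    if (!s) {
      alerts.push({ sessionId: ev.sessionId, reason: "unknown_session", response: "revoke" });
    } else if (ev.ts - s.loginAt > MAX_SESSION_AGE_MS) {
      alerts.push({ sessionId: ev.sessionId, reason: "expired", response: "revoke" });
    } else if (ctx !== s.context) {
      // Same cookie, different device: block sensitive actions outright, step up the rest.
      alerts.push({
        sessionId: ev.sessionId, reason: "context_mismatch", action: ev.action,
        response: SENSITIVE_ACTIONS.has(ev.action) ? "block_and_reauth" : "step_up_2fa",
      });
    }
  }
  return alerts;
}

// Constructed event log (RFC 5737 documentation addresses); the third event
// reuses the victim's session id from a different browser and network.
const EVENTS = [
  { ts: 1000, sessionId: "s-7f3a", action: "login", ip: "203.0.113.10", userAgent: "Chrome/125 Windows" },
  { ts: 2000, sessionId: "s-7f3a", action: "view_balance", ip: "203.0.113.10", userAgent: "Chrome/125 Windows" },
  { ts: 3000, sessionId: "s-7f3a", action: "withdraw", ip: "198.51.100.7", userAgent: "Chrome/124 Linux" },
];

console.log(detectSessionReplay(EVENTS));
```

A real deployment would pair the mismatch alert with a security notification to the account owner and a freeze option, as the list above recommends.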
In balancing security against business needs, platforms must protect user accounts and assets while still considering user experience. The SlowMist security team recommends that users ask themselves whether something is safe before installing any software or plugin, so that a cautionary tale does not become their own accident. For more security knowledge, please read the SlowMist-produced “Blockchain Dark Forest Self-Rescue Manual.”