#1
The dangers of malicious browser extensions

Be careful with what you install.

https://medium.com/mycrypto/the-dangers-...9c10f0128f
What is this thing that builds our dreams, yet slips away from us?
#2
Can't read it. Out of free reading there...
Cardano is the most promising 3 gen. crypto right now.
#3
Copied below some of the highlights from the article!


Recently, I came across a project that promises to give you cashback on each transaction — including trading on centralized exchanges — and all you need to do is install a browser extension to get that 5% cashback.
If it’s too good to be true, it’s probably false.
At the time of discovery, their extension — Chrome extension ID liachincjagnalnmahhaioaogkngbmhf (CCB Cash)— had 181 users on it. The extension has now been removed from the store.

So, I inspected the code — it has very malicious behaviour.
The malicious extension is only interested in the following coins: BTC, ETH, BCH, BNB, LTC, XRP, ETC.
What permissions does it require?
When you first install the browser extension it asks for write access to multiple domains including Github, Exmo, Coinbase, Binance, HitBTC, LocalBitcoins, and more.
It requests access to all open tabs and your cookies — these permissions are abused a lot to steal your assets from various exchanges and wallet services.
What does it do?
To sum it up in a sentence, it steals all your secrets depending on the domain you are on.
For example, on Binance it steals your login details, 2FA codes, CSRF tokens, and attempts to automatically withdraw coins.
Let’s look at the actual execution…
Step 1) Stealing your Logins
There is code in the extension that will trigger on a click event on the login button to steal the email and password inputs, store them in LocalStorage and send them to their server in the backend without disrupting the normal login routine from the exchange.

Step 2) Stealing 2FA codes
If you’re logging in, it will monitor for the 2FA input and wait for the form to be submitted. Once it is, it sends the inputted 2FA to their backend along with the email and password stored in LocalStorage from step 1.

Step 3) Stealing your CSRF token and withdrawing
If you go to the balances view (in Binance) the extension steals your CSRF token from your cookies and sends it to their backend server. It then makes a POST request to grab your coin balances and attempts to withdraw silently.
It steals your CSRF tokens so it can md5() them and make a POST /exchange/private/yserAssetTransferBtc request to get your balances. Once that’s done, it will sort them by highest value first and try to withdraw.
If it finds one of these coins with a balance of >0.01 (BTC value) and is able to withdraw, it will navigate you to the withdrawal view for the coin with the highest value, automatically fill in the withdrawal request and click withdraw automagically. It will also blur the Binance screen by injecting a div into the body and bringing it to the front, and modify the text of the 2FA code confirmation to try to make you believe you are logged out. This is done super fast so you don't even notice that you're being redirected away from the dashboard.
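The permission list in the post above is the part a reader can actually check before clicking "Add to Chrome". The script below is an added example, not code from the article or from anyone in this thread: it audits a Chrome extension manifest.json (MV2 or MV3) for the combination the article describes, host access to exchange or wallet domains together with the "tabs" and "cookies" permissions. The sample manifest, the high-value host list and the function names (auditManifest, hostFromPattern, isHighValue) are constructed for this example and are not the real CCB Cash manifest.

```javascript
// Added example: audit a Chrome extension manifest (MV2 or MV3) for the
// permission combination the article describes. Not the article's code.
// The sample manifest and host list below are constructed for this example.

const SENSITIVE_PERMISSIONS = {
  cookies: "read and write cookies for granted hosts (session and CSRF tokens)",
  tabs: "read the URL and title of every open tab",
  webRequest: "observe every request to granted hosts",
  webRequestBlocking: "modify or block requests to granted hosts",
  clipboardRead: "read the clipboard (seed phrases, addresses)",
  scripting: "inject scripts into granted hosts at runtime",
};

// Assumed list of high-value domains, built from those named in the thread;
// extend it for your own environment.
const HIGH_VALUE_HOSTS = [
  "binance.com", "coinbase.com", "hitbtc.com", "exmo.com",
  "localbitcoins.com", "github.com",
];

// Reduce a match pattern such as "*://*.binance.com/*" to its host.
// Returns "*" for patterns that cover every site and null for entries that
// are API permissions ("tabs", "cookies", ...) rather than host patterns.
function hostFromPattern(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(?:\*|https?|wss?|ftp):\/\/([^/]+)\//.exec(pattern);
  if (!m) return null;
  return m[1].replace(/^\*\./, "").toLowerCase();
}

// A host is high value if it is one of the listed domains, a subdomain of
// one, or the wildcard that covers them all.
function isHighValue(host) {
  return host === "*" ||
    HIGH_VALUE_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

function auditManifest(manifest) {
  const apiPerms = new Set();
  const hosts = new Set();
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // MV3 moves host patterns here
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const entry of declared) {
    const host = hostFromPattern(entry);
    if (host) hosts.add(host); else apiPerms.add(entry);
  }

  const findings = [];
  for (const p of apiPerms) {
    if (SENSITIVE_PERMISSIONS[p]) {
      findings.push(`permission "${p}": ${SENSITIVE_PERMISSIONS[p]}`);
    }
  }
  const targetedHosts = [...hosts].filter(isHighValue).sort();
  for (const h of targetedHosts) {
    findings.push(`host access to high-value domain ${h}`);
  }

  // The article's pattern: the extension both runs on the exchange pages and
  // can read their cookies or tabs. Either alone is common in benign
  // extensions; the combination is what lets a content script lift logins,
  // 2FA codes and CSRF tokens.
  const highRisk = targetedHosts.length > 0 &&
    (apiPerms.has("cookies") || apiPerms.has("tabs"));
  return { highRisk, targetedHosts, findings };
}

// Constructed sample, shaped like a "cashback" extension; not the real one.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "cashback-helper",
  permissions: ["tabs", "cookies", "storage",
                "*://*.binance.com/*", "https://www.coinbase.com/*"],
  content_scripts: [
    { matches: ["*://*.github.com/*", "*://*.hitbtc.com/*"], js: ["content.js"] },
  ],
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

To audit a real extension, read its manifest.json with JSON.parse and pass the object to auditManifest. A manifest only says what the extension can do, not what it does, so a clean result is a precondition rather than a clean bill of health; the extension described in the post, with write access to exchange domains plus tabs and cookies, would have been flagged on its declared permissions alone.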
#4
Thanks Bob. Yes that is bad code.
#5
Some people are just too trusting.
#6
IOTA says bulk of $11 million stolen tokens found, hacker worked alone (“Investigations showed existence of fraud originating from the website iotaseed.io, targeting users of IOTA, Europol said.”)

https://www.reuters.com/article/us-crypt...reddit.com
#7
(2019-02-02, 03:13 PM)Hugues Wrote: IOTA says bulk of $11 million stolen tokens found, hacker worked alone (“Investigations showed existence of fraud originating from the website iotaseed.io, targeting users of IOTA, Europol said.”)

https://www.reuters.com/article/us-crypt...reddit.com

Urgh... there is too much online crime.
#8
There is too much and it is too easy to get away with it. Either we need to be centralised and easier to trace or decentralised and a lot more secure / trustworthy. It may need a big company, house hold name type, to release a crypto and wallet to win over people.
#9
OH NO.... No big companies to watch. It's enough with Google, Apple etc.