The dangers of malicious browser extensions
Recently, I came across a project that promises to give you cashback on each transaction — including trading on centralized exchanges — and all you need to do is install a browser extension to get that 5% cashback.
If it’s too good to be true, it’s probably false.
At the time of discovery, their extension — Chrome extension ID liachincjagnalnmahhaioaogkngbmhf (CCB Cash) — had 181 users on it. The extension has now been removed from the store.
So, I inspected the code — it has very malicious behaviour.
The malicious extension is only interested in the following coins: BTC, ETH, BCH, BNB, LTC, XRP, ETC.
What permissions does it require?
When you first install the browser extension, it asks for write access to multiple domains including GitHub, Exmo, Coinbase, Binance, HitBTC, LocalBitcoins, and more.
It requests access to all open tabs and your cookies — these permissions are abused a lot to steal your assets from various exchanges and wallet services.
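As an added example (not code from the original post, and not the extension's own manifest), here is a small Node.js triage script that scores a manifest.json for exactly that combination: API permissions such as `tabs` and `cookies` alongside host access to exchange and wallet domains. The host list, the weights and the sample manifest are assumptions.

```javascript
// Added example, not code from the original post. Host list, weights and the
// sample manifest are constructed assumptions.
const RISKY_PERMISSIONS = { cookies: 3, tabs: 2, webRequest: 2, webRequestBlocking: 2 };
const SENSITIVE_HOSTS = ['binance.com', 'coinbase.com', 'exmo.com', 'hitbtc.com',
                         'localbitcoins.com', 'github.com'];
// Host part of a Chrome match pattern such as "*://*.binance.com/*".
// Returns '*' for <all_urls> or a wildcard-only host, null if not a pattern.
function hostOfPattern(pattern) {
  if (pattern === '<all_urls>') return '*';
  const m = /^(\*|https?|ftp|file):\/\/([^/]*)(\/.*)?$/.exec(pattern);
  if (!m) return null;
  const host = m[2];
  if (host === '' || host === '*') return '*';
  return host.startsWith('*.') ? host.slice(2) : host; // "*.binance.com" -> "binance.com"
}
// Scores a manifest and returns the findings so a reviewer can see why it was flagged.
function triageManifest(manifest) {
  const findings = [], sensitiveHosts = new Set();
  let score = 0;
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),                         // manifest v3 style
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ];
  for (const entry of declared) {
    if (Object.prototype.hasOwnProperty.call(RISKY_PERMISSIONS, entry)) {
      score += RISKY_PERMISSIONS[entry];
      findings.push(`API permission "${entry}"`);
      continue;
    }
    const host = hostOfPattern(entry);
    if (host === null) continue;                                   // e.g. "storage"
    if (host === '*') { score += 3; findings.push(`broad host pattern "${entry}"`); continue; }
    const hit = SENSITIVE_HOSTS.find(h => host === h || host.endsWith('.' + h));
    if (hit && !sensitiveHosts.has(hit)) {                         // count each domain once
      sensitiveHosts.add(hit);
      score += 1;
      findings.push(`access to exchange/wallet domain ${hit}`);
    }
  }
  const verdict = score >= 6 ? 'high-risk' : score >= 3 ? 'review' : 'low';
  return { score, verdict, findings, sensitiveHosts: [...sensitiveHosts] };
}
const SAMPLE_MANIFEST = { // constructed, not the real extension's manifest
  manifest_version: 2,
  permissions: ['tabs', 'cookies', 'storage', '*://*.binance.com/*', '*://*.coinbase.com/*'],
  content_scripts: [{ matches: ['*://*.exmo.com/*', 'https://github.com/*'], js: ['content.js'] }],
};
console.log(triageManifest(SAMPLE_MANIFEST)); // score 9, verdict "high-risk"
```

The score is only a triage signal: a manifest that lands in "review" or "high-risk" is a prompt to read the content scripts, not a verdict on its own.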
What does it do?
To sum it up in a sentence, it steals all your secrets depending on the domain you are on.
For example, on Binance it steals your login details, 2FA codes, and CSRF tokens, and attempts to automatically withdraw coins.
Let’s look at the actual execution…
Step 1) Stealing your Logins
There is code in the extension that triggers on a click event on the login button to steal the email and password inputs, store them in LocalStorage, and send them to their backend server without disrupting the exchange's normal login routine.
Step 2) Stealing 2FA codes
If you’re logging in, it monitors the 2FA input and waits for the form to be submitted. Once it is, it sends the entered 2FA code to their backend along with the email and password stored in…