Chrome Extension Stealing Cryptocurrency Keys and Passwords

A malicious Chrome extension surreptitiously steals Ethereum keys and passwords:

According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk.

Denley says that the extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk.

Second, the extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms. This code steals login credentials and private keys, data that is then sent to the same erc20wallet[.]tk third-party website.

Another example of how blockchain requires many single points of trust in order to be secure.
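As an added defender-side illustration (not part of the original post, and not code from the extension described), the script below reads a Chrome extension manifest and reports whether the extension holds broad host access and which of a user's sensitive sites its content scripts can be injected into. The manifest and the site list are constructed placeholders; the match-pattern logic follows Chrome's documented scheme://host/path form.

```python
import fnmatch
from urllib.parse import urlparse

# Constructed manifest, modelled on the behaviour the post describes (a wallet
# extension granted broad host access that injects a script into exchange sites).
SAMPLE_MANIFEST = {
    "name": "example-wallet",
    "permissions": ["storage", "https://*/*"],
    "content_scripts": [{"matches": ["https://*.exchange.test/*",
                                     "https://wallet.test/*"],
                         "js": ["inject.js"]}],
}
# Hypothetical placeholders for sites a user treats as sensitive.
SENSITIVE_URLS = ["https://app.exchange.test/", "https://wallet.test/login",
                  "https://bank.test/"]

def match_pattern_matches(pattern, url):
    """True if a Chrome extension match pattern (scheme://host/path) covers url."""
    if pattern == "<all_urls>":
        return True
    scheme, _, rest = pattern.partition("://")
    host_pat, _, path_pat = rest.partition("/")
    u = urlparse(url)
    if scheme == "*":
        if u.scheme not in ("http", "https"):
            return False
    elif scheme != u.scheme:
        return False
    host = u.hostname or ""
    if host_pat.startswith("*."):          # "*.foo" covers foo and its subdomains
        host_ok = host == host_pat[2:] or host.endswith("." + host_pat[2:])
    else:
        host_ok = host_pat == "*" or host == host_pat
    # The path part uses "*" as a wildcard; fnmatch implements that (query strings ignored).
    return host_ok and fnmatch.fnmatchcase(u.path or "/", "/" + path_pat)

def has_broad_host_access(manifest):
    """True if the manifest asks for every host (MV2 permissions or MV3 host_permissions)."""
    grants = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return any(g == "<all_urls>" or ("://" in g and g.split("://", 1)[1].split("/", 1)[0] == "*")
               for g in grants)

def injection_targets(manifest, urls):
    """Map each sensitive URL to the content-script files the extension may inject there."""
    hits = {}
    for cs in manifest.get("content_scripts", []):
        for url in urls:
            if any(match_pattern_matches(p, url) for p in cs.get("matches", [])):
                hits.setdefault(url, []).extend(cs.get("js", []))
    return hits

if __name__ == "__main__":
    print("broad host access:", has_broad_host_access(SAMPLE_MANIFEST))
    for url, scripts in injection_targets(SAMPLE_MANIFEST, SENSITIVE_URLS).items():
        print(f"{url} <- {scripts}")
```

Run it against the manifest.json of an unpacked extension to see, before installing, which of your own sites its scripts would reach.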

Posted on January 3, 2020 at 6:09 AM

Comments

Peter A Popovich January 3, 2020 2:05 PM

Mr. Schneier,

I see a real societal need that you or one of the community of people reading your blog could meet. A challenge to the community may be in order.

I am an amateur cryptographer who has been interested in this field throughout my life.

There is need for compromise in the area of “gun control / background checks / gun registration”. This is a big topic currently in Virginia.

What is needed is a system that will enable authorities to have access to gun records but only with the most stringent safeguards – meaning no ability for the government to “round up” the guns. However, when there is a crime committed, it would give government the ability to get at records including private sales when reasonable people co-operate. My thinking is to define a system with multiple people needing to co-operate to open the records (such as the attorney general of a state, the local police department, the private or commercial seller of the firearm, the president of a local gun rights organization (maybe the NRA)). Any one of these individuals or groups could block access to the records.

I believe that such a system could allow reasonable people to have their fears minimized and be the compromise needed to allow many pressing issues to be solved.

The first step would be to define the requirements of such a system.

Peter Popovich, Broad Run, Virginia (peter.popovich@gmail.com)

Clive Robinson January 3, 2020 5:16 PM

@ Bruce,

surreptitiously steals

Whilst being a nice turn of phrase, it is also a symptom of the way the industry is.

If code was plain language and openly available, people could sit down and read through it in much the same way they could a book. They could draw little diagrams etc, and in short play at being “A pencil and paper computer”. Then in most cases the word “surreptitiously” would not be the word of choice for such behaviours.

When you have no choice but to use a block of code “sight unseen” there is little you can do unless you have reasonable experience in fault finding and black box testing thinking. All anomalies you see from expected behaviour you would treat like a fault and with skill and a little luck on selecting inputs to the black box determine what the anomalous behaviour does or what it is related to.

Such skills are in short supply at the best of times, thus you would have thought they would be much sought after. But mainly they are not; in fact often they are not just expressly not wanted, they are legislated against.

Thus an environment is in effect created where criminality is rewarded because others take themselves and their often mediocre ideas too seriously and think they have invented a better mousetrap for which the world will pay handsomely. In reality the ideas are usually neither original nor unique and at best “borrowed” from others without any acknowledgment. Some would call this theft and there is legislation to this effect, but you have to break the law to prove you’ve been stolen from…

Thus with even Microsoft having been caught and punished committing such theft the question arises as to “Who can you trust?”

The answer would appear to be “no one”, unless you have sufficient leverage against them, and even that is by no means a sure fire thing.

I personally do not do online commerce; my only dalliance in that direction was with Amazon and they stole from me, so lesson learned at a small price.

The one thing I have learned over the years is no matter how long a chain of verifiable trust there is, it has two ends and beyond there neither verification nor trust can be established.

Thus the question arises of “Can a system be designed where all that requires trust and its verification be achieved within the chain?” and so far the answer appears to be “no” and that there is “no way yet known to change that in practical systems”.

just_passing_by January 3, 2020 5:30 PM

Peter A Popovich

This is unreal. You can design such a system, operate it for a while but after the next public shooting all the three-letter-agencies DEMAND access. And believe me, they WILL find a way to access that data.

SpaceLifeForm January 3, 2020 5:43 PM

@ Clive

Thus the question arises of “Can a system be designed where all that requires trust and its verification be achieved within the chain?” and so far the answer appears to be “no” and that there is “no way yet known to change that in practical systems”.

I do not see it either.

As far as I can see, the best (maybe only) solution requires face to face meet, exchange public keys.

It may work via an intro system but then it gets way more complicated.

Winter January 3, 2020 7:10 PM

“Another example of how blockchain requires many single points of trust in order to be secure.”

I see this malware as a standard Trojan Horse application.

If you can be tricked into using “evil” code, you lost all security.

The lesson is that you should only use code from trusted sources on critical systems. Browser extensions from random developers are not safe.

RRIck January 4, 2020 9:21 AM

The apps’ name is literally SHITCOIN.

That’s about as upfront and honest as a criminal can get, without coding in a popup that says “HEY, I’m about to steal your money if you use this app!”.

If you install an app called Shitcoin, that you downloaded from some random site on the internet, and then use that app to manage your finances / private keys / etc, and you type all your secrets into it without questioning it at all, at what point do you deserve what comes next?

Do we as a society really have ZERO individual responsibility left?

PentaKon January 4, 2020 9:22 AM

@Popovich

I do not believe that such a system would offer a good solution to the big problems. From my experience many of the gun massacre incidents end up with the perpetrators’ suicide or immediate arrest. Rarely do the authorities need to search for them. There is only one true solution. Americans need to surrender their weapons, period. Nothing is gained from them. No one will “protect their family” with their guns and never will the public rise against their government that has tanks and missiles. It’s just an illusion to sell fake protection to the people.

Clive Robinson January 4, 2020 11:42 AM

@ RRIck,

If you install an app called Shitcoin, that you downloaded from some random site on the internet, and then use that app to manage your finances / private keys / etc, and you type all your secrets into it without questioning it at all, at what point do you deserve what comes next?

The problem is, as was recently demonstrated with ToTok, even if you download a well talked about and praised application that appeared in both Apple’s and Google’s walled gardens, which is taken by many to be a sign of approval as some form of code review by supposed experts has taken place… You can still be well and truly invited to the “carless elevator ride”. Which brings us back to your question of,

at what point do you deserve what comes next?

I would say based on the evidence available from “built in in the supply chain”, “loaded from walled gardens”, and even “drive by” attacks the answer is,

    When turning on the power switch.

Or shortly thereafter.

The point I made up at the top of this thread of,

    Thus with even Microsoft having been caught and punished committing such theft the question arises as to “Who can you trust?” The answer would appear to be “no one”, unless you have sufficient leverage against them, and even that is by no means a sure fire thing.

Thus “blame the victim” reasoning is not just avoiding the real issue, but is in effect creating a strawman argument.

The fault lies squarely with two sets of people,

1, Those who develop the bad code.
2, Those who publish the bad code.

Thus the real hard question is,

    How do you stop or spot any bad code before it does harm?

As I also noted above about verified trust chains,

    Thus the question arises of “Can a system be designed where all that requires trust and its verification be achieved within the chain?” and so far the answer appears to be “no” and that there is “no way yet known to change that in practical systems”.

If you can think of a solution a lot of people would be rather more than interested.

tfb January 4, 2020 3:26 PM

So, wait. You install an extension whose name is ‘shitcoin wallet’; it asks you if it can insert JS into 77 sites. And, obviously, you immediately uninstall it and restore Chrome’s configuration from a backup. What do you mean ‘no, you don’t’?

Sheilagh Wong January 4, 2020 6:33 PM

You can know all the fancy math there is, you can get your software from reputable sources, but if your computer’s operating system isn’t secure your data isn’t secure.

1&1~=Umm January 4, 2020 6:41 PM

@tfb,

“You install an extension whose name is ‘shitcoin wallet'”

Would you like it more if it were to be called ‘unterschlagung portemonnaie’?

Clive Robinson January 4, 2020 7:15 PM

@ Sheilagh Wong,

… but if your computer’s operating system isn’t secure your data isn’t secure.

It’s funny how people don’t get what an “end run attack” is, or why your security end point needs to be beyond the communications end point, preferably “off device”.

Somebody mentioned Moxie Marlinespike would be at CCC [1] giving a talk, I wonder if anyone will ask him if he understands it yet 😉

[1] https://fahrplan.events.ccc.de/congress/2019/Fahrplan/speakers/9742.html

Sonia Bilton January 15, 2020 5:26 AM

You can know all the fancy math there is, you can get your software from reputable sources, but if your computer’s operating system isn’t secure your data isn’t secure.

jacksonmeade July 13, 2020 9:23 AM

Oh, not again! As a PrimeXBT user, I have to say that this stuff makes me think twice before using any app. How many insecure Chrome extensions are existing right now?
