Google Removes 49 Chrome Extensions Caught Stealing Crypto-Wallet Keys (zdnet.com)
Google has removed 49 Chrome extensions from the Web Store that posed as legitimate cryptocurrency wallet apps but contained malicious code that stole crypto-wallet private keys, mnemonic phrases, and other raw secrets. From a report: The 49 extensions were discovered by Harry Denley, Director of Security at the MyCrypto platform, who shared his findings exclusively with ZDNet last week. Denley says the 49 extensions appear to have been put together by the same person/group, believed to be a Russian-based threat actor. "Whilst the extensions all function the same, the branding is different depending on the user they are targeting," Denley said. The MyCrypto security researcher says he has identified malicious extensions posing as known crypto-wallet apps such as Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey.
And it took them how long? (Score:1)
Re:And it took them how long? (Score:5, Funny)
Well, Chrome *is* malware. It's just that Google doesn't like competition when it comes to stealing data.
Re: (Score:2)
Chrome has an exclusive contract with Brent Spiner?
Re: (Score:2)
That's Mr. Data to you.
Stay safe (Score:4, Interesting)
Re: (Score:3)
Really you need to use two browsers to stay safe: one without any plugins for banking and important things. Use another browser for plugins which you might need... Firefox tends to have all the same plugins as Chrome; personally I keep Chrome plugin-free and use it for important tasks. Firefox I use for web development and have some plugins.
If you do firefox -p username (use a link) it allows you to create and then start a second instance without plugins with the profile username. I only use extensions packaged by my distro and some google opt-out thing. Running unknown code just does not seem to be the right thing to do [tm].
Re: (Score:2)
Sandboxie was just open sourced and works very well. I use it religiously.
Hurt feelings for punishment? (Score:2)
I'm sure that getting their extension removed really hurt their feelings. Does that count as punishment?
Why is the extension security model so bad (Score:4, Interesting)
It seems more overwhelming and confusing than the Android model, where you are presented with a screen full of confusing jargon asking for a million different permissions, which people seem to ignore anyway if it means they get the latest video sharing app. And if random exploits can read arbitrary data from anywhere in the browser, which is what seems to have happened here(?), it sounds even less secure. There's not a lot of technical info in the source article [medium.com] that TFA seems to be based on.
Just had a quick look through the few Chrome extensions I have (all disabled); they mostly seem to require permissions like "Allow this extension to read and change all your data on websites you visit", which I guess is probably what these malicious extensions used to get the data they want to steal.
Google Docs Offline has "Communicate with cooperating websites"(?!). It seems I have to go read the developer documentation to figure out what the hell this means.
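The poster's "quick look through the few Chrome extensions I have" can be done mechanically. The following is an added example, not code from the ZDNet report or from anyone in this thread: it reads extension manifests and flags the ones whose host patterns amount to Chrome's "read and change all your data on websites you visit" warning. It assumes the usual unpacked-extension layout (`<profile>/Extensions/<id>/<version>/manifest.json`) and the standard Manifest V2/V3 fields `permissions`, `host_permissions` and `content_scripts[].matches`; the two sample manifests at the bottom are constructed for illustration and are not real extensions.

```python
"""Audit Chrome/Chromium extension manifests for broad host access.

Added example, not code from the ZDNet report or the Slashdot thread. Assumes
the standard on-disk layout <profile>/Extensions/<id>/<version>/manifest.json
and the MV2/MV3 fields "permissions", "host_permissions" and
"content_scripts[].matches". Sample manifests below are constructed.
"""
import json
import os
from typing import Dict, List

# Match patterns Chrome surfaces as "Read and change all your data on all websites".
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions worth a second look when combined with all-site access.
SENSITIVE_API_PERMISSIONS = {"tabs", "webRequest", "cookies", "clipboardRead", "nativeMessaging"}


def host_patterns(manifest: dict) -> List[str]:
    """Collect every match pattern that grants page access, across MV2 and MV3 layouts."""
    patterns: List[str] = []
    # MV2 mixed host patterns into "permissions"; MV3 moved them to "host_permissions".
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
                patterns.append(p)
    # Content scripts run on every URL they are declared to match.
    for cs in manifest.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    return patterns


def is_broad(pattern: str) -> bool:
    """True for a pattern that matches every site (wildcard host on a web scheme)."""
    if pattern in BROAD_PATTERNS:
        return True
    # "*://*/some/path" still covers every host; "*://*.example.com/*" does not.
    scheme, _, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    return scheme in ("*", "http", "https") and host == "*"


def audit_manifest(manifest: dict) -> Dict[str, object]:
    """Summarise one manifest: name, whether it reaches every site, and the risky patterns."""
    broad = sorted({p for p in host_patterns(manifest) if is_broad(p)})
    api_perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    return {
        "name": manifest.get("name", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "all_sites": bool(broad),
        "broad_patterns": broad,
        "sensitive_permissions": sorted(api_perms & SENSITIVE_API_PERMISSIONS),
    }


def audit_profile(extensions_dir: str) -> List[Dict[str, object]]:
    """Walk <profile>/Extensions and audit every manifest.json found (path is an assumption)."""
    results = []
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
                report = audit_manifest(json.load(fh))
            report["path"] = root
            results.append(report)
    return results


# Constructed sample manifests (not real extensions): a wallet-style one that asks
# for every site plus the tabs API, and one scoped to a single origin.
SAMPLE_BROAD = {
    "manifest_version": 3,
    "name": "Sample Wallet Helper",
    "permissions": ["storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}
SAMPLE_NARROW = {
    "manifest_version": 2,
    "name": "Sample Docs Helper",
    "permissions": ["storage", "https://docs.example.invalid/*"],
}

if __name__ == "__main__":
    for m in (SAMPLE_BROAD, SAMPLE_NARROW):
        r = audit_manifest(m)
        flag = "ALL SITES" if r["all_sites"] else "scoped"
        print(f"{r['name']:<22} MV{r['manifest_version']} {flag} "
              f"{r['broad_patterns']} {r['sensitive_permissions']}")
```

Run it against a real profile with `audit_profile("/path/to/profile/Extensions")`; anything reported with `all_sites` true has the same reach a page-scraping extension would need, so the question to ask is whether that extension has any legitimate reason to see every site you visit.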
Re: (Score:3)
Because the whole concept is bad.
"Let's allow people to make programs that run in our program! What could possibly go wrong?" is bad.
"Let's use a third party's software to provide an interface to our systems" is bad.
The end result is: "Let's use third party software, that may or may not be secure and which is running programs from fourth parties that may or may not be able to capture data, act as an interface for our systems where customers are inputting personally identifying information, financial in
So shocking...NOT (Score:2)
Seriously, who didn't see this coming?
"Oh hey I'll just put this free app on my phone and let it do whatever it wants, what could possibly go wrong?"
Free Wallet... (Score:2)
Oh good! (Score:2)
So now we're back to Chrome/Google mining for user data.