Author: Lisa & Yao
Editor: Liz
Recently, users have reported that the well-known Chrome proxy-switching plugin SwitchyOmega carries a risk of private key theft.
Analysis shows that this is not a new issue: security warnings about it have existed since last year. However, some users may have overlooked those warnings and are still using contaminated versions of the plugin, exposing themselves to serious risks such as private key leakage and account hijacking. This article analyzes how the plugin was tampered with and discusses how to prevent plugin tampering and how to respond to malicious plugins.
Event Review
The earliest disclosure of this incident came from an attack investigation [1]. On December 24, 2024, an employee of Cyberhaven fell victim to a phishing email, and as a result the browser plugin Cyberhaven publishes was injected with malicious code that attempted to steal users' browser cookies and passwords and upload them to the attacker's server. Cyberhaven engaged Booz Allen Hamilton to conduct an independent investigation, and Booz Allen Hamilton's threat intelligence report [2] found that over 30 plugins in the Chrome Web Store had suffered the same attack, including Proxy SwitchyOmega (V3).
The phishing email claimed that the browser extension published by Cyberhaven violated Google's terms and threatened that the plugin would be revoked unless action was taken immediately. Under this pressure, the employee clicked the phishing link in the email and authorized an OAuth application called 'Privacy Policy Extension'. The core risk of OAuth here is that once the attacker's application has been granted access, the attacker can control the victim's account and modify application data remotely without ever knowing the password. The following image shows the phishing email forged by the attacker.
After the attacker gained control of Cyberhaven's Chrome Web Store account, they uploaded a new version of the extension containing malicious code and relied on Chrome's automatic update mechanism so that affected users were updated to the malicious version without noticing (version 24.10.4, hash DDF8C9C72B1B1061221A597168F9BB2C2BA09D38D7B3405E1DACE37AF1587944).
The malicious plugin contains two files. One of them, worker.js, connects to the command-and-control (C&C) server, downloads configuration, and stores it in Chrome's local storage; it then registers listeners for events from content.js. The malicious version of the Cyberhaven extension (24.10.4) went live at 1:32 AM (UTC) on December 25 and was removed at 2:50 AM (UTC) on December 26, a total of 31 hours. During this period, any Chrome browser running the extension would automatically download and install the malicious code.
Booz Allen Hamilton's report indicates that the affected plugins had been downloaded more than 500,000 times from the Chrome Web Store in total, and that sensitive data from over 2.6 million user devices was stolen, a significant security risk to users. These tampered extensions were listed in the Chrome Web Store for up to 18 months, and during that time the affected users were almost entirely unaware that their data had been leaked.
(List of affected Chrome plugins and user statistics [3])
Because the Chrome Web Store is phasing out support for V2 (Manifest V2) plugins, and the official original SwitchyOmega [4] is a V2 plugin, it too falls within the unsupported range.
The contaminated malicious version [5] is V3, and its developer account is not the same as that of the original V2 version. It therefore cannot be confirmed whether this version was released officially, whether the official account was compromised and used to upload a malicious version, or whether the V3 author was malicious from the outset.
The SlowMist security team recommends that users check the ID of installed plugins to confirm whether they are the official version. If affected plugins are found, they should be updated to the latest secure version immediately or removed directly to reduce security risks.
How to prevent plugin tampering?
Browser extensions have always been a weak link in cybersecurity. To avoid tampered or malicious plugins, users need to protect themselves at three stages: installation, use, and management.
1. Only download plugins from official channels.
Prioritize using the official Chrome Web Store, and do not trust third-party download links found online.
Avoid using unverified 'cracked' plugins, as many modified plugins may have backdoors implanted.
2. Be wary of plugin permission requests.
Be cautious when granting permissions; some plugins may request unnecessary permissions, such as access to browsing history, clipboard, etc.
Be vigilant if a plugin requests to read sensitive information such as private keys and wallet addresses.
3. Regularly check installed plugins.
Enter chrome://extensions/ in the Chrome address bar to view all installed plugins.
Pay attention to the recent update time of the plugin. If the plugin has not been updated for a long time but suddenly releases a new version, be wary of possible tampering.
Regularly check the developer information of the plugin; if the plugin has changed developers or permissions have changed, be vigilant.
4. Use MistTrack to monitor the flow of funds and prevent asset loss.
If you suspect that your private key has been leaked, you can use MistTrack for on-chain transaction monitoring to keep track of fund flows.
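The ID comparison that the SlowMist team recommends in the event review, and the inventory checks in point 3 above, can be scripted. The following is an added example written for this article, not a tool from SlowMist or the SwitchyOmega project: it walks Chrome's per-profile Extensions directory (laid out as Extensions/<id>/<version>/manifest.json), compares each extension ID against the official listing [4] and the contaminated V3 listing [5], and lists permissions worth a second look. The Chrome profile paths are the standard defaults; the sample manifests and the third placeholder ID are constructed for the demonstration and are not the real listings' manifests.

```python
"""Inventory installed Chrome extensions and flag known-bad IDs and sensitive permissions.

Added example for this article; not a SlowMist or SwitchyOmega tool.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Extension IDs come from the article's links: [4] is the official Manifest V2 listing,
# [5] is the contaminated "V3" listing published under a different developer account.
OFFICIAL_IDS = {"padekgcemlokbadohgkifijomclgjgif": "Proxy SwitchyOmega (official, V2)"}
KNOWN_BAD_IDS = {"hihblcmlaaademjlakdpicchbjnnnkbo": "Proxy SwitchyOmega V3 (contaminated listing)"}

# Permissions worth a second look. The article names browsing history and the clipboard;
# cookies and <all_urls> are added here because the Cyberhaven payload targeted cookies.
SENSITIVE_PERMISSIONS = {"history", "clipboardRead", "cookies", "<all_urls>"}


def default_extensions_dir(profile="Default"):
    """Best-effort location of Chrome's per-profile Extensions directory (assumed standard paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        base = local / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        base = home / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        base = home / ".config" / "google-chrome"
    return base / profile / "Extensions"


def scan_extensions(extensions_dir):
    """Walk Extensions/<id>/<version>/manifest.json and classify every installed extension."""
    report = []
    for id_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        ext_id = id_dir.name
        if ext_id in KNOWN_BAD_IDS:
            verdict = "known-bad"
        elif ext_id in OFFICIAL_IDS:
            verdict = "official"
        else:
            verdict = "unknown"
        for manifest_path in sorted(id_dir.glob("*/manifest.json")):
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
            requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            report.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),  # may be an __MSG_*__ i18n placeholder
                "version": manifest.get("version", "?"),
                "manifest_version": manifest.get("manifest_version"),
                "verdict": verdict,
                "flagged_permissions": sorted(requested & SENSITIVE_PERMISSIONS),
            })
    return report


def build_sample_profile():
    """Constructed sample (not a real capture) laid out like Chrome's Extensions directory.
    The manifests below are invented for the demonstration, not the real listings' manifests."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    samples = {
        "padekgcemlokbadohgkifijomclgjgif/2.5.0": {
            "name": "Proxy SwitchyOmega", "version": "2.5.0", "manifest_version": 2,
            "permissions": ["proxy", "tabs", "storage"]},
        "hihblcmlaaademjlakdpicchbjnnnkbo/3.0.0": {
            "name": "Proxy SwitchyOmega V3", "version": "3.0.0", "manifest_version": 3,
            "permissions": ["proxy", "storage", "cookies"], "host_permissions": ["<all_urls>"]},
        "aaaabbbbccccddddeeeeffffgggghhhh/1.0.0": {  # placeholder ID for an unrelated extension
            "name": "Some Other Extension", "version": "1.0.0", "manifest_version": 3,
            "permissions": ["storage"]},
    }
    for rel, manifest in samples.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Pass a real Extensions directory as argv[1] (see default_extensions_dir); else use the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    for entry in scan_extensions(target):
        flags = ", ".join(entry["flagged_permissions"]) or "-"
        print(f'{entry["verdict"]:9s} {entry["id"]} {entry["name"]} {entry["version"]} '
              f'MV{entry["manifest_version"]} flagged: {flags}')
```

Run it against the output of default_extensions_dir() for each Chrome profile in use. An "unknown" verdict is not a finding by itself; it is the list to compare against the developer name and update date shown on chrome://extensions/, as point 3 describes, and a flagged permission on an extension whose job does not need it is the cue to look closer.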
Project teams, as the developers and maintainers of plugins, should take stricter security measures to prevent risks such as malicious tampering, supply chain attacks, and OAuth abuse.
1. OAuth access control.
Limit the scope of authorization and monitor OAuth logs. If the plugin needs OAuth for authentication, prefer a short-lived access token plus refresh token mechanism and avoid storing high-privilege tokens long term.
2. Enhance the security of Chrome Web Store accounts.
The Chrome Web Store is the only official release channel for plugins. Once a developer account is compromised, attackers can tamper with the plugin and push it to all user devices. Therefore, account security must be strengthened, such as enabling 2FA and using least privilege management.
3. Regular audits.
The integrity of the plugin code is at the core of a project's anti-tampering measures; regular security audits are recommended.
4. Plugin monitoring.
Project teams should not only ensure that new versions released are secure, but also continuously monitor whether the plugin has been hijacked. If problems are found, malicious versions should be removed immediately, a security announcement should be published, and users should be notified to uninstall the infected versions.
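Points 3 and 4 above both rest on knowing exactly what was released. The added example below (written for this article; not SlowMist's code or any extension project's) computes a deterministic SHA-256 over an unpacked extension directory so that a baseline can be recorded at audit time and compared against whatever is being served later, and narrows a mismatch down to the changed files. The sample release, and the tampered copy with an extra worker.js wired in through the manifest, are constructed here with inert placeholder contents. The digest covers the unpacked directory, not a packed .crx, so it is not comparable to a package hash like the one quoted for the Cyberhaven build.

```python
"""Deterministic content hash of an unpacked extension for release baselines and hijack monitoring.

Added example for this article; not code from SlowMist or any extension project.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digests(root):
    """Map of relative path -> SHA-256 of content for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def directory_digest(root):
    """Single SHA-256 over (path, content digest) pairs in sorted path order, so the value does
    not depend on filesystem ordering. This hashes the unpacked directory; it is not the hash
    of a packed .crx, so it will not match a store-reported package hash."""
    h = hashlib.sha256()
    for rel, digest in sorted(file_digests(root).items()):
        rel_bytes = rel.encode("utf-8")
        # Length-prefix the path so that path/content boundaries cannot be shifted.
        h.update(len(rel_bytes).to_bytes(4, "big") + rel_bytes + bytes.fromhex(digest))
    return h.hexdigest()


def diff_against_baseline(baseline, current):
    """Added, removed and modified paths between two file_digests() maps."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def build_sample_release():
    """Constructed unpacked extension standing in for an audited release (placeholder contents)."""
    root = Path(tempfile.mkdtemp(prefix="ext-release-"))
    files = {
        "manifest.json": json.dumps({"name": "Example Extension", "version": "1.0.0",
                                     "manifest_version": 3,
                                     "background": {"service_worker": "background.js"}}),
        "background.js": "// constructed placeholder for the audited release\n",
        "content.js": "// constructed placeholder content script\n",
    }
    for rel, body in files.items():
        (root / rel).write_text(body, encoding="utf-8")
    return root


def build_tampered_copy(release_root):
    """Copy of the release with an extra worker.js wired in through the manifest: the shape of
    the incident described in the event review, constructed here with inert placeholder contents."""
    tampered = Path(tempfile.mkdtemp(prefix="ext-tampered-")) / "ext"
    shutil.copytree(release_root, tampered)
    manifest = json.loads((tampered / "manifest.json").read_text(encoding="utf-8"))
    manifest["background"]["service_worker"] = "worker.js"
    (tampered / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (tampered / "worker.js").write_text("// constructed placeholder, deliberately inert\n",
                                        encoding="utf-8")
    return tampered


if __name__ == "__main__":
    release = build_sample_release()
    baseline = file_digests(release)        # record this at release/audit time
    print("release digest :", directory_digest(release))
    served = build_tampered_copy(release)   # what a monitor later pulls and unpacks
    print("served digest  :", directory_digest(served))
    print("differences    :", diff_against_baseline(baseline, file_digests(served)))
```

In practice the baseline map is stored with the release artefacts, and a scheduled job unpacks the version currently offered by the store and runs diff_against_baseline against it; any added file or modified manifest is the signal to pull the listing and publish the announcement point 4 calls for.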
How to handle plugins that have been implanted with malicious code?
If it is found that the plugin is infected with malicious code, or if there is suspicion that the plugin may pose a risk, it is recommended that users take the following measures:
1. Immediately remove the plugin
Go to the Chrome extension management page (chrome://extensions/) and find the affected plugin to remove it.
Thoroughly clear plugin data to prevent residual malicious code from continuing to run.
2. Change potentially leaked sensitive information.
Change all saved passwords in the browser, especially passwords related to cryptocurrency exchanges and bank accounts.
Create a new wallet and securely transfer assets (if the plugin accessed the cryptocurrency wallet).
Check whether any API keys have been leaked; revoke the old API keys immediately and issue new ones.
3. Scan the system for backdoors or malware.
Run antivirus or anti-malware tools (such as Windows Defender, AVG, Malwarebytes).
Check the Hosts file (C:\Windows\System32\drivers\etc\hosts) to ensure it has not been modified to malicious server addresses.
Check the browser's default search engine and homepage, as some malicious plugins may tamper with these settings.
4. Monitor accounts for abnormal activities.
Check the login history of exchanges and bank accounts. If abnormal IP logins are found, immediately change the password and enable 2FA.
Check the transaction history of cryptocurrency wallets to confirm if there are any abnormal transfers.
Check if social media accounts have been hijacked. If there are abnormal private messages or posts, change the password immediately.
5. Report to official channels to prevent more users from being victimized.
If you find that the plugin has been tampered with, contact the original development team or report it to Google through the Chrome Web Store.
You can contact the SlowMist security team to issue a risk warning and remind more users to pay attention to security.
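Step 3 above asks the user to check the hosts file. The added example below (not part of the original article) parses a hosts file, skips the stock loopback entries that ship with the operating system, and reports every remaining mapping, rating a hostname pointed at a remote address as high severity and a loopback sinkhole as low. The sample hosts content is constructed, using an address from the documentation range 203.0.113.0/24 and names under the reserved .example domain; the Windows path is the one given in the step above.

```python
"""Audit a hosts file: report every mapping that is not a stock loopback entry.

Added example for this article; not code from SlowMist.
"""
import ipaddress
import platform
import sys
from pathlib import Path

# (address, name) pairs that ship in clean hosts files; addresses in ipaddress's canonical form.
STOCK_ENTRIES = {
    ("127.0.0.1", "localhost"), ("::1", "localhost"), ("::1", "ip6-localhost"),
    ("::1", "ip6-loopback"), ("fe00::", "ip6-localnet"), ("ff00::", "ip6-mcastprefix"),
    ("ff02::1", "ip6-allnodes"), ("ff02::2", "ip6-allrouters"), ("ff02::3", "ip6-allhosts"),
    ("255.255.255.255", "broadcasthost"),
}

# Constructed sample, not a capture from a real machine. 203.0.113.0/24 is a documentation
# range and .example is a reserved domain, so nothing here resolves anywhere real.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
0.0.0.0         ads.example                                    # ad-block style sinkhole
203.0.113.45    www.exchange.example login.exchange.example    # redirect to a remote address
"""


def default_hosts_path():
    """The Windows path named in the article, or /etc/hosts elsewhere."""
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


def audit_hosts(text):
    """Return one finding per (address, hostname) pair that is not a stock entry.

    high: a hostname sent to a remote address (anything typed at that name goes to that host).
    low : a hostname sinkholed to loopback/0.0.0.0 (common for ad blocking, but a sinkholed
          security or exchange domain also blocks updates or access, so still review it).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append({"line": lineno, "ip": fields[0], "host": None,
                             "severity": "high", "reason": "malformed address field"})
            continue
        for host in fields[1:]:
            name = host.lower().rstrip(".")
            if (str(addr), name) in STOCK_ENTRIES:
                continue
            local = addr.is_loopback or addr.is_unspecified
            findings.append({
                "line": lineno, "ip": str(addr), "host": name,
                "severity": "low" if local else "high",
                "reason": "sinkholed to the local machine" if local
                          else "redirected to a remote address",
            })
    return findings


if __name__ == "__main__":
    # Pass a hosts file path as argv[1] (for example default_hosts_path()); otherwise the sample runs.
    if len(sys.argv) > 1:
        text = Path(sys.argv[1]).read_text(encoding="utf-8", errors="replace")
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f'[{f["severity"]}] line {f["line"]}: {f["ip"]} -> {f["host"]} ({f["reason"]})')
```

On a clean Windows installation every line of the hosts file is commented out, so the audit returns nothing; any high-severity finding naming an exchange, wallet or bank domain is exactly the modification step 3 warns about and should be removed before the passwords in step 2 are changed, otherwise the new credentials are typed into the same redirected page.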
Browser plugins can enhance user experience, but they may also become entry points for hacker attacks, leading to data breaches and asset losses. Therefore, while users enjoy convenience, they also need to remain vigilant and cultivate good security habits, such as cautiously installing and managing plugins, regularly checking permissions, and promptly updating or removing suspicious plugins. Meanwhile, developers and platform providers should also strengthen security measures to ensure the safety and compliance of plugins. Only through the joint efforts of users, developers, and platforms to enhance security awareness and implement effective protective measures can risks be genuinely reduced, safeguarding data and assets.
Related links
[1]https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension
[2]https://cdn.prod.website-files.com/64deefeac57fbbefc32df53d/678690faf3f050d53afc810a_FINAL_Cyberhaven_Threat%20Intelligence%20Briefing%20%5B2025-01-13%5D.pdf
[3]https://www.extensiontotal.com/cyberhaven-incident-live
[4]https://chromewebstore.google.com/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif
[5]https://chromewebstore.google.com/detail/proxy-switchyomega-v3/hihblcmlaaademjlakdpicchbjnnnkbo