Author: Lisa & Yao

Editor: Liz

Recently, some users reported that SwitchyOmega, a well-known Chrome proxy-switching extension, carries a risk of stealing private keys.

Another risk incident with Google plug-ins: SwitchyOmega was exposed to steal private keys. How to prevent plug-ins from being tampered with?

Our analysis found that this is not the first time this security issue has surfaced: related security warnings were already published last year. However, some users may not have noticed those warnings and are still using the tainted version of the plug-in, which exposes them to private key leakage, account hijacking, and other serious risks. This article analyzes how the plug-in was tampered with and explores how to prevent plug-in tampering and respond to malicious plug-ins.

Event Review

The earliest disclosure of this incident came from an attack investigation[1]. On December 24, 2024, a Cyberhaven employee was targeted by a phishing email, which led to malicious code being injected into the browser extension he published; the code attempted to steal users' browser cookies and passwords and upload them to the attacker's server. Cyberhaven engaged Booz Allen Hamilton to conduct an independent investigation. Booz Allen Hamilton's threat intelligence report[2] pointed out that more than 30 extensions in the Chrome Web Store had been attacked in the same way, including Proxy SwitchyOmega (V3).

The phishing email claimed that the browser extension published by Cyberhaven violated Google's terms and threatened that the extension would be taken down if no immediate action was taken. Under that sense of urgency, the employee clicked the phishing link in the email and authorized an OAuth application called "Privacy Policy Extension". The core risk of OAuth is that once an attacker's OAuth application has been granted access, the attacker can remotely control the victim's account and modify application data without needing a password. The figure below shows the OAuth authorization phishing email interface forged by the attacker.


After gaining control of Cyberhaven's Chrome Web Store account, the attacker uploaded a new version of the extension containing malicious code and relied on Chrome's automatic update mechanism to move affected users to the malicious version (version number 24.10.4, hash value DDF8C9C72B1B1061221A597168F9BB2C2BA09D38D7B3405E1DACE37AF1587944) without their knowledge.


The malicious extension consists of two files. The worker.js file connects to the command-and-control (C&C) server, downloads the configuration and stores it in Chrome's local storage; it then registers a listener for events sent by content.js. The malicious version of the Cyberhaven extension (24.10.4) went live at 1:32 a.m. (UTC) on December 25 and was removed at 2:50 a.m. (UTC) on December 26, for a total of 31 hours. During this window, Chrome browsers running the extension automatically downloaded and installed the malicious code.


Booz Allen Hamilton's investigation report pointed out that the affected extensions had accumulated more than 500,000 downloads on the Chrome Web Store, and that sensitive data was stolen from more than 2.6 million user devices, posing a huge security risk to users. These tampered extensions remained available on the Chrome Web Store for up to 18 months, and during that period the affected users were almost entirely unaware that their data had been leaked.


(List of affected Chrome extensions and user statistics [3])

Because the Chrome Web Store's update policy is gradually ending support for Manifest V2 plug-ins, the official original SwitchyOmega plug-in [4], which is a V2 extension, is no longer supported.


The tainted malicious version[5] is the V3 version, and it was published from a developer account different from that of the original V2 version. It is therefore impossible to confirm whether this version was released officially, whether the official account was hacked and the malicious version uploaded, or whether the author of the V3 version is acting maliciously.


The SlowMist security team recommends that users check the ID of the installed plug-in to confirm whether it is the official version. If the affected plug-in is found to be installed, update it to the latest secure version immediately or remove it outright to reduce the risk.

How to prevent plugins from being tampered with?

Browser extensions have always been a weak link in security. To prevent plug-ins from being tampered with, or malicious plug-ins from being installed, users need to take security measures at installation, during use, and in ongoing management.

1. Only download plugins from official channels

  • Give priority to using the Chrome official store and do not trust third-party download links on the Internet.

  • Avoid using unverified "cracked" plug-ins; many modified plug-ins have backdoors implanted in them.

2. Be wary of plugin permission requests

  • Be cautious when granting permissions, as some plugins may request unnecessary permissions, such as access to browsing history, clipboard, etc.

  • If you encounter a plug-in that asks you to read sensitive information, be vigilant.

3. Check installed plugins regularly

  • Type chrome://extensions/ in the Chrome address bar to view all installed extensions.

  • Pay attention to the last update time of the plug-in. If the plug-in has not been updated for a long time but a new version is suddenly released, be alert to the possibility of tampering.

  • Check the developer information of the plug-in regularly. If the developer of the plug-in changes or the permissions change, be vigilant.

4. Use MistTrack to monitor fund flows and prevent asset losses

  • If you suspect that your private key has been leaked, you can use MistTrack to monitor on-chain transactions and keep abreast of fund flows.
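As an added example (not from the SlowMist post or the SwitchyOmega project), the following Python script applies the ID check recommended in the Event Review section and in step 3 above: it walks a Chrome profile's Extensions/<id>/<version>/manifest.json layout and classifies every installed ID against the official [4] and tainted [5] SwitchyOmega IDs taken from the links in this post, also reporting each extension's manifest version since the official build is V2 and the tainted one V3. The sample profile it builds is constructed data with placeholder version strings.

```python
import json
import os
import tempfile

# Extension IDs come from the Chrome Web Store links cited in the post.
OFFICIAL_IDS = {"padekgcemlokbadohgkifijomclgjgif"}  # Proxy SwitchyOmega, original V2 [4]
TAINTED_IDS = {"hihblcmlaaademjlakdpicchbjnnnkbo"}   # Proxy SwitchyOmega V3, tainted [5]


def audit_extensions(ext_dir, official=OFFICIAL_IDS, tainted=TAINTED_IDS):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and classify each ID
    as TAINTED (known bad), OFFICIAL (known good) or UNKNOWN (review manually)."""
    findings = []
    for ext_id in sorted(os.listdir(ext_dir)):
        id_dir = os.path.join(ext_dir, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version_dir in sorted(os.listdir(id_dir)):
            manifest_path = os.path.join(id_dir, version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            verdict = ("TAINTED" if ext_id in tainted
                       else "OFFICIAL" if ext_id in official else "UNKNOWN")
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "version": manifest.get("version", version_dir),
                "manifest_version": manifest.get("manifest_version"),
                "verdict": verdict,
            })
    return findings


def build_sample_profile():
    """Constructed sample Extensions directory (placeholder versions, not real data)."""
    ext_dir = os.path.join(tempfile.mkdtemp(), "Extensions")
    samples = {  # id: (name, version, manifest_version)
        "padekgcemlokbadohgkifijomclgjgif": ("Proxy SwitchyOmega", "1.0.0", 2),
        "hihblcmlaaademjlakdpicchbjnnnkbo": ("Proxy SwitchyOmega V3", "3.0.0", 3),
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ("Unrelated Extension", "0.1.0", 3),
    }
    for ext_id, (name, version, mv) in samples.items():
        vdir = os.path.join(ext_dir, ext_id, version + "_0")  # Chrome names dirs <version>_0
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": version, "manifest_version": mv}, fh)
    return ext_dir
```

Run `audit_extensions(build_sample_profile())` to see the three verdicts, or point `audit_extensions` at a real profile's Extensions directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows) to audit an actual install.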

For project parties, as plug-in developers and maintainers, stricter security measures should be taken to prevent risks such as malicious tampering, supply chain attacks, and OAuth abuse:

1. OAuth access control

  • Limit the scope of authorization and monitor OAuth logs. If the plug-in needs OAuth for authentication, prefer short-lived access tokens combined with refresh tokens, and avoid storing high-privilege tokens for long periods.

2. Enhance Chrome Web Store account security

  • Chrome Web Store is the only official release channel for plugins. Once a developer account is compromised, the attacker can tamper with the plugin and push it to all user devices. Therefore, account security must be enhanced, such as enabling 2FA and using least privilege management.

3. Regular audits

  • The integrity of the plugin code is the core of the project's anti-tampering efforts, and regular security audits are recommended.

4. Plugin monitoring

  • The project party must not only ensure the security of each newly released version, but also monitor in real time whether the plug-in has been hijacked. If a problem is found, the malicious version must be removed immediately, a security announcement issued, and users notified to uninstall the infected version.

How to deal with plugins that have been implanted with malicious code?

If you find that a plug-in has been infected with malicious code, or suspect that the plug-in may pose a risk, it is recommended that users take the following measures:

1. Remove the plugin immediately

  • Go to the Chrome extension management page (chrome://extensions/), find the affected plug-in and remove it.

  • Completely clear plugin data to prevent residual malicious code from continuing to run.

2. Change sensitive information that may be leaked

  • Change all saved passwords in your browser, especially those related to cryptocurrency exchanges and bank accounts.

  • Create new wallets and securely transfer assets (if the plugin accesses crypto wallets).

  • Check whether the API Key has been leaked, revoke the old API Key immediately, and apply for a new one.

3. Scan the system to check for backdoors or malware

  • Run antivirus or anti-malware tools (such as Windows Defender, AVG, Malwarebytes).

  • Check the Hosts file (C:\Windows\System32\drivers\etc\hosts) to make sure it has not been modified to a malicious server address.

  • Check your browser's default search engine and homepage; some malicious plugins can change these settings.

4. Monitor your account for unusual activity

  • Check the login history of exchanges and bank accounts. If any abnormal IP login is found, change the password immediately and enable 2FA.

  • Check the transaction records of the crypto wallet to confirm whether there are any abnormal transfers.

  • Check whether your social media accounts have been compromised. If there are any unusual private messages or posts, change your password immediately.

5. Report to the authorities to prevent more users from being harmed

  • If you find that the plug-in has been tampered with, you can contact the original development team or report it to Chrome officials.

  • You can contact the SlowMist security team to issue risk warnings and remind more users to pay attention to safety.
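For the hosts-file check in step 3 above, here is an added Python example (not from the SlowMist post) that parses a hosts file and reports every entry that points a non-local hostname at a routable address, which is the modification the step warns about. Loopback and 0.0.0.0 targets are skipped so ordinary ad-blocking entries do not trigger. The sample hosts content is constructed; the Windows path is the one given in the post.

```python
import ipaddress

# Constructed sample hosts file (not a real capture); the last two lines
# simulate the kind of tampering the post warns about.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test   # blocking entry, harmless
203.0.113.10    www.exchange-example.test  # redirects a site to another host
203.0.113.10    login.bank-example.test
"""

# Names that legitimately map to loopback or link-local addresses on most systems.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def suspicious_hosts_entries(text):
    """Return (line_no, address, hostname) for every hosts entry that points a
    non-local hostname at a routable address. Loopback and 0.0.0.0 targets are
    skipped, so ad-blocking entries do not trigger; unparseable addresses are
    reported as well because a damaged file is worth a look."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            hits.append((line_no, fields[0], "<unparseable>"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        for host in fields[1:]:
            if host.lower() not in LOCAL_NAMES:
                hits.append((line_no, str(addr), host))
    return hits


def load_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read the system hosts file (Windows path from the post; use /etc/hosts elsewhere)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()
```

`suspicious_hosts_entries(load_hosts())` lists the entries to review on a real machine; an internal server deliberately pinned in hosts will show up too, so treat the output as a review list rather than a verdict.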

Although browser plug-ins can improve the user experience, they can also become an entry point for attackers, bringing the risk of data leakage and asset loss. Therefore, while enjoying the convenience, users also need to remain vigilant and develop good security habits: install and manage plug-ins carefully, check permissions regularly, and promptly update or remove suspicious plug-ins. At the same time, developers and platform operators should strengthen their security protections to ensure that plug-ins are secure and compliant. Only when users, developers and platforms work together to raise security awareness and implement effective protections can we truly reduce risk and keep data and assets safe.

Related links

[1] https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension

[2] https://cdn.prod.website-files.com/64deefeac57fbbefc32df53d/678690faf3f050d53afc810a_FINAL_Cyberhaven_Threat%20Intelligence%20Briefing%20%5B2025-01-13%5D.pdf

[3] https://www.extensiontotal.com/cyberhaven-incident-live

[4] https://chromewebstore.google.com/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif

[5] https://chromewebstore.google.com/detail/proxy-switchyomega-v3/hihblcmlaaademjlakdpicchbjnnnkbo