Author: Lisa & Yao
Recently, some users reported that SwitchyOmega, the well-known Chrome proxy-switching plug-in, carries a risk of private key theft.

Our analysis found that this is not the first time the issue has surfaced: related security warnings were already issued last year. However, some users may not have noticed those warnings and are still using the tampered version of the plug-in, which exposes them to private key leakage, account hijacking, and other serious risks. This article analyzes how the plug-in was tampered with, and discusses how to prevent plug-in tampering and how to respond to malicious plug-ins.
Event Review
The earliest disclosure of this incident came from an attack investigation[1]. On December 24, 2024, an employee of Cyberhaven was targeted by a phishing email, which ultimately led to malicious code being injected into the browser plug-in the company had published, attempting to steal users' browser cookies and passwords and upload them to the attacker's server. Cyberhaven engaged Booz Allen Hamilton to conduct an independent investigation. Booz Allen Hamilton's threat intelligence report[2] pointed out that more than 30 plug-ins in the Google plug-in store had been attacked in the same way, including Proxy SwitchOmega (V3).

The phishing email claimed that the browser extension published by Cyberhaven violated Google's terms and conditions, and threatened that the plug-in would be revoked if no immediate action was taken. Under that sense of urgency, the employee clicked the phishing link in the email and authorized an OAuth application named "Privacy Policy Extension". The core risk of OAuth is that once an attacker obtains access through an OAuth grant, they can remotely control the victim's account and modify application data without ever needing the password. The figure below shows the forged OAuth authorization phishing email interface used by the attacker.

After gaining control of Cyberhaven's Chrome Web Store account, the attacker uploaded a new version of the extension containing malicious code and relied on Chrome's automatic update mechanism to push affected users to the malicious version (version number 24.10.4, hash value DDF8C9C72B1B1061221A597168F9BB2C2BA09D38D7B3405E1DACE37AF1587944) without their knowledge.

The malicious extension contains two files. The worker.js file connects to the command and control (C&C) server, downloads a configuration and stores it in Chrome's local storage, then registers a listener for events from content.js. The malicious version of the Cyberhaven extension (24.10.4) went live at 1:32 a.m. (UTC) on December 25 and was removed at 2:50 a.m. (UTC) on December 26, a total of 31 hours. During this window, Chrome browsers with the extension installed automatically downloaded and installed the malicious code.

The Booz Allen Hamilton investigation report pointed out that the affected plug-ins had cumulatively exceeded 500,000 downloads from the Google store, and that sensitive data, including private keys and mnemonics, was stolen from more than 2.6 million user devices, posing a huge security risk to users. These tampered extensions remained available in the Chrome Web Store for up to 18 months, and during that period the victims were almost entirely unaware that their data had been leaked.

(List of affected Chrome plugins and user statistics[3])
Because the Chrome Web Store's update policy is gradually dropping support for V2 plug-ins, and the official original SwitchyOmega[4] plug-in is a V2 extension, the official version is likewise no longer supported.

The tampered malicious version[5] is V3, and its developer account differs from the account of the original V2 version. It is therefore impossible to confirm whether this version was officially released, whether the official account was compromised and a malicious version uploaded, or whether the author of the V3 version acted maliciously themselves.

The SlowMist Security Team recommends that users check the ID of the installed plug-in to confirm whether it is the official version. If the affected plug-in is found to be installed, update it to the latest secure version immediately, or remove it outright to reduce the risk.
How to prevent plug-ins from being tampered with?
Browser extensions have always been a weak link in cybersecurity. To avoid installing malicious plug-ins or running tampered ones, users need to protect themselves at three stages: installation, use, and management.
1. Download plug-ins only from official channels
Prefer the official Chrome Web Store, and do not trust third-party download links found on the Internet.
Avoid unverified "cracked" plug-ins; many modified plug-ins may have backdoors implanted.
2. Be wary of plugin permission requests
Grant permissions with caution: some plug-ins request unnecessary permissions, such as access to browsing history or the clipboard.
If a plug-in asks to read sensitive information such as private keys or wallet addresses, be especially vigilant.
3. Check installed plug-ins regularly
Enter chrome://extensions/ in the Chrome address bar to view all installed plug-ins.
Pay attention to the plug-in's last update time. If a plug-in that has not been updated for a long time suddenly publishes a new version, be alert to possible tampering.
Regularly check the developer information of the plug-in. If the developer of the plug-in is changed or the permissions are changed, be vigilant.
4. Use MistTrack to monitor the flow of funds and prevent asset loss
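As an added example (not code from the original article or from the SwitchyOmega project), the following Python script automates the checks in point 3 above and the ID check recommended earlier. It walks a Chrome profile's Extensions directory (Chrome stores each installed extension as Extensions/<id>/<version>/manifest.json), reports every extension's ID, version, manifest version and any sensitive permissions, and, where a manifest carries its own key field, verifies that the directory's ID is the one Chrome derives from that key (SHA-256 of the DER-encoded public key, first 32 hex digits remapped from 0-9a-f to a-p). The point of the ID check is that an extension ID is bound to the developer's signing key, so a build published from a different developer account cannot share the official ID. The sample profile the script builds is constructed fixture data; the two key byte strings, the permission lists and the SENSITIVE_PERMISSIONS set are assumptions, not real extensions or an official list.

```python
import base64
import hashlib
import json
import os
import tempfile

# Assumed watch list: permissions worth a second look when reviewing an
# installed extension (not an official Google list).
SENSITIVE_PERMISSIONS = {
    "cookies", "history", "clipboardRead", "webRequest", "tabs",
    "scripting", "<all_urls>",
}


def extension_id_from_public_key(der_public_key: bytes) -> str:
    """Derive a Chrome extension ID from the DER-encoded public key that signs
    the package: first 32 hex digits of SHA-256(key), with 0-9a-f mapped to a-p.
    A package signed with a different key therefore gets a different ID."""
    digest = hashlib.sha256(der_public_key).hexdigest()[:32]
    return "".join(chr(ord("a") + int(h, 16)) for h in digest)


def audit_manifest(ext_id: str, version_dir: str, manifest: dict) -> dict:
    """Summarise one manifest: version, manifest version, flagged permissions
    and, when the manifest carries a developer-set 'key' field, whether the
    directory ID matches the key (Web Store installs usually keep the key in
    the CRX header instead, so this check is None for them)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    derived_id = None
    if "key" in manifest:
        derived_id = extension_id_from_public_key(base64.b64decode(manifest["key"]))
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "flagged_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        "id_matches_key": None if derived_id is None else derived_id == ext_id,
        "path": version_dir,
    }


def audit_extensions(extensions_root: str) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each."""
    findings = []
    for ext_id in sorted(os.listdir(extensions_root)):
        ext_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version_name in sorted(os.listdir(ext_dir)):
            version_dir = os.path.join(ext_dir, version_name)
            manifest_path = os.path.join(version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            findings.append(audit_manifest(ext_id, version_dir, manifest))
    return findings


def build_sample_profile() -> str:
    """Constructed fixture: a temporary Extensions directory holding one
    extension whose directory name is the ID derived from its (constructed)
    key, and one whose directory name does not match its key and which asks
    for cookie and web-request access."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    good_key = b"constructed-public-key-bytes-good"   # assumption, not a real key
    bad_key = b"constructed-public-key-bytes-bad"     # assumption, not a real key
    samples = [
        (extension_id_from_public_key(good_key), good_key, ["proxy", "storage"]),
        ("a" * 32, bad_key, ["cookies", "webRequest"]),
    ]
    for ext_id, key, perms in samples:
        version_dir = os.path.join(root, ext_id, "1.0.0_0")
        os.makedirs(version_dir)
        manifest = {
            "name": "Constructed sample extension",
            "version": "1.0.0",
            "manifest_version": 3,
            "permissions": perms,
            "key": base64.b64encode(key).decode("ascii"),
        }
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    # Point audit_extensions at a real profile's Extensions directory to audit
    # your own browser; the fixture below only demonstrates the output shape.
    for finding in audit_extensions(build_sample_profile()):
        print(finding)
```

On a real machine, compare the reported id against the ID shown on the official project's store listing, and treat an unexpected manifest version, a changed permission set, or an id_matches_key of False as a reason to remove the extension and investigate.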
Project teams, as plug-in developers and maintainers, should adopt stricter security measures to guard against risks such as malicious tampering, supply chain attacks, and OAuth abuse:
1. OAuth access control
Limit the scope of authorization and monitor OAuth logs. If the plug-in needs OAuth for authentication, prefer a short-lived access token plus refresh token mechanism, and avoid storing high-privilege tokens for long periods.
2. Enhance Chrome Web Store account security
The Chrome Web Store is the only official release channel for plug-ins. Once a developer account is compromised, the attacker can tamper with the plug-in and push it to every user's device. Account security must therefore be hardened, for example by enabling 2FA and applying least-privilege management.
3. Regular audits
4. Plugin Monitoring
The project team must not only ensure that each new release is safe, but also monitor in real time whether the plug-in has been hijacked. If a problem is found, remove the malicious version as soon as possible and issue a security announcement instructing users to uninstall the infected version.
How to deal with plug-ins that have been implanted with malicious code?
If you find that a plug-in has been infected with malicious code, or suspect that a plug-in may be risky, we recommend taking the following measures:
1. Remove the plug-in immediately
Go to the Chrome extension management page (chrome://extensions/), find the affected plug-in and remove it.
Clear the plug-in's data completely so that no remaining malicious code can continue to run.
2. Change sensitive information that may be leaked
Change all passwords saved in the browser, especially those for cryptocurrency exchanges and bank accounts.
Create a new wallet and transfer your assets securely (if the plug-in had access to your crypto wallet).
Check whether any API keys have been leaked; immediately revoke the old API keys and issue new ones.
3. Scan the system to check for backdoors or malware
Run anti-virus or anti-malware tools (such as Windows Defender, AVG, Malwarebytes).
Check the hosts file (C:\Windows\System32\drivers\etc\hosts) to make sure it has not been modified to point at a malicious server address.
Check the default search engine and homepage of the browser. Some malicious plug-ins will tamper with these settings.
4. Monitor your account for unusual activity
Check the login history of your exchange and bank accounts. If you find logins from unusual IP addresses, change your password immediately and enable 2FA.
Check the transaction records of your crypto wallet to confirm there are no unusual transfers.
Check whether your social media accounts have been compromised. If there are unusual private messages or posts, change your password immediately.
5. Report the issue so that more users are not harmed
If you find that a plug-in has been tampered with, contact the original development team or report it to the Chrome Web Store.
You can also contact the SlowMist security team to issue a risk warning so that more users are alerted to the danger.
Although browser plug-ins improve the user experience, they can also become an entry point for attackers, bringing risks of data leakage and asset loss. While enjoying the convenience, users therefore need to remain vigilant and build good security habits: install and manage plug-ins carefully, review permissions regularly, and promptly update or remove suspicious plug-ins. At the same time, developers and platform operators should strengthen their own security measures to ensure that plug-ins remain secure and compliant. Only when users, developers, and platforms work together to raise security awareness and implement effective protections can we truly reduce risk and keep data and assets safe.