Cryptocurrency's big browser extension problem
6 October, 2019
Those of us involved in the cryptocurrency space generally see crypto as a very safe and secure way to make payments. For all intents and purposes it is. But what would you say if someone told you that your cryptocurrency assets could be at risk due to the extensions you use in your web browser? Such risks do exist, though few people talk about them.
Cryptocurrencies like Bitcoin and Litecoin are considered secure for a number of reasons. First, transaction data is encrypted. Second, blockchain ledgers are designed to require consensus. Third, transactions are irrevocable once entered. Finally, miners have to provide some sort of proof of authority in order to verify transactions and build blocks for the ledger.
In essence, the cryptocurrency system itself is built to be secure. Yet as with all things cyber security, the weakest link in crypto is the users who buy and sell coins. Users themselves create the most security risks in any computer network. Hackers and thieves know this, and they are more than happy to exploit poor user behavior - which brings us to the web extension problem.
Extensions as hacking tools
A browser extension is a small piece of software added to a web browser to increase its functionality. There are literally tens of thousands of them floating around the cyber sphere. If you are like most people, you use at least a couple of extensions in your Chrome- or Mozilla-based browser. This is all well and good except for the fact that almost none of us know where our extensions come from.
According to Casa CEO Jeremy Welch, hackers can use browser extensions to gather a wealth of data without users knowing it. The risk that extensions pose is not just limited to cryptocurrency, either. A well-written extension could steal all sorts of data, including every character produced by a computer keyboard.
Welch says that it is possible to write a browser extension that tracks all web activity. When a user completes a cryptocurrency transaction, the extension steals all the data related to that transaction. Then a couple of things could happen.
One possibility is that the extension intercepts the coins being transferred and diverts them to the hacker's wallet. Another possibility is that the extension uses the information from the transaction to steal assets from both sender and receiver.
Stealing information in the background
Browser extensions are risky because users do not understand what they are capable of. Welch demonstrated as much during a recent presentation he made in Riga. He showed his audience one particular browser extension that offers wallpapers and inspiring quotes. What users don't know is that it steals data from know-your-customer (KYC) forms.
The extension steals the information in the background. While the user is appreciating a beautiful new wallpaper and a new quote that pops up in his/her browser daily, hackers are gleaning useful information every time he/she fills out a web form. The user does not even know he/she is being victimized.
That same browser extension is capable of stealing graphic data, like a driver's license photo for example. This means that it is theoretically possible to take all the information from a KYC form and combine it with a photo found on the victim's hard drive and use it to create a fake ID.
Losing your cryptocurrency
Knowing that browser extensions are capable of stealing all sorts of information is already bad enough. But should those extensions be used to steal cryptocurrency data, there is an additional problem to consider. Unlike identity theft issues which can almost always be reversed if given enough time, it is impossible to reverse cryptocurrency transactions.
Let us say you use Bitcoin to make a deposit at your favorite online casino. Once the deposit has been verified and added to the next block of the Bitcoin ledger, the transaction is permanent. It cannot be removed; it cannot be modified. As such, there would be no way for the casino to refund your coin by reversing the deposit. Giving you your money back would require the casino to create an entirely new transaction.
Now, think about the implications of that for just a minute. The irrevocable nature of cryptocurrency is such that you can never get coins back once they have been stolen from you. If a hacker steals your information using a browser extension and then uses that information to rob you of your crypto assets, you are out of luck.
This is why experts like Welch recommend never exposing your Bitcoin addresses anywhere online. Every time a cryptocurrency address is left exposed, it is open to theft. Addresses should be guarded with the same zeal and aggression you would apply to guarding a stockpile of gold or platinum.
How to protect yourself
As dire as the situation may sound, there is no reason to panic. First of all, it is not as though there are dozens of browser extensions currently robbing the crypto community of hundreds of thousands of dollars in coin. Incidents thus far have been quite isolated. However, that might change in the future. So it's a good idea to be proactive.
There are many things users can do to protect themselves against this particular kind of cyber-attack. The simplest and easiest solution is to avoid using browser extensions. It is not hard. Browser extensions may add functionality to a web browser, but they are not necessary for the browser to work as intended.
Let us go back to Welch's example of the extension that generated wallpaper and daily quotes. It is a perfect illustration of a browser extension that serves no real functional purpose. It is completely unnecessary. The browser will function just fine without it. So don't use it. You do not need your browser to be pretty.
Here are two more suggestions:
- Separate Browsers - If you believe there are some browser extensions you absolutely cannot live without, fine. Use a separate browser for all of your cryptocurrency transactions. Whatever browser you choose for this activity should be used with absolutely no browser extensions. This includes extensions that allegedly enhance your cryptocurrency experience.
- Cryptocurrency Apps - You could avoid the issue altogether simply by not using browsers to handle your crypto transactions. Instead, you can use cryptocurrency apps created by trusted developers. Apps are available for Android, iOS, Linux, and other platforms.
Using an app is a lot like using a paper wallet and cash to pay a merchant. The app acts as the wallet. Think of it in terms of buying a cup of coffee.
Imagine yourself standing at the counter of your favorite coffee shop waiting in anticipation for the caramel mocha latte you just ordered. When it comes time to pay, you pull out your wallet and extract a five-dollar bill. The money goes directly from your wallet into the merchant's cash register. There is nothing in between you and the merchant to interrupt the transaction.
When you use a cryptocurrency app to send or receive coin, you are dealing directly with the other person. You are not using a website as a third-party intermediary. You are not relying on a payment processor to handle the transaction for you. You are opening your wallet, retrieving coin, and handing it directly to the recipient who puts it in his wallet.
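For the Separate Browsers suggestion above, here is a way to check that a browser profile holds no extension able to read every page you visit, form fields included. This is an added example, not from the original article; it assumes a Chromium-style profile layout (Extensions/<id>/<version>/manifest.json) and runs against constructed sample manifests with made-up extension IDs and names.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that let an extension run on (and read) every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HOST_KEYS = ("permissions", "optional_permissions",
             "host_permissions", "optional_host_permissions")

def broad_access(manifest: dict) -> set:
    """Return the all-sites patterns a manifest requests, by any route."""
    requested = set()
    for key in HOST_KEYS:
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    return requested & BROAD

def audit_profile(extensions_dir: Path) -> dict:
    """Map extension id -> (name, sorted broad patterns) per installed extension."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, json.JSONDecodeError):
            report[ext_id] = ("<unreadable manifest>", ["unknown"])
            continue
        report[ext_id] = (manifest.get("name", "?"), sorted(broad_access(manifest)))
    return report

def demo() -> dict:
    """Audit a constructed sample profile holding two made-up extensions."""
    samples = {
        "aaaa-wallpaper-quotes": {"name": "Daily Wallpaper", "manifest_version": 2,
            "permissions": ["storage", "<all_urls>"],
            "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]},
        "bbbb-single-site": {"name": "Site Helper", "manifest_version": 3,
            "host_permissions": ["https://example.com/*"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            version_dir = Path(tmp) / ext_id / "1.0_0"
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest))
        return audit_profile(Path(tmp))

if __name__ == "__main__":
    for ext_id, (name, patterns) in demo().items():
        verdict = "reads every page: " + ", ".join(patterns) if patterns else "site-limited"
        print(f"{ext_id:24} {name:18} {verdict}")
```

Point audit_profile at the Extensions directory of the profile you use for crypto transactions; an empty report is the state the article recommends. The check only catches the all-sites patterns listed in BROAD, so a narrower pattern that still covers your exchange will not be flagged.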
A word about storage
Writing an article of this nature without discussing cryptocurrency storage doesn't make a lot of sense, so let's talk storage. How you store your cryptocurrency assets is as important as how you transfer them. Storage is another key area with very real security risks.
A fair number of people involved in cryptocurrency store their assets on exchanges. More often than not, they do so out of ignorance. They do not understand how risky this behavior is and, even if they do, they are not comfortable enough with digital wallets to store their assets any other way.
Here's the most important thing you need to know: cryptocurrency exchanges can be hacked. And in fact, many have been. We have seen several major incidents in the last few years in which millions of dollars' worth of coins have been stolen from hacked exchanges.
Remember that an exchange is a web property freely accessible by the general public. Anyone can visit an exchange site. That means anyone can hack it as well. The thing about exchanges is that they act as cryptocurrency custodians. Your coins are not stored in your wallet when they are sitting on an exchange. Instead, they are in the exchange's wallet. A person who knows what he/she is doing can break into the exchange and steal the wallet.
The point here is to store your cryptocurrency assets in cold storage. Remove them from the exchange, placing them in your own wallet stored on a removable drive. As an added measure of safety, write down your addresses on paper just in case your removable drive is ever damaged.
Now you know a bit more about cryptocurrency's browser extension problem. Although the problem is very real, widespread exploits have not been seen to date. You can avoid being a victim of any future exploits by not exposing your cryptocurrency addresses in a web browser loaded with extensions.