SwitchyOmega was exposed to stealing private keys. How to prevent plug-ins from being tampered with?
Editor
4 hours ago 6,893


Author: Lisa & Yao

Recently, some users have reported that SwitchyOmega, a well-known Chrome proxy-switching extension, carries a risk of stealing private keys.

Analysis showed that this security problem was not occurring for the first time: related security reminders had been issued as early as last year. However, some users may not have noticed the warning and are still using the tainted version of the plug-in, exposing themselves to serious risks such as private key leakage and account hijacking. This article analyzes how the plug-in was tampered with in this incident and explores how to prevent plug-in tampering and how to deal with malicious plug-ins.

Event Review

The earliest disclosure of this incident originated from an attack investigation [1]. On December 24, 2024, a Cyberhaven employee was targeted by a phishing email attack, as a result of which the browser plug-in he published was injected with malicious code that tried to steal cookies and passwords from the user's browser and upload them to the attacker's server. Cyberhaven invited Booz Allen Hamilton to conduct an independent investigation. Booz Allen Hamilton pointed out in its Threat Intelligence Report [2] that more than 30 plug-ins in the Chrome Web Store had suffered the same attack, including Proxy SwitchOmega (V3).

The phishing email claimed that the browser extension published by Cyberhaven violated Google's terms and threatened that the plug-in would be revoked if no immediate action was taken. Under that sense of urgency, the employee clicked the phishing link in the email and authorized an OAuth app called "Privacy Policy Extension". The core risk of OAuth is that once an attacker obtains access through the OAuth application, he can remotely control the victim's account and modify application data without ever needing a password. The following image shows the forged OAuth-authorization phishing email interface built by the attacker.

After gaining control of Cyberhaven's Chrome Web Store account, the attacker uploaded a new version of the extension containing malicious code and relied on Chrome's automatic update mechanism, so affected users remained unaware of it. Their browsers automatically updated to the malicious version (version number 24.10.4, hash value DDF8C9C72B1B1061221A597168F9BB2C2BA09D38D7B3405E1DACE37AF1587944).

The malicious plugin contains two files. worker.js connects to the Command & Control (C&C) server, downloads the configuration and stores it in Chrome's local storage, then registers a listener for events from content.js. The malicious version of the Cyberhaven extension (24.10.4) went live at 1:32 a.m. (UTC) on December 25 and was removed at 2:50 a.m. (UTC) on December 26, a window of 31 hours. During this time, any Chrome browser running the extension would automatically download and install the malicious code.

Booz Allen Hamilton's investigation report pointed out that the affected plug-ins had accumulated more than 500,000 downloads on the Chrome Web Store, and that sensitive data, including private keys and mnemonics, had been stolen from more than 2.6 million user devices, posing a huge security risk to users. These tampered extensions had been available on the Chrome Web Store for up to 18 months, and during this period victims were almost unable to detect that their data had been leaked.

(Affected Chrome plug-in list and user statistics[3])

Since the Chrome Web Store's update policy is gradually dropping support for Manifest V2 plug-ins, and the official original SwitchyOmega [4] plug-in is a V2 plug-in, it too falls within the unsupported range.

The contaminated malicious version [5] is a V3 version, and its developer account is not the same as that of the original V2 version. It is therefore impossible to confirm whether the version was officially released, whether it was uploaded from the official account after that account was hacked, or whether the author of the V3 version is malicious themselves.

The Slow Fog Security Team recommends that users check the ID of the installed plug-in to confirm whether it is the official version. If you find that an affected plug-in is installed, update to the latest secure version immediately or remove it outright to reduce the security risk.

How to prevent plugins from being tampered with?

Browser extensions have always been a weak link in cybersecurity. To avoid plug-ins being tampered with, or downloading malicious plug-ins in the first place, users need to protect themselves on three fronts: installation, use and management.

1. Only download plug-ins from official channels

Prefer the official Chrome Web Store, and do not trust third-party download links on the Internet.

Avoid using unverified "cracked" plug-ins; many modified versions may have had backdoors implanted.

2. Beware of permission requests for plug-ins

Grant permissions with caution. Some plug-ins request unnecessary permissions, such as access to browsing history, the clipboard, etc.

Be vigilant when you encounter plug-ins that ask to read sensitive information such as private keys, wallet addresses, etc.

3. Regularly check installed plugins

Enter chrome://extensions/ in the Chrome address bar to view all installed plugins.

Watch the plug-in's last update time. If a plug-in that has not been updated for a long time suddenly releases a new version, beware of the possibility that it has been tampered with.

Regularly check the plug-in's developer information. If the plug-in's developer has changed or its permissions have changed, be vigilant.
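As an added example (not code from the article, from SwitchyOmega or from Google), the following Python script performs the checks above offline: it derives an extension ID from a manifest's public key the way Chromium does (SHA-256 of the DER-encoded key, first 32 hex digits mapped onto the letters a to p), and diffs the declared permissions and author between two versions of an extension so that a sudden jump in permissions or a changed developer stands out. The two manifests, the author names and the placeholder key are constructed for the demonstration, and the set of "risky" permissions is the example's own judgement.

```python
import base64
import hashlib

# Permissions that deserve a second look before granting. This set is the
# example's own judgement, not a list from the article or from Google.
RISKY_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "clipboardRead", "history",
    "tabs", "debugger", "management", "nativeMessaging", "<all_urls>",
}


def extension_id_from_key(key_b64: str) -> str:
    """Derive a Chrome extension ID from a manifest's base64 "key" field.

    Chromium hashes the DER-encoded public key with SHA-256, keeps the first
    16 bytes (32 hex digits) and maps each hex digit 0..f onto a..p.
    Store-installed extensions usually carry no "key" in manifest.json; there
    the ID is simply the directory name under the profile's Extensions folder.
    """
    der = base64.b64decode(key_b64)
    hex_prefix = hashlib.sha256(der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in hex_prefix)


def all_permissions(manifest: dict) -> set:
    """Collect declared permissions from both Manifest V2 and V3 layouts."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    perms |= set(manifest.get("host_permissions", []))  # MV3 moves host patterns here
    return perms


def risky_permissions(manifest: dict) -> set:
    """The subset of a manifest's permissions that warrant scrutiny."""
    return all_permissions(manifest) & RISKY_PERMISSIONS


def audit_update(old_manifest: dict, new_manifest: dict) -> dict:
    """Compare two versions of the same extension and report what changed.

    Returns the added/removed permissions, the risky subset of the additions,
    and whether the author field changed, so a sudden permission jump or a
    developer swap stands out during a routine review.
    """
    old, new = all_permissions(old_manifest), all_permissions(new_manifest)
    added = sorted(new - old)
    return {
        "versions": (old_manifest.get("version"), new_manifest.get("version")),
        "added": added,
        "removed": sorted(old - new),
        "risky_added": sorted(set(added) & RISKY_PERMISSIONS),
        "author_changed": old_manifest.get("author") != new_manifest.get("author"),
    }


# Constructed manifests for demonstration only; not real extension metadata.
OLD_MANIFEST = {
    "manifest_version": 2, "name": "Example Proxy Switcher", "version": "1.0.0",
    "author": "original-dev", "permissions": ["proxy", "storage", "tabs"],
}
NEW_MANIFEST = {
    "manifest_version": 3, "name": "Example Proxy Switcher", "version": "1.0.1",
    "author": "someone-else",
    "permissions": ["proxy", "storage", "tabs", "cookies", "webRequest"],
    "host_permissions": ["<all_urls>"],
}

# Constructed placeholder, not a real DER public key; it only exercises the derivation.
PLACEHOLDER_KEY = base64.b64encode(b"constructed-placeholder-public-key").decode()

if __name__ == "__main__":
    print("ID for placeholder key:", extension_id_from_key(PLACEHOLDER_KEY))
    for key, value in audit_update(OLD_MANIFEST, NEW_MANIFEST).items():
        print(f"{key}: {value}")
```

In practice you would load `manifest.json` from each version directory under the profile's Extensions folder and compare the directory name with the ID the Chrome Web Store lists for the official extension; the permission diff is what to read before accepting an update that arrived after a long quiet period.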

4. Use MistTrack to monitor the flow of funds to prevent asset losses

For project teams, as the developers and maintainers of the plug-in, stricter security measures should be taken to prevent malicious tampering, supply chain attacks, OAuth abuse and other risks:

1. OAuth access control

Restrict the scope of authorization and monitor OAuth logs. If the plug-in needs OAuth for authentication, use a short-lived access token plus refresh token mechanism where possible, to avoid long-term storage of high-privilege tokens.

2. Enhance Chrome Web Store account security

The Chrome Web Store is the only official release channel for plug-ins. Once a developer's account is compromised, the attacker can tamper with the plug-in and push it to all user devices. Account security must therefore be enhanced, for example by enabling 2FA and applying least-privilege management.

3. Regular audit

The integrity of the plug-in code is at the core of a project's anti-tampering effort. Regular security audits are recommended.

4. Plugin monitoring

Project teams need not only to ensure the security of each newly released version, but also to monitor in real time whether the plug-in has been hijacked. If problems are found, remove the malicious version as soon as possible, issue a security announcement, and notify users to uninstall the infected version.

How to deal with plugins that have been implanted with malicious code?

If you find that a plug-in has been infected with malicious code, or suspect that a plug-in may be at risk, users are advised to take the following measures:

1. Remove the plugin immediately

Enter the Chrome extension management page (chrome://extensions/), find the affected plugin and remove it.

Clear plug-in data thoroughly to prevent residual malicious code from continuing to run.

2. Change sensitive information that may be leaked

Replace all saved passwords in your browser, especially those involving cryptocurrency exchanges and bank accounts.

Create a new wallet and transfer assets securely (if the plug-in had access to a crypto wallet).

Check whether any API keys have been leaked; immediately revoke the old API keys and apply for new ones.

3. Scan the system to check for backdoor or malware

Run antivirus software or anti-malware tools (such as Windows Defender, AVG, Malwarebytes).

Check the hosts file (C:\Windows\System32\drivers\etc\hosts) to make sure it has not been modified to point at a malicious server address.

Check the browser's default search engine and homepage, since some malicious plug-ins tamper with these settings.
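The hosts file check above can be automated. The following Python script is an added example, not part of the article: it parses hosts-file text, flags any mapping of a watched domain (for instance the exchange or wallet domains you care about), whether redirected to a remote address or blackholed, and lists other mappings to non-local addresses for review. The sample hosts content and the watchlist are constructed; on Windows you would read the path given in the article (C:\Windows\System32\drivers\etc\hosts), on Linux or macOS /etc/hosts.

```python
import ipaddress


def parse_hosts(text):
    """Return (line number, address, hostname) for every mapping in hosts-file text.

    Comments (# ...), blank lines and lines whose first field is not an IP
    address are skipped; one line may map several hostnames.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; leave it to manual review
        for host in parts[1:]:
            entries.append((lineno, addr, host.lower()))
    return entries


def suspicious_entries(text, watchlist):
    """Return hosts-file mappings that warrant attention, as (line, addr, host, reason).

    Rule 1: a watched domain (or any subdomain of it) should never appear in
    the hosts file at all; a remote target means traffic is redirected, a
    loopback/unspecified target means the service is blackholed.
    Rule 2: any other name mapped to a non-loopback, non-unspecified address
    is reported as a "non-local mapping" to review, since a normal hosts file
    rarely needs one.
    """
    flagged = []
    for lineno, addr, host in parse_hosts(text):
        local_target = addr.is_loopback or addr.is_unspecified
        watched = host in watchlist or any(host.endswith("." + w) for w in watchlist)
        if watched:
            reason = "watched domain blackholed" if local_target else "watched domain redirected"
            flagged.append((lineno, str(addr), host, reason))
        elif not local_target:
            flagged.append((lineno, str(addr), host, "non-local mapping"))
    return flagged


# Constructed sample hosts content; the addresses and names are placeholders.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample hosts file for the example",
    "127.0.0.1   localhost",
    "::1         localhost ip6-localhost",
    "0.0.0.0     ads.example.test              # ad-blocking style entry, benign",
    "203.0.113.7 wallet.example-exchange.test  # constructed: exchange domain redirected",
    "10.0.0.5    intranet.corp.test            # constructed: internal mapping, worth a look",
])

# Constructed watchlist; replace with the exchange and wallet domains you use.
WATCHLIST = {"example-exchange.test"}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, addr, host, reason in suspicious_entries(text, WATCHLIST):
        print(f"line {lineno}: {addr} -> {host}: {reason}")
```

Run it with the hosts file path as the only argument; with no argument it checks the constructed sample, which reports the redirected exchange domain on line 5 and the internal mapping on line 6 while ignoring the loopback and ad-blocking entries.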

4. Monitor whether there is abnormal activity in the account

Check the login history of exchange and bank accounts. If you find logins from unfamiliar IP addresses, change your password immediately and enable 2FA.

Check the transaction history of your crypto wallet to confirm whether there have been any abnormal transfers.

Check whether your social media accounts have been stolen. If there are abnormal private messages or posts, change your password immediately.

5. Feedback to the official to prevent more users from being harmed

If you find that the plugin has been tampered with, you can contact the original development team or report it to Chrome.

You can also contact the Slow Fog Security Team to issue a risk warning and remind more users to pay attention to safety.

Although browser plug-ins improve the user experience, they can also become entry points for hacker attacks, bringing risks of data breaches and asset losses. Therefore, while enjoying the convenience, users also need to stay vigilant and develop good security habits, such as installing and managing plug-ins carefully, regularly checking permissions, and promptly updating or removing suspicious plug-ins. At the same time, developers and platforms should strengthen their security protection measures to ensure the security and compliance of plug-ins. Only when users, developers and platforms work together to improve security awareness and implement effective protective measures can risks truly be reduced and data and assets be protected.
