Read on Twitter
β οΈ A browser extension is always a double-edged sword.
In general, there isn't much to disagree with in what @panosmek has written in this fantastic thread, but here are few additional thoughts:
π§΅π [1/13]
In general, there isn't much to disagree with in what @panosmek has written in this fantastic thread, but here are few additional thoughts:
π§΅π [1/13]
https://twitter.com/panosmek/status/1652383985450770439
[2/13] Browser extensions in and of themselves can easily be the source of #exploits.
So, rather than securing your #browser session, increasing your #privacy, or acting as a warning tool before signing transactions, it may turn out to be your worst enemy.
So, rather than securing your #browser session, increasing your #privacy, or acting as a warning tool before signing transactions, it may turn out to be your worst enemy.
[3/13] β Attack Vectors β
π§ There are merely two malicious concepts that will be exploited by #hackers to harm you while using #browser extensions:
πΈ Supply-Chain attack
πΈ Man-in-the-middle attack
π§ There are merely two malicious concepts that will be exploited by #hackers to harm you while using #browser extensions:
πΈ Supply-Chain attack
πΈ Man-in-the-middle attack
[4/13] β 1β£ Supply-Chain Attack β
Supply-Chain attacks are a threat that targets software DEVs and providers.
The objective is to get access to source codes, build processes, or update mechanisms through infecting legitimate programs in order to distribute #malware
Supply-Chain attacks are a threat that targets software DEVs and providers.
The objective is to get access to source codes, build processes, or update mechanisms through infecting legitimate programs in order to distribute #malware
[5/13] β 2β£ Supply-Chain Attack β
In the case of #browser extensions, this means that the #hacker will tamper somewhere along the line of delivering updates or installing the extensions.
As an example, look at the following:
π wordfence.com/blog/2017/08/cβ¦
In the case of #browser extensions, this means that the #hacker will tamper somewhere along the line of delivering updates or installing the extensions.
As an example, look at the following:
π wordfence.com/blog/2017/08/cβ¦
[6/13] β 3β£ Supply-Chain Attack β
Another unfortunate example is when DEVs sell their extension product to other firms without informing you.
They may then decide to spread #malware or spy on you, and they may not have your best interests at heart.
π theregister.com/2021/01/07/greβ¦
Another unfortunate example is when DEVs sell their extension product to other firms without informing you.
They may then decide to spread #malware or spy on you, and they may not have your best interests at heart.
π theregister.com/2021/01/07/greβ¦
[7/13] β 1β£ Man-In-The-Middle Attack β
#MITM, which is used in combination with the supply chain attack, is the fact that the suspicious actor intercepts your #browser internet traffic.
In most situations, this is used to eavesdrop on or tamper with your network data.
#MITM, which is used in combination with the supply chain attack, is the fact that the suspicious actor intercepts your #browser internet traffic.
In most situations, this is used to eavesdrop on or tamper with your network data.
[8/13] β 1β£ Solutions β
In general, #browser providers have safeguards in place to protect users from these kind of browser #extension attacks, so don't worry, they're not as widespread as you may assume.
Nonetheless, I would never suggest using any browser extension.
In general, #browser providers have safeguards in place to protect users from these kind of browser #extension attacks, so don't worry, they're not as widespread as you may assume.
Nonetheless, I would never suggest using any browser extension.
[9/13] β 2β£ Solutions β
In general, when actively using a #wallet, you must be aware that a single incorrectly signed TX will probably drain your whole wallet.
Hence, my 1st advice is:
πΈ For heavy activity, use hot #wallets
πΈ For #EVM-based NFTs, use burner wallets
In general, when actively using a #wallet, you must be aware that a single incorrectly signed TX will probably drain your whole wallet.
Hence, my 1st advice is:
πΈ For heavy activity, use hot #wallets
πΈ For #EVM-based NFTs, use burner wallets
[10/13] β 3β£ Solutions β
Transferring low-value TXs initially is always suggested before moving larger amounts.
But please don't let this distract you from the reality that #vulnerabilities can be engineered to trigger only when specific parameters (values) are satisfied. π
Transferring low-value TXs initially is always suggested before moving larger amounts.
But please don't let this distract you from the reality that #vulnerabilities can be engineered to trigger only when specific parameters (values) are satisfied. π
[11/13] β 4β£ Solutions β
If you don't want to abandon #browser extensions, use them only to "check" the TX intent within a constrained environment known as a virtual machine.
"Checking" may be done quickly and easily with:
[1] sandboxie-plus.com
[2] github.com/sandboxie-plus/
If you don't want to abandon #browser extensions, use them only to "check" the TX intent within a constrained environment known as a virtual machine.
"Checking" may be done quickly and easily with:
[1] sandboxie-plus.com
[2] github.com/sandboxie-plus/
[12/13] β 5β£ Solutions β
The actual signature for the requested TX should only be submitted on a new operating system and browser.
As a result, my final advice is:
πΈ Purchase and utilize a #hardwarewallet.
πΈ Purchase and use a dedicated laptop.
πΈ Install no #extensions.
The actual signature for the requested TX should only be submitted on a new operating system and browser.
As a result, my final advice is:
πΈ Purchase and utilize a #hardwarewallet.
πΈ Purchase and use a dedicated laptop.
πΈ Install no #extensions.
[13/13] I hope you appreciated this 𧡠that sheds some light on some of the negative aspects of browser extensions. π
Please follow me here:
@krippenreiter π
Feel free to contribute by sharing here: π
Please follow me here:
@krippenreiter π
Feel free to contribute by sharing here: π
https://twitter.com/krippenreiter/status/1652487407726460928?s=20
@threadreaderapp unroll
β’ β’ β’
Missing some Tweet in this thread? You can try to
force a refresh
γ
