Google plug-in has another risk incident: SwitchyOmega was exposed to stealing private keys. How to prevent plug-in from being tampered with?
Reprinted from panewslab
03/13/2025·6DAuthor: Lisa & Yao
Editor: Liz
Recently, some users have reported that SwitchyOmega, a well-known Chrome proxy switch plug-in, has the risk of stealing private keys.
After analysis, it was found that this security problem was not the first time it had occurred, and there were related safety reminders as early as last year. However, some users may not notice the warning and are still using the tainted version of the plug-in, thus facing serious risks such as private key leakage and account hijacking. This article will analyze the situation where the plug-in was tampered with this time, and explore how to prevent plug-in tampering and deal with malicious plug-ins.
Event Review
The earliest disclosure of this incident originated from an attack investigation [1]. On December 24, 2024, a Cyberhaven employee was subjected to a phishing email attack, causing the browser plug-in he published was injected with malicious code, trying to steal cookies and passwords from the user's browser and upload them to the attacker's server. Cyberhaven invited Booz Allen Hamilton to conduct an independent investigation. Booz Allen Hamilton pointed out in the Threat Intelligence Report [2] that more than 30 plug-ins in the Google Plugin Mall have suffered the same attack, including Proxy SwitchOmega (V3).
Phishing email claims that the browser extension released by Cyberhaven violates Google's terms and threatens that the plug-in will be revoked if no immediate action is taken. Out of urgency, the employee clicked on the phishing link in the email and authorized an OAuth app called "Privacy Policy Extension". The core risk of OAuth is that once an attacker obtains access to the OAuth application, he can remotely control the victim's account and modify the application data without a password. The following image shows the OAuth authorized phishing email interface forged by the attacker.
After gaining control of Cyberhaven's Chrome app store account, the attacker uploaded a new version extension containing malicious code and used Chrome's automatic update mechanism to allow affected users to automatically update to the malicious version without knowing it (version number 24.10.4, hash value DDF8C9C72B1B1061221A597168F9BB2C2BA09D38D7B3405E1DACE37AF1587944).
The malicious plugin contains two files, where the worker.js file connects to the Command & Control (C&C) server, downloads the configuration and stores it in Chrome's local storage. It then registers the listener to events from content.js. The malicious version of the Cyberhaven extension (24.10.4) was launched on December 25 at 1:32 am (UTC) and was removed at 2:50 am (UTC) on December 26 for a total of 31 hours. During this time, the Chrome browser running the extension will automatically download and install malicious code.
Booz Allen Hamilton 's investigation report pointed out that these attack-affected plugins have accumulated more than 500,000 downloads on Google Store, and sensitive data has been stolen from more than 2.6 million user devices, posing a huge security risk to users. These tampered extensions have been available for up to 18 months on the Google Chrome app store, and victims are almost unable to detect that their data has been leaked during this period.
(Affected Chrome plugin list and user statistics [3])
Since the Chrome Store update strategy gradually does not support V2 version plug-ins, and the official original version of SwitchyOmega [4] plug-ins are V2 versions, they are also within the unsupported range.
The contaminated malicious version [5] is the V3 version, and its developer account is not the same as the original V2 version. Therefore, it is impossible to confirm whether the version was officially released, nor can it be determined whether the official account was uploaded after being hacked, or whether the author of the V3 version had malicious behavior.
The Slow Fog Security Team recommends that users check the ID of the installed plugin to confirm whether it is the official version. If you find that the affected plug-in is installed, you should update to the latest security version immediately or remove it directly to reduce security risks.
How to prevent plugins from being tampered with?
Browser extensions have always been a weak link in network security. In order to avoid plug-ins being tampered with or downloaded to malicious plug-ins, users need to protect security from three aspects: installation, use and management.
1. Download plugins only from official channels
-
Priority is given to using the official Chrome store, and do not trust third-party download links on the Internet.
-
Avoid using unproven "cracked" plugins, many modified plugins may have been implanted in the backdoor.
2. Beware of plug-in permission requests
-
Grant permissions with caution, and some plug-ins may request unnecessary permissions, such as accessing browsing history, clipboard, etc.
-
When plug-ins require you to read sensitive information, be vigilant.
3. Regularly check for installed plugins
-
Enter chrome://extensions/ in the Chrome address bar to view all installed plugins.
-
Pay attention to the latest update time of the plug-in. If the plug-in has not been updated for a long time and a new version is suddenly released, you need to be wary of the possibility of being tampered with.
-
Regularly check the developer information of the plug-in. If the plug-in is replaced by the developer or the permissions change, be vigilant.
4. Use MistTrack to monitor fund flows to prevent asset losses
- If you suspect that the private key is leaked, you can use MistTrack to monitor the on-chain transactions to promptly understand the flow of funds.
For the project party, as the developer and maintainer of plug-ins, stricter security measures should be taken to prevent risks such as malicious tampering, supply chain attacks, and OAuth abuse:
1. OAuth Access Control
- Limit the scope of authorization and monitor the OAuth log. If the plug-in needs to use OAuth for authentication, try to use the Short-lived Token + Refresh Token mechanism to avoid long-term storage of high-permission tokens.
2. Enhance Chrome Web Store account security
- Chrome Web Store is the only official release channel for plug-ins. Once the developer's account is compromised, the attacker can tamper with the plug-in and push it to all user devices. Therefore, account security must be enhanced, such as enabling 2FA and using minimum permission management.
3. Regular audit
- The integrity of the plug-in code is the core of the project party's tamper-proof, and it is recommended to conduct regular security audits.
4. Plug-in monitoring
- The project party not only needs to ensure the security of the released new version, but also needs to monitor in real time whether the plug-in has been hijacked. If problems are found, remove the malicious version as soon as possible, issue a security announcement, and notify users to uninstall the infected version.
**How to deal with plugins that have been implanted with malicious
code?**
If you find that the plugin has been infected with malicious code, or you suspect that the plugin may be at risk, the following measures are recommended:
1. Remove the plugin now
-
Go to the Chrome extension management page (chrome://extensions/) and find the affected plug-in to remove.
-
Completely clear plug-in data to prevent residual malicious code from continuing to run.
2. Change sensitive information that may be leaked
-
Change all saved passwords in your browser, especially those involving cryptocurrency exchanges, bank accounts.
-
Create a new wallet and transfer assets securely (if the plugin accesses the crypto wallet).
-
Check whether the API Key is leaked, and immediately revoke the old API Key and apply for a new key.
3. Scan the system to check for backdoors or malware
-
Run antivirus or anti-malware tools (such as Windows Defender, AVG, Malwarebytes).
-
Check the Hosts file (C:\Windows\System32\drivers\etc\hosts) to make sure it has not been modified to the malicious server address.
-
Check out the browser's default search engine and homepage, and some malicious plugins will tamper with these settings.
4. Monitor the account for abnormal activities
-
Check the login history of the exchange and bank accounts. If you find abnormal IP login, you need to change your password immediately and enable 2FA.
-
Check the transaction history of the encrypted wallet to confirm whether there are any abnormal transfers.
-
Check whether your social media account has been stolen. If there are abnormal private messages or posts, you need to change your password immediately.
5. Feedback to the official to prevent more users from being harmed
-
If you find that the plugin has been tampered with, you can contact the original development team or report it to Chrome.
-
You can contact the Slow Fog Security Team to issue a risk warning and remind more users to pay attention to safety.
Although browser plug-ins can improve user experience, they may also become breakthroughs for hacker attacks, bringing the risk of data breaches and asset losses. Therefore, while enjoying the convenience, users also need to be vigilant and develop good safety habits, such as carefully installing and managing plug-ins, regularly checking permissions, timely update or remove suspicious plug-ins, etc. At the same time, developers and platforms should also strengthen security protection measures to ensure the security and compliance of plug-ins. Only when users, developers and platforms work together to improve security awareness and implement effective protective measures can risks be truly reduced and data and assets are guaranteed.
Related links
[3]https://www.extensiontotal.com/cyberhaven-incident-live
[4] https://chromewebstore.google.com/detail/proxy-switchyomega/padekgcemlokbadahgkifijomclgjgif
[5]https://chromewebstore.google.com/detail/proxy-switchyomega-v3/hihblcmlaaademjlakdpicchbjnnnkbo
