Browser extensions can help fraudsters steal your bitcoins: Casa CEO




Browser extensions can help fraudsters steal your crypto, Jeremy Welch, CEO of Casa, warned the audience at the Baltic Honeybadger conference in Riga this weekend.

"Browser extensions impose major risks, and these risks have not yet been addressed," said Welch.

Extensions can collect a multitude of data, which can be disclosed, stolen and used by fraudsters. Browser history, for example, can expose users' online habits, including crypto-related site visits.

"Make sure you do not expose your Bitcoin addresses anywhere," Welch warned.

Another thing to keep in mind is that some extensions capture users' KYC information and can pass it on to fraudsters. The only major multisig system requiring KYC at the moment is that provided by Unchained Capital, said Welch. He warns against commonly used consumer software that collects identity data.

As an example, Welch demonstrated an extension that provides screen backgrounds with inspirational quotes or other content but was actually stealing data as users filled in KYC forms. The malware stole graphical data, such as a photo of a driver's license, which is captured as code and easily decoded, giving hackers a real image of the identity document.

Silent data theft

All this happens in the background, without the user noticing.

"You have a good background here and you do not realize that your browser is actually dumping data," said Welch.

The same wallpaper extension can change a receiving address when you try to send your crypto to someone else (or yourself), instead sending it to a fraudster's wallet. The ubiquity and popularity of browser extensions make the situation very dangerous, Welch said:

"It's terrifying, isn't it? We all use browser extensions all the time."

Even if a user is very cautious and selective in what they use, the software can be upgraded and offer new insecure features without the consumer noticing it, Welch added.

Welch noted that many well-known applications require permissions sufficient to collect personal data, including password managers, the Grammarly text editing application, the Joule extension for browser-based Lightning transactions, Casa's Sats extension and the Lolli bitcoin extension.
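Welch's point that an update can add insecure capabilities without the user noticing can be checked by comparing the permissions an extension requests before and after the update. The following is an added example, not code from the talk or from Casa; the two manifests are constructed, and the function names are hypothetical.

```javascript
// Chrome permission names mapped to the data each one exposes (added example).
const SENSITIVE = new Map([
  ["history", "full browsing history"],
  ["tabs", "URL and title of every open tab"],
  ["clipboardRead", "clipboard contents, e.g. a copied receiving address"],
  ["webRequest", "observation of network requests"],
]);

// Host patterns that match every site, so injected scripts can read any form.
const isBroadHost = (p) =>
  p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Collect every grant, covering Manifest V2 (hosts inside "permissions"),
// Manifest V3 ("host_permissions") and content-script match patterns.
function grants(manifest) {
  const perms = manifest.permissions || [];
  const hosts = [
    ...perms.filter(isHostPattern),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const api = perms.filter((p) => !isHostPattern(p));
  return new Set([...api, ...hosts.map((h) => "host:" + h)]);
}

// Grants added by the update that are sensitive or match every site.
function escalations(oldManifest, newManifest) {
  const before = grants(oldManifest);
  return [...grants(newManifest)]
    .filter((g) => !before.has(g))
    .map((g) => {
      const host = g.startsWith("host:") ? g.slice(5) : null;
      const broad = host !== null && isBroadHost(host);
      const risk = host !== null
        ? (broad ? "can read and modify pages on every site" : null)
        : SENSITIVE.get(g) ?? null;
      return { grant: g, risk };
    })
    .filter((e) => e.risk !== null);
}

// Constructed sample: a wallpaper extension before and after an update.
const v1 = { manifest_version: 3, version: "1.0", permissions: ["storage"] };
const v2 = {
  manifest_version: 3, version: "1.1",
  permissions: ["storage", "history", "clipboardRead"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["quotes.js"] }],
};
console.log(escalations(v1, v2));
```

Run against the previous and current `manifest.json` of an installed extension, an empty result means the update requested nothing new from the sensitive set.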

The solution? There is no easy solution, says Welch. Developers can only continue to create better tools that will make the user experience safer and better.

"We all need to discuss these issues further because we are not yet in the phase where real attacks will take place."

Welch added that Casa plans to publish more security research in the near future and has encouraged Bitcoin developers and entrepreneurs to contact the company and share their concerns and ideas on how to solve security problems.

Image of Jeremy Welch by Anna Baydakova for CoinDesk
