Over the last few days, a researcher discovered that the SafeBrowse Chrome extension uses its users' computers to mine Monero (an alternative crypto currency similar to Bitcoin). With over 140000 users, this is most likely the most popular (and probably the first) Chrome extension mining a crypto currency without users' consent. It is not the only one …
As of today (23rd of September 2017), there are at least 16 other extensions that apply the same technique without informing their users (we also found two extensions that use the same technique to raise money for charities):
Id | Users | First Seen | First Mining | Last Update | Category | Author | Wallet |
---|---|---|---|---|---|---|---|
jjc | 21109 | 02-01 | 09-20 | 09-21 | Shopping | A | u19 |
gmc | 14125 | 02-01 | 09-19 | 09-21 | Productivity | B | BPZ |
nnj | 7591 | 02-01 | 09-20 | 09-20 | Fun | C | m3a |
ajo | 4346 | 05-20 | 09-20 | 09-19 | Soc. & Com. | D | zzF |
beh | 3939 | 04-01 | 09-19 | 09-19 | Soc. & Com. | E | 7Jj |
ahb | 1782 | 04-26 | 09-19 | 09-19 | Soc. & Com. | G | YdH |
kdp | 941 | 02-23 | 09-20 | 09-20 | Soc. & Com. | H | Esa |
oem | 783 | 02-01 | 09-20 | 09-20 | Prod. | D | m3a |
lem | 348 | 02-01 | 09-20 | 09-20 | Shopping | I | yRG |
iln | 226 | 02-01 | 09-20 | 09-20 | Dev. Tools | J | FrY |
edk | 157 | 04-24 | 09-19 | 09-19 | Prod. | K | 4pH |
kil | 136 | 02-01 | 09-21 | 09-21 | Prod. | L | 4Qh |
eki | 28 | 04-24 | 09-19 | 09-19 | Fun | K | 4pH |
ioh | 19 | 07-12 | 09-19 | 09-20 | News & Weather | M | UJ6 |
nnh | 4 | 08-05 | 09-19 | 09-19 | Shopping | I | yRG |
mng | 0 | 09-20 | 09-20 | 09-20 | Dev. Tools | O | HZI |
In this table, we pseudonymized the extension id (first column), the author (seventh column), and the Monero wallet (last column). Moreover, we report the number of users (second column), the date at which we first detected the extension as part of our research (third column), the first date (month and day, e.g., 02-01 is the 1st of February) at which we detected Monero mining code as part of the extension (fourth column), the date of the last update (fifth column), and the extension category (sixth column).
Before we dig into the details, let's be clear: these are all extensions with a comparatively small user base; in total they have less than 56000 users (roughly 40% of the user base of SafeBrowse). Still, analyzing these extensions, as well as SafeBrowse, reveals some interesting insights.
As part of our security research on browser extensions, we monitor extensions at least once every 24 hours. Thus, we have data that gives more insight into the SafeBrowse incident, and we can easily check other extensions in the Chrome store.
First, let’s have a look at the data of SafeBrowse:
After the publication of the SafeBrowse incident, we checked the other extensions in the store. In total, we found 16 extensions that mine crypto currencies without user consent. The extensions have between 0 and 21109 users and are offered by various authors in various categories:
We also found two extensions that mine Monero on purpose, to support charities. This allows users to donate "while browsing the web". This is, of course, a legitimate use. Interestingly, they use the same mining code as the questionable extensions discussed in the previous section. These two legitimate extensions were published on September 18 and September 22, respectively. While the one published on September 22nd was most likely inspired by the press coverage of the SafeBrowse incident, we cannot answer the question of whether the legitimate one published on September 18th inspired the misuse in SafeBrowse or not.
Of course, the final question to answer is "how much money can be made?" This question is not easy to answer. The people at Coinhive claim that "with just 10–20 active miners on your site, you can expect a monthly revenue of about 0.3 XMR (~$27)". Let's assume this means 20 active miners for 24 hours a day, every day of the month. As the extensions mine whenever Chrome is showing a website, we can use the average time people spend on the Internet for our further analysis: let's be optimistic and assume that each user of an extension mines for 120 hours a month (according to The Telegraph, teenagers use the Internet for more than 27 hours a week). This results in a revenue of ~$22000 for an extension with 100000 users. As the extensions need to mine in the background using as few resources as possible, the actual mining rate of these extensions is usually much lower, and a more realistic revenue might be more in the area of a few thousand dollars. Still, if Google detects the misuse within less than 21 hours, the possible gains are negligible.
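To make the estimate above reproducible, here is a small revenue model (an added example, not code from the original post) built only from the figures quoted in the text: Coinhive's claim of ~$27 per month for 20 miners running around the clock, 120 mining hours per user per month, and a throttle factor for miners that deliberately stay in the background. The user counts are copied from the table above; the 21-hour takedown window is the one mentioned in the text.

```python
from typing import Optional

# Assumptions taken from the post: 20 miners, 24 h/day, 30 days -> ~$27/month.
# Real yields depend on hash rate, network difficulty and the XMR price.
HOURS_PER_MONTH = 24 * 30


def usd_per_miner_hour(active_miners: int = 20, monthly_usd: float = 27.0) -> float:
    """Dollars earned per hour by one unthrottled miner, derived from Coinhive's claim."""
    return monthly_usd / (active_miners * HOURS_PER_MONTH)


def monthly_revenue(users: int, hours_per_user: float = 120.0,
                    throttle: float = 1.0, rate: Optional[float] = None) -> float:
    """Estimated monthly revenue for an extension with `users` installs.

    throttle < 1 models a background miner that uses only a fraction of the CPU,
    which is why the realistic figure is far below the optimistic one.
    """
    r = usd_per_miner_hour() if rate is None else rate
    return users * hours_per_user * throttle * r


def revenue_before_takedown(users: int, hours_until_detected: float,
                            active_fraction: float = 120.0 / HOURS_PER_MONTH,
                            throttle: float = 1.0) -> float:
    """Revenue accumulated if the store removes the extension after the given number of hours.

    active_fraction is the share of wall-clock time a user's browser is mining
    (120 h of 720 h per month with the post's assumption).
    """
    return users * hours_until_detected * active_fraction * throttle * usd_per_miner_hour()


# User counts of the 16 extensions listed in the table above.
TABLE_USERS = [21109, 14125, 7591, 4346, 3939, 1782, 941, 783, 348, 226, 157, 136, 28, 19, 4, 0]


def table_total_revenue(throttle: float = 1.0) -> float:
    """Combined optimistic monthly revenue of all 16 extensions in the table."""
    return sum(monthly_revenue(u, throttle=throttle) for u in TABLE_USERS)


if __name__ == "__main__":
    print(f"100k users, optimistic:      ${monthly_revenue(100_000):,.0f}/month")
    print(f"100k users, 10% CPU budget:  ${monthly_revenue(100_000, throttle=0.1):,.0f}/month")
    print(f"all 16 extensions combined:  ${table_total_revenue():,.0f}/month")
    print(f"140k users, removed in 21 h: ${revenue_before_takedown(140_000, 21):,.2f}")
```

The optimistic case reproduces the ~$22000 figure from the text; the throttled case and the takedown case show why detection speed matters more than install count.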
The most important takeaway is that the reporting mechanism for malicious extensions seems to work rather quickly for widely used (more than 100k users) extensions. Still, for extensions with a smaller user base it is less likely that severe changes in the intention of an extension (e.g., after it has been hijacked) are detected quickly. Moreover, even after an extension has already been banned from the store, new updates misusing the same approach can still be published in the Chrome store.
Finally, extensions are not only a juicy target for attackers who want to make money from mining crypto currencies; they are also a gateway for attacks on the security and privacy of browser users. Thus, to minimize the attack surface, we recommend installing as few extensions as possible and using the temporary profile feature of Chrome for testing. Of course, this does not help if a benign extension is hijacked and misused, as seems to be the case for the extensions discussed in this blog post. Here the situation is much more complex, and we will discuss this in future articles.