12 March 2016 – A popular browser plugin for Chrome was found to be surreptitiously stealing Bitcoin from its users today. The add-on’s exploit was discovered by the people at Bitstamp, and confirmed by developer Devon Weller. Bitstamp followed the discovery with an announcement on Twitter warning users to uninstall the plugin and let other’s know about its malicious code. The add-on is called “BitcoinWisdom Ads Remover” and it marks the first serious Bitcoin exchange security breach that doesn’t rely on targeting the central service as a point of failure.
Social Engineering Steals Bitcoin, No Virus Needed
BitcoinWisdom Ads Remover works without implementing traditional malware, allowing their exploit to compromise systems outside of the Windows ecosystem, as long as the victim has their add-on installed on chrome. The attack relies on social engineering and implements as sort of pseudo-man-in-the-middle attack. It works by replacing QR codes on popular exchanges (including Bitstamp) with fake QR codes that direct the user’s Bitcoin into the attacker’s wallets, a method similar to the one used by ATM skimmers. The add-on isn’t recognized by malware protection programs because it isn’t stealing information with viruses or things security programs typically look for, and the add-on’s behavior looks normal within the browser as well.
Because users aren’t likely to recognize the QR code as not corresponding to the correct address on the exchange, and the Ad-Blocking add-on otherwise works as intended, this simple social engineering technique has proven very effective without raising suspicion. That is, until the user starts hemorrhaging cryptocurrency. While this malware add-on doesn’t bypass the Blockchain’s security or compromise the Exchanges it affects, it raises questions about how we should be securing the convenience-oriented features that make Bitcoin transactions easier.
A lot of progress has been made towards making Bitcoin easier to use for the average person, but this security breach, that relies on an incredibly simple concept, exposed a lot of flaws in how we think about Bitcoin security. QR codes, zero confirmation transactions, and other off-chain features that make Bitcoin more convenient to use have multiple flaws in implementation that make them insecure. Bitcoin-based businesses should start putting more thought into features like cryptographical signing and redundant authentication to help secure their convenience-oriented features to protect them from malware and social engineering.
What should Bitcoin Exchanges and Applications do to patch holes in security like this? Let us know in the comments!