How to Recover Your Browser Wallet Extension from a Sudden Failure?
Author: Lisa & Aro
Editor: Liz
In today’s internet environment, threats like malware, viruses, phishing attacks, and more are constantly emerging. Installing antivirus software (such as AVG, Bitdefender, Kaspersky, Malwarebytes, and other internationally recognized products) can help users protect against malicious programs and improve system security. However, antivirus software provides basic protection, reducing risks but not guaranteeing absolute security. The fight against threats is a dynamic process, and installing antivirus software is just the first step in enhancing security. At the same time, antivirus software itself may generate false positives, creating additional risks.
Recently, some users reported that after installing antivirus software, certain browser extensions (especially cryptocurrency wallet extensions) were falsely flagged as malware, resulting in the isolation or deletion of the extension’s JavaScript files, which ultimately led to the wallet extension being damaged and unusable.
For Web3 users, this situation is particularly serious, as cryptocurrency wallet extensions typically store private keys. Improper handling could lead to wallet data loss, and in some cases, the inability to recover assets. Therefore, understanding how to properly restore extensions flagged as false positives is crucial.
How to Handle It?
If you find that antivirus software has caused damage to a browser extension due to a false positive, it is recommended to follow these recovery steps:
1. Restore Files from the Quarantine, Do Not Uninstall the Extension
If you find that an extension is not working, first check the antivirus software’s “Quarantine” or “History” for the falsely flagged files. Do not delete the quarantined files.
- If the files are still in quarantine, choose “Restore” and add the file or extension to the trusted list to prevent future false positives.
- If the files have already been deleted, check for automatic backups or use data recovery tools to recover them.
- Remember: do not uninstall the extension! Even if the extension is damaged, the local files holding the encrypted private key data may still exist, which could allow recovery.
2. Backup and Locate Local Extension Data
Extension data is usually stored on the local disk. Even if the extension cannot be opened, you may still find the relevant data and restore from it (using MetaMask’s extension ID as an example: nkbihfbeogaeaoehlefnkodbefgpgknn):
- Windows path reference:
C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
- Mac path reference:
~/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn
If Chrome is configured with multiple accounts, the profile may live under “Profile 1”, “Profile 2”, and so on instead of “Default”. Check which Profile directory belongs to the affected account and adjust the path accordingly. It is recommended to back up the entire directory of the target extension as soon as possible so that it is available for recovery if anything goes wrong.
3. Brute Force Recovery Method: Overwrite the Local Extension Directory
If a false positive has damaged the extension, the most direct method is to copy the backed-up extension data over the corresponding local extension directory, either in place or in a fresh browser environment or on another computer, and then reopen the extension.
4. Advanced Recovery Method: Manually Decrypt Private Key Data
If the extension still cannot open or data is missing, you can attempt a more advanced recovery method, such as manually decrypting the private key data for recovery. Using MetaMask as an example:
- Search for the MetaMask extension ID on your local machine and find the following directory:
C:\Users\[User]\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
- This directory may contain .ldb and .log files, which store the encrypted private key data. You can use MetaMask’s official Vault Decryptor tool (https://metamask.github.io/vault-decryptor/) to decrypt them.
- Decryption steps: open the MetaMask Vault Decryptor tool; copy the encrypted contents from the .ldb/.log file; decrypt with the original password; once the private key is obtained, re-import the wallet.
If the MetaMask extension can still open certain pages (such as chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/home.html), you can try running the following code on that page (for example, in the browser’s developer console) to retrieve the encrypted vault data:
chrome.storage.local.get('data', result => {
  // The encrypted vault is kept under KeyringController in the extension's local storage
  const vault = result.data.KeyringController.vault;
  console.log(vault);
});
Then, copy the vault data into the MetaMask Vault Decryptor tool for decryption.
5. Write Custom Recovery Tools
If the above methods cannot recover wallet data, users can write their own scripts to extract extension data from local database files and decrypt it. Using PhantomKeyRetriever as a template, the underlying principles and implementation for developing recovery tools for different wallets are as follows:
Wallet extensions typically store sensitive data in local databases or files. Browser extension wallets (such as Phantom, MetaMask, etc.) use the browser’s storage API to keep encrypted data in the local storage area, typically backed by LevelDB or IndexedDB. Regardless of the wallet type, a key principle is that the data is always stored in encrypted form, so that even if it is copied, it cannot be accessed without the correct password.
Most cryptocurrency wallets use a multi-layer encryption architecture for enhanced security. The user’s master password is used to encrypt an intermediate key (often called the “encryption key” or “decryption key”). This intermediate key is then used to encrypt the actual private key or mnemonic phrase. This design ensures that even if the wallet application’s code is tampered with, the attacker would still need the user’s password to obtain the private key. This multi-layer design also allows the wallet application to only decrypt the intermediate key after the user logs in, without requiring the master password for every operation.
The process of writing a wallet recovery tool typically includes:
- Locating and extracting encrypted data (reading from LevelDB/IndexedDB).
- Analyzing the data structure to identify encrypted private keys/mnemonics.
- Prompting the user for their wallet password and calculating the decryption key using a KDF (such as PBKDF2 or Scrypt).
- Decrypting the intermediate key, and then decrypting the private key/mnemonic.
This process requires precise knowledge of the wallet’s encryption scheme and data storage format, which often requires reverse engineering or analyzing the wallet’s open-source code.
PhantomKeyRetriever is a script designed to extract Phantom wallet mnemonic phrases or private keys from Chrome browser data. SlowMist has open-sourced this tool on GitHub (https://github.com/slowmist/PhantomKeyRetriever), and its core principles are as follows:
- Read Chrome LevelDB database and copy relevant data to a temporary directory.
- Traverse the database to find the encrypted keys and wallet seed information stored by Phantom.
- The user inputs the Phantom password, and the script uses PBKDF2/Scrypt to calculate the decryption key.
- Decrypt the wallet vault data, extract BIP39 mnemonics or Base58 private keys.
During this dual decryption process, the script supports both PBKDF2 and Scrypt key derivation functions, and uses the NaCl library’s SecretBox for secure decryption. Ultimately, based on the decrypted data type, the script will generate BIP39 standard mnemonics or extract the Base58-encoded private key.
Note: Other browsers that support extension wallets (such as Edge and Firefox) follow similar principles, which are not elaborated here.
How to Prevent It?
To reduce the risk of false positives, users can take the following precautions:
- Regularly back up important files and browser extension data so that they can quickly recover in case of a false positive.
- Manually add trust rules in the antivirus software. For important software or extensions (such as MetaMask), you can manually add them to the trusted list to prevent false positives.
- Download software from official channels to avoid installing unofficial or modified versions of applications, which may increase the likelihood of being flagged by antivirus software as a potential risk.
Conclusion
The fight against threats is always a dynamic process, and security strategies must constantly be adjusted. Installing antivirus software is important, but ultimately, users are the last line of defense for their assets. When encountering false positives, users should remain calm and avoid deleting critical files directly, and instead adopt appropriate recovery measures. Only by mastering the right security knowledge can users truly protect their data security.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.