SwitchyOmega Exposed for Stealing Private Keys: How to Protect Against Plugin Tampering?

SlowMist

Authors: Lisa & Reborn
Editor: Liz

Recently, users have reported that Proxy SwitchyOmega, a well-known Chrome proxy-switching extension, puts their private keys at risk of theft.

Upon analysis, this security issue is not new. Similar warnings were issued as early as last year, but some users may have overlooked them and kept running the compromised version, exposing themselves to private key leaks and account takeovers. This article reviews the plugin-tampering incident behind those warnings and discusses how to prevent and mitigate the risks posed by malicious extensions.

Incident Review

The first public disclosure came from Cyberhaven's own investigation of an attack on one of its employees [1]. On December 24, 2024, the employee fell for a phishing email, and the attackers used the access they gained to publish a version of the company's browser extension that carried malicious code. That code attempted to steal users' browser cookies and passwords and upload them to the attacker's server.

Cyberhaven engaged Booz Allen Hamilton for an independent investigation. Its threat intelligence report [2] found that over 30 extensions in the Google Chrome Web Store had been hit by the same campaign, including Proxy SwitchyOmega (V3).

The phishing email claimed that Cyberhaven's browser extension violated Google's Chrome Web Store policies and would be removed unless the developer acted immediately. Under that pressure, the employee followed the link and approved an OAuth consent prompt for an application named "Privacy Policy Extension".

This is the core risk of OAuth consent phishing: the attacker never needs the victim's password, and two-factor authentication on the account does not stop it, because the consent grant itself hands the attacker's application a token carrying whatever scopes the victim approved. With a scope that allows managing Chrome Web Store items, that token is enough to modify the account's extensions and upload new versions. The image below shows the phishing email used to lure the victim into the OAuth authorization.

With that token granting control over Cyberhaven's Chrome Web Store account, the attackers uploaded a new version of the extension containing malicious code. They then relied on Chrome's automatic update mechanism: affected users were silently moved to the compromised build (version 24.10.4, SHA-256 DDF8C9C72B1B1061221A597168F9BB2C2BA09D38D7B3405E1DACE37AF1587944).

The malicious build added two files. One of them, worker.js, connected to a command-and-control (C2) server, downloaded configuration data, stored it in Chrome's local storage, and registered a listener for events from the second file, content.js. Version 24.10.4 went live on December 25 at 01:32 UTC and was taken down on December 26 at 02:50 UTC, so it was available for roughly 25 hours. Any Chrome browser running the extension that checked for updates during that window downloaded and installed the malicious code automatically, with no action by the user.

The Booz Allen Hamilton report found that the compromised extensions had a combined total of over 500,000 downloads from the Google Chrome Web Store and that the data of more than 2.6 million users' devices was exposed, a significant security risk. Some of the compromised extensions had remained available in the Chrome Web Store for as long as 18 months, during which affected users had little or no indication that their data was being taken.

(Affected Chrome extensions list and user statistics [3])

Separately, the official original SwitchyOmega [4] is a Manifest V2 extension. Because the Chrome Web Store is phasing out Manifest V2, the original now falls into the unsupported category and will eventually stop working, which has been pushing users toward V3 replacements.

The compromised version [5] is a Manifest V3 extension published under a developer account different from the one behind the original V2 extension. It is therefore unclear whether the V3 version was ever an official release, whether an official account was hijacked to upload it, or whether its author intended harm from the start.

The SlowMist security team recommends that users compare the ID of their installed extension against the official one. The ID is the 32-letter string in the Chrome Web Store URL and is shown on chrome://extensions/ when Developer mode is enabled: the official SwitchyOmega [4] is padekgcemlokbadohgkifijomclgjgif, while the compromised "Proxy SwitchyOmega (V3)" [5] is hihblcmlaaademjlakdpicchbjnnnkbo. If an affected extension is found, update it to a known-safe version immediately or remove it entirely to reduce the risk.

How to Prevent Plugin Tampering?

Browser extensions have long been a weak link in cybersecurity. To avoid using tampered or malicious plugins, users should take security precautions in three key areas: installation, usage, and management.

1. Download Extensions Only from Official Sources

  • Always use the official Chrome Web Store and avoid third-party download links found online.
  • Do not install “cracked” or modified versions of extensions, as these often contain hidden backdoors.

2. Be Cautious of Permission Requests

  • Grant permissions carefully. Some extensions request far more access than their function requires, such as browsing history, cookies, or clipboard contents.
  • Be especially wary when an extension that is not a wallet (a proxy switcher, for example) asks to read and change data on all websites, access cookies, or read the clipboard: those permissions let it capture seed phrases and private keys typed into web pages, as well as session tokens for exchanges and other accounts.

3. Regularly Review Installed Extensions

  • Open chrome://extensions/ in Chrome's address bar to inspect all installed extensions; enable Developer mode to see each extension's ID and compare it with the ID in the official Chrome Web Store URL.
  • Pay attention to update dates. If an extension that has not been updated for a long time suddenly releases a new version, treat it as a possible sign of tampering.
  • Regularly check the developer information and permission list. If the developer has changed or new permissions appear, consider it a red flag.

4. Use MistTrack to Monitor Fund Movements and Prevent Asset Loss

  • If you suspect a private key leak, use MistTrack to monitor on-chain transactions and track fund movements in real time.
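The ID comparison recommended in the incident review and in item 3 above can be scripted. The following Python example is added here and is not SlowMist's tooling or code from any extension on this page: it derives an extension ID from a manifest "key" the way Chrome does (SHA-256 of the public key, first 128 bits, each hex digit shifted to a letter a..p), checks installed IDs against the two IDs taken from references [4] and [5], and flags sideloaded installs, repackaged copies whose key does not match their ID, and broad permissions. The profile data it scans is a constructed, simplified stand-in for the `extensions.settings` section of Chrome's Preferences file; every version and permission list in it is invented for the example and does not describe the real extensions.

```python
import base64
import hashlib
import json
from typing import Any, Dict, List

# Extension IDs taken from the Chrome Web Store URLs in references [4] and [5].
OFFICIAL_SWITCHYOMEGA_ID = "padekgcemlokbadohgkifijomclgjgif"
KNOWN_COMPROMISED_IDS = {"hihblcmlaaademjlakdpicchbjnnnkbo"}  # "Proxy SwitchyOmega (V3)"

# Permissions a plain proxy switcher has no reason to request. A content script on
# every site plus cookie access is exactly what the Cyberhaven payload needed.
BROAD_PERMISSIONS = {"cookies", "<all_urls>", "clipboardRead", "webRequest", "debugger"}


def hex_to_id_alphabet(hex_digits: str) -> str:
    """Chrome's ID encoding: hex digit 0..f becomes letter a..p."""
    return "".join(chr(ord("a") + int(c, 16)) for c in hex_digits)


def extension_id_from_key(manifest_key_b64: str) -> str:
    """Derive the extension ID from the base64 DER public key in manifest.json,
    as Chrome does: SHA-256 of the key, first 128 bits, letters a..p."""
    spki_der = base64.b64decode(manifest_key_b64)
    return hex_to_id_alphabet(hashlib.sha256(spki_der).hexdigest()[:32])


def audit_extensions(preferences: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding (id, name, version, reasons) per suspicious extension."""
    findings: List[Dict[str, Any]] = []
    settings = preferences.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons: List[str] = []
        if ext_id in KNOWN_COMPROMISED_IDS:
            reasons.append("ID matches a known compromised extension")
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        key = manifest.get("key")
        if key and extension_id_from_key(key) != ext_id:
            reasons.append("manifest key does not match the extension ID (repackaged copy)")
        requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        broad = sorted(requested & BROAD_PERMISSIONS)
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "version": manifest.get("version", "?"), "reasons": reasons})
    return findings


def load_preferences(path: str) -> Dict[str, Any]:
    """Load a real profile's Preferences (or Secure Preferences, depending on the
    platform), e.g. ~/.config/google-chrome/Default/Preferences on Linux."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample data. Only the names and IDs of the first two entries come
# from the references; versions, permissions and the third entry are invented.
_FAKE_SPKI_B64 = base64.b64encode(b"constructed placeholder, not a real RSA key").decode()

SAMPLE_PREFERENCES: Dict[str, Any] = {
    "extensions": {
        "settings": {
            OFFICIAL_SWITCHYOMEGA_ID: {
                "from_webstore": True,
                "manifest": {"name": "Proxy SwitchyOmega", "version": "0.0.1",
                             "manifest_version": 2, "permissions": ["proxy", "tabs", "storage"]},
            },
            "hihblcmlaaademjlakdpicchbjnnnkbo": {
                "from_webstore": True,
                "manifest": {"name": "Proxy SwitchyOmega (V3)", "version": "0.0.2",
                             "manifest_version": 3, "permissions": ["proxy", "storage", "cookies"],
                             "host_permissions": ["<all_urls>"]},
            },
            # A sideloaded copy whose directory ID does not match its signing key.
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": False,
                "manifest": {"name": "Proxy Switcher (repack)", "version": "0.0.3",
                             "manifest_version": 3, "key": _FAKE_SPKI_B64,
                             "permissions": ["proxy"]},
            },
        }
    }
}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFERENCES):
        print(f"{finding['id']}  {finding['name']} {finding['version']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against a real profile by replacing SAMPLE_PREFERENCES with load_preferences(path). The key check matters for sideloaded copies: a Web Store install is named by the hash of the key that signed it, so a directory whose ID does not match its manifest key was repackaged by someone other than the original publisher.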

For project teams, as the developers and maintainers of browser extensions, stricter security measures should be implemented to prevent risks such as malicious tampering, supply chain attacks, and OAuth abuse:

1. OAuth Access Control

  • Restrict which third-party OAuth applications may be granted access to organization accounts, keep authorized scopes minimal, and review and revoke existing grants regularly. A 2FA-protected account is still fully exposed once its owner approves a malicious consent prompt, so monitor OAuth consent and token logs for unfamiliar applications.
  • If OAuth is required for authentication, use short-lived access tokens with refresh tokens instead of storing high-privilege tokens for extended periods.

2. Enhance Chrome Web Store Account Security

  • The Chrome Web Store is the sole official distribution channel for extensions. If a developer account is compromised, attackers can tamper with the extension and push a malicious update to every user. Enable two-factor authentication (2FA), preferably with hardware security keys, and apply the principle of least privilege to publishing rights. Keep in mind that 2FA alone did not prevent the Cyberhaven compromise, because the attackers obtained an OAuth token rather than the password.

3. Regular Security Audits

  • Code integrity is critical for preventing unauthorized modifications. Record the hash of every build at release time, periodically verify that the version served by the Chrome Web Store matches what your pipeline produced, and conduct regular security audits of the code and its permissions.

4. Extension Monitoring

  • Beyond securing new releases, project teams should continuously monitor their extensions for signs of hijacking. If an issue is detected, immediately remove the malicious version, publish a security notice, and notify users to uninstall the compromised version.
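Items 3 and 4 above can be put into practice with a release fingerprint. The following Python example is added here and is not SlowMist's tooling or Cyberhaven's code: it pins a whole build as one SHA-256 tree hash, verifies a downloaded build against that pin, and diffs a candidate release against the last reviewed one, reporting new files, changed files, and new permissions or background entry points, which is exactly where the worker.js payload appeared in the Cyberhaven case. The two builds are constructed inline; their file names, versions and permissions are invented and do not describe any real extension.

```python
import hashlib
import json
from typing import Any, Dict, List


def tree_hash(files: Dict[str, bytes]) -> str:
    """Deterministic SHA-256 over a build: sorted paths, each path and content
    length-prefixed so that moving bytes between files changes the digest."""
    h = hashlib.sha256()
    for path in sorted(files):
        data = files[path]
        h.update(f"{len(path)}:{path}:{len(data)}:".encode())
        h.update(data)
    return h.hexdigest()


def verify_pinned(files: Dict[str, bytes], pinned_hash: str) -> bool:
    """Compare a build fetched from the store (or a user's profile) with the hash
    recorded at release time. A mismatch means the published code is not what CI built."""
    return tree_hash(files) == pinned_hash


def _manifest(files: Dict[str, bytes]) -> Dict[str, Any]:
    return json.loads(files.get("manifest.json", b"{}").decode("utf-8"))


def diff_release(baseline: Dict[str, bytes], candidate: Dict[str, bytes]) -> List[str]:
    """List what a reviewer must look at before the candidate is published or trusted."""
    findings: List[str] = []
    for path in sorted(set(candidate) - set(baseline)):
        findings.append(f"new file: {path}")
    for path in sorted(set(baseline) - set(candidate)):
        findings.append(f"removed file: {path}")
    for path in sorted(set(baseline) & set(candidate)):
        if baseline[path] != candidate[path]:
            findings.append(f"changed file: {path}")
    old, new = _manifest(baseline), _manifest(candidate)
    # Widened permissions are the first thing a hijacked release usually needs.
    for field in ("permissions", "host_permissions"):
        gained = sorted(set(new.get(field, [])) - set(old.get(field, [])))
        if gained:
            findings.append(f"manifest {field} gained: {', '.join(gained)}")
    # A new background entry point or content-script target is where injected code runs.
    for field in ("background", "content_scripts"):
        if old.get(field) != new.get(field):
            findings.append(f"manifest {field} changed: "
                            f"{json.dumps(old.get(field))} -> {json.dumps(new.get(field))}")
    return findings


# Constructed builds for the example; nothing here is taken from a real extension.
BASELINE_RELEASE: Dict[str, bytes] = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Example Extension", "version": "1.0.0",
        "permissions": ["storage"],
        "background": {"service_worker": "background.js"},
        "content_scripts": [{"matches": ["https://example.com/*"], "js": ["content.js"]}],
    }).encode(),
    "background.js": b"chrome.runtime.onInstalled.addListener(() => {});\n",
    "content.js": b"console.log('example content script');\n",
}

CANDIDATE_RELEASE: Dict[str, bytes] = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Example Extension", "version": "1.0.1",
        "permissions": ["storage", "cookies"],
        "background": {"service_worker": "worker.js"},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    }).encode(),
    "background.js": BASELINE_RELEASE["background.js"],
    "content.js": b"window.addEventListener('message', (e) => chrome.runtime.sendMessage(e.data));\n",
    "worker.js": b"// constructed stand-in for an injected background script\n",
}

if __name__ == "__main__":
    pinned = tree_hash(BASELINE_RELEASE)
    print("baseline tree hash:", pinned)
    print("candidate matches pin:", verify_pinned(CANDIDATE_RELEASE, pinned))
    for line in diff_release(BASELINE_RELEASE, CANDIDATE_RELEASE):
        print(" -", line)
```

In practice the baseline is the unpacked build your pipeline produced and signed off, and the candidate is the CRX the Chrome Web Store currently serves (or what a user's profile has installed). Run the diff on a schedule; a new background script or a permission your team did not add is the signal to pull the version and notify users.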

How to Handle a Compromised Plugin?

If a browser extension is found to contain malicious code or is suspected of being compromised, users should take the following steps to mitigate risks:

1. Immediately Remove the Plugin

  • Open the Chrome extension management page (chrome://extensions/), locate the affected plugin, and remove it. Removal also deletes the extension's local storage.
  • Then sign out of sensitive sites and clear the browser's cookies and site data: stolen session cookies remain valid until the sessions they belong to are invalidated, regardless of whether the extension is still installed.

2. Change Potentially Compromised Sensitive Information

  • Reset all saved passwords in your browser, especially for cryptocurrency exchanges and banking accounts.
  • Treat any wallet whose private key or seed phrase was typed, pasted, or stored in the browser while the extension was present as compromised: generate a new wallet on a clean device and move the assets to it.
  • Check API keys for potential leaks, revoke old ones, and generate new secure keys.

3. Scan the System for Backdoors or Malware

  • Use antivirus or anti-malware tools such as Microsoft Defender, AVG, or Malwarebytes to scan for threats.
  • Inspect the hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on macOS and Linux) to ensure it has not been modified to redirect sites to malicious servers.
  • Check browser settings, including the default search engine and homepage, as some malicious extensions alter these configurations.

4. Monitor Accounts for Suspicious Activity

  • Review login history for exchanges and banking accounts. If unfamiliar IP logins are detected, change passwords immediately and enable 2FA.
  • Check crypto wallet transactions to ensure no unauthorized transfers have occurred.
  • Inspect social media accounts for unusual activity, such as unauthorized messages or posts, and change passwords if needed.

5. Report to Authorities to Prevent Further Damage

  • If an extension is found to be compromised, report it to the original development team or submit a complaint to Google Chrome Web Store.
  • Contact SlowMist Security Team to issue an alert and warn more users about the security threat.

Browser extensions can enhance user experience, but they can also become entry points for hackers, leading to data breaches and asset losses. Therefore, while enjoying the convenience, users must remain vigilant and develop good security habits, such as carefully installing and managing extensions, regularly reviewing permissions, and promptly updating or removing suspicious extensions.

At the same time, developers and platform providers should also strengthen security measures to ensure the safety and compliance of extensions. Only through the joint efforts of users, developers, and platforms — by raising security awareness and implementing effective protection measures — can risks be truly reduced, safeguarding both data and assets.

References

[1] https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension

[2] https://cdn.prod.website-files.com/64deefeac57fbbefc32df53d/678690faf3f050d53afc810a_FINAL_Cyberhaven_Threat%20Intelligence%20Briefing%20%5B2025-01-13%5D.pdf

[3] https://www.extensiontotal.com/cyberhaven-incident-live

[4] https://chromewebstore.google.com/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif

[5] https://chromewebstore.google.com/detail/proxy-switchyomega-v3/hihblcmlaaademjlakdpicchbjnnnkbo

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
