Private Keys May Be Exposed via Tampered SwitchyOmega Chrome Proxy-Switching Extension – Report

Blockchain security firm SlowMist released a detailed report on a tampered build of SwitchyOmega, a widely used Chrome proxy-switching extension, warning that the malicious version was built to steal users’ private keys.

The report from SlowMist unveils a tampering incident that compromised user security, traces its origins, and offers actionable steps to mitigate risks.

With over 500,000 users potentially affected, this case underscores the persistent dangers of malicious browser extensions.

SlowMist’s investigation traces the issue back to December 24, 2024, when a Cyberhaven employee fell prey to a phishing email.

The email, masquerading as a Google policy violation notice, tricked the employee into authorizing a fraudulent OAuth application named “Privacy Policy Extension.”

This granted attackers access to Cyberhaven’s Chrome Web Store developer account, which they used to publish a malicious build of Cyberhaven’s own extension; the same campaign tampered with other extensions, among them SwitchyOmega version 3 (V3).

The compromised code was designed to harvest sensitive data—browser cookies, passwords, and, critically, cryptocurrency wallet private keys—uploading it to an attacker-controlled server.

SlowMist notes that this wasn’t an isolated event; similar warnings about SwitchyOmega surfaced in 2024, yet many users continued using outdated or tampered versions, amplifying the risk of account takeovers.

The report situates this incident within a larger trend of extension tampering.

An independent investigation by Booz Allen Hamilton, referenced by SlowMist, revealed that over 30 Chrome Web Store extensions, including SwitchyOmega V3, had been similarly compromised.

The attackers exploited an inherent risk of OAuth: the consent grant gave their application a token with the developer account’s Chrome Web Store publishing scope, so they could upload a new extension version without ever learning the employee’s password or passing MFA.

This breach began with a phishing email that leveraged urgency and legitimacy to deceive its target, a tactic SlowMist warns is increasingly common.

In Cyberhaven’s case the tampered extension was pushed as version 24.10.4 and delivered silently through Chrome’s auto-update mechanism, so users received the malicious payload without taking any action.

SlowMist’s analysis reveals how the malicious code operated.

Unlike the official SwitchyOmega V2, which is being phased out by Chrome’s deprecation of Manifest V2 extensions, the V3 version was published under a different extension ID and a different developer, raising questions about its legitimacy.

Whether this stemmed from a hacked account or intentional malice remains unclear.

The code targeted cryptocurrency users, extracting their private keys and mnemonic phrases—crucial for wallet access—posing a direct threat to digital assets.

With SwitchyOmega’s extensive user base, the potential scale of financial loss is staggering, echoing past incidents like the 2021 Anyswap protocol breach, in which reused ECDSA signature nonces allowed the signing key to be recovered.

SlowMist emphasizes proactive prevention. Users should verify the ID of each installed extension against the official Chrome Web Store listing (e.g., the legitimate V2 ID) and immediately remove or update any extension whose ID does not match.

The firm advises installing only from trusted sources like the Chrome Web Store, avoiding third-party sites, and scrutinizing permissions during installation. Even a reputable source can distribute a malicious build, as this incident shows, so installing from the store is not by itself a guarantee of safety.

Regular audits of installed extensions (their IDs, versions, and requested permissions), together with endpoint protection software, are recommended to detect anomalies.
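The audit SlowMist recommends can be scripted. The following is an added example, not code from the SlowMist report or from the SwitchyOmega project: it walks a Chrome profile’s Extensions directory (Chrome stores each installed extension as <profile>/Extensions/<extension ID>/<version>_0/manifest.json), flags any extension whose name matches a known product but whose ID differs from the expected store ID, and flags manifests that request permissions giving access to cookies or every site. The KNOWN_GOOD table is an assumption: the ID listed there is what I believe to be the official Proxy SwitchyOmega listing, and the reader should confirm it from the store URL before relying on it. The sample profile is constructed inline so the script runs offline.

```python
"""Audit installed Chrome extensions against an allowlist of expected store IDs.

Added example for illustration; not SlowMist's or SwitchyOmega's own code.
"""
import json
import tempfile
from pathlib import Path

# ASSUMPTION: name fragment (lower-case) -> expected Chrome Web Store extension ID.
# Verify each ID against the store listing URL before relying on it.
KNOWN_GOOD = {
    "switchyomega": "padekgcemlokbadohgkifijomclgjgif",  # Proxy SwitchyOmega (V2)
}

# Permissions that let an extension read cookies, pages, or the clipboard.
# Many legitimate extensions request some of these; a hit means "review", not "malicious".
HIGH_RISK_PERMISSIONS = {"cookies", "debugger", "clipboardRead", "history", "<all_urls>"}

# Extensions installed from the Chrome Web Store update from this host.
STORE_UPDATE_PREFIX = "https://clients2.google.com/"


def audit_manifest(ext_id: str, manifest: dict, known_good: dict = KNOWN_GOOD) -> list:
    """Return a list of human-readable findings for one extension manifest."""
    findings = []
    # Note: localized names appear as "__MSG_xxx__" and would need a _locales lookup.
    name = str(manifest.get("name", "")).lower()
    for fragment, official_id in known_good.items():
        if fragment in name and ext_id != official_id:
            findings.append(
                f"name matches '{fragment}' but ID {ext_id} is not the expected {official_id}")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("requests high-risk permissions: " + ", ".join(risky))
    update_url = manifest.get("update_url")
    if update_url and not update_url.startswith(STORE_UPDATE_PREFIX):
        findings.append(f"update_url points outside the Chrome Web Store: {update_url}")
    return findings


def audit_profile(extensions_dir: Path, known_good: dict = KNOWN_GOOD) -> dict:
    """Walk <profile>/Extensions and return {"<id>@<version dir>": [findings]} for flagged ones."""
    report = {}
    for ext_dir in sorted(p for p in extensions_dir.iterdir() if p.is_dir()):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            findings = audit_manifest(ext_dir.name, manifest, known_good)
            if findings:
                report[f"{ext_dir.name}@{manifest_path.parent.name}"] = findings
    return report


# CONSTRUCTED sample profile: one install under the expected ID, one look-alike under a
# different ID that asks for cookies and all sites, and one unrelated extension.
SAMPLE_EXTENSIONS = {
    "padekgcemlokbadohgkifijomclgjgif/2.5.21_0": {
        "name": "Proxy SwitchyOmega", "version": "2.5.21",
        "permissions": ["proxy", "webRequest", "storage"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/3.1.0_0": {
        "name": "Proxy SwitchyOmega 3 (V3)", "version": "3.1.0",
        "permissions": ["proxy", "cookies", "webRequest"],
        "host_permissions": ["<all_urls>"],
        "update_url": "https://example.invalid/update.xml"},
    "cccccccccccccccccccccccccccccccc/1.0.0_0": {
        "name": "Dark Mode", "version": "1.0.0", "permissions": ["storage"]},
}


def build_sample_profile(root: Path) -> Path:
    """Write the constructed manifests in Chrome's on-disk layout and return Extensions/."""
    ext_root = root / "Extensions"
    for rel, manifest in SAMPLE_EXTENSIONS.items():
        d = ext_root / rel
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


def demo() -> dict:
    """Audit the constructed profile; only the look-alike should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    # For a real audit, point audit_profile at e.g. ~/.config/google-chrome/Default/Extensions
    for ext, findings in demo().items():
        print(ext)
        for f in findings:
            print("  -", f)
```

On a real machine, pass the profile’s Extensions directory to audit_profile and review every reported entry by hand; the ID mismatch is the decisive signal for the SwitchyOmega case, while the permission findings only tell you where to look.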

For developers, SlowMist suggests tighter OAuth hygiene (reviewing and revoking third-party app grants on publishing accounts) and supply chain safeguards around the release process to prevent such compromises.

The SwitchyOmega incident, as detailed by SlowMist, is a stark reminder of browser extensions’ dual nature: convenient, yet able to read everything the browser sees, so that a single tampered build leaks whatever users have entrusted to it.

As cyber threats evolve, user vigilance and developer accountability are critical to safeguarding the digital ecosystem, particularly for cryptocurrency holders.

The report urges immediate action to close these gaps before more users fall victim. Attacks of this kind have grown more sophisticated in recent years and have caused large losses, so it is worth checking an extension’s ID and permissions before installing it rather than trusting its name alone.
