Original | Odaily Planet Daily

Author | Loopy Lu

Last weekend, a product that seemed far removed from the crypto world came into the community's view. BitBrowser, a tool commonly used for running many accounts at once ("multi-opening") and for "group control", was at the centre of a large-scale wallet theft, with losses reaching hundreds of thousands of dollars.

Before that, random number generators, smart contract programming languages and iOS/Android system risks had all caused large-scale security incidents. As the crypto world matures and grows more complex, the security picture becomes more daunting, and risks quietly appear in places that are hard for people to notice...

What is BitBrowser?

For most crypto users, the product name "BitBrowser" may be unfamiliar.

Its full name is "Bit Fingerprint Browser". According to its official website, the product's main function is environment simulation, similar to a "sandbox": each window can present a different user fingerprint, including IP address, device information and browser information.

This set of functions serves one goal: to simulate multiple users so that each "user" has its own independent identity. The browser even provides a group-control function for operating many windows at once.

The target market of BitBrowser is mainly cross-border e-commerce (Amazon, Shopee, etc.) and social media operations (Facebook, TikTok, etc.). The slogan on its official website reads "one BitBrowser can easily manage your cross-border business."

Although the product was not designed for crypto users, its features fit the needs of airdrop farmers (the "wool party" or "LuMao" community, who run many wallets to qualify for airdrops) exactly. As a result, a large number of them used the product.

There are many different opinions on the cause of the theft

Recently, a group of members of the "LuMao" (airdrop-farming) community found that their farming wallets had been drained. After investigating on their own, the victims all concluded that the theft was caused by their use of BitBrowser, and that the direct cause was leakage of the private keys.

BitBrowser's official account responded immediately in the community: some versions of WPS for Windows have a remote code execution vulnerability, which attackers can exploit to run arbitrary code on the victim's host and take control of it. (What does WPS have to do with BitBrowser users? BitBrowser explained that, because the vulnerability is easy to trigger, users could be attacked after clicking an unknown link.)

Because the developer is so far removed from the crypto world, this first response struck the community as absurd.

The initial response was widely circulated as a meme in the crypto community

BitBrowser's explanation failed to convince users. On August 26, BitBrowser followed up with an announcement stating that "the server cache data was hacked. Users who have enabled the 'Extended Data Synchronization' function are at risk of having their wallets stolen. It is recommended to transfer wallet assets."

Who is responsible for the security incident?

At the beginning of the incident, there were many different opinions about the cause of the theft.

The MetaMask extension that most of us use does not store the private key in plaintext; the vault is encrypted under the user's unlock password. So a hacker cannot take control of the user's assets with the local cache data alone.

When moving a wallet between devices, besides the commonly used "Export" function there is a less-used "Backup" function.

MetaMask's "Backup" feature

Note that the "backup" MetaMask provides is completely different from exporting the private key or seed phrase. A backup produces a JSON file, also called a keystore, which is the encrypted form of the key. (Note from Odaily Planet Daily: put simply, private key = seed phrase = control of the wallet = keystore + password.)

The extension's local cache data is of the same nature: encrypted, and useless without the password. So how was the user's wallet stolen?

After two days of analysis by all parties, the cause was finally established. The hacker obtained users' extended cache by breaking into the server. (Note from Odaily Planet Daily: at this point the hacker held the wallet's local data but still could not unlock it.) The hacker then recovered wallet passwords offline by "credential stuffing", trying passwords leaked from common web platforms against each vault, and so gained control of the wallets.

Server records show that the server storing the extended cache was downloaded from in early August (the latest log entry is dated August 2), and several IP addresses have been identified, all of them overseas except one in Jiangsu. According to community members, the case has been accepted by the Changping Branch of the Beijing Public Security Bureau.

However, when we reviewed this incident, we found it hard to apportion responsibility among the parties.

The first risk point is leakage of the cache data.

Some users asked why the cached data was not encrypted. BitBrowser pointed out that the "extended data" is encrypted in transit when synchronized. However, if the software's main executable is reverse-engineered, an attacker may be able to recover the extended data from what the server holds.

Still, the cache data alone does not yield the user's assets; only "cache data + password" gives control of the wallet. It is common for users to reuse one password across many accounts, and passwords for everyday Web2 sites leak regularly. A hacker who obtains a user's passwords from other Web2 sites can try them against the user's Web3 wallet, a technique known as credential stuffing (the community calls it "collision").

Brute force is also a possibility. The space of possible unlock passwords is far smaller than that of private keys, so brute-forcing the unlock password is entirely feasible. A limit on failed attempts in the wallet UI does not help here: the attacker works offline against a copied file, so the only brake on guessing is the cost of the key derivation function that turns the password into the decryption key.

From the user's perspective, BitBrowser took the extension's cache data off the machine and ultimately caused the leak, for which it bears unavoidable responsibility. But the failure to protect the wallet's unlock password also reflects the long-term deterioration of the broader security environment: passwords reused across sites and leaked from them.

Alternative infrastructure

As for the developer, we do not know where the "Bit" in "Bit Fingerprint Browser" comes from, but one thing is clear: this product was not built for the crypto world; it just happens to meet crypto users' needs.

The more complex a system is, the more potential risk points it has, and any single point of failure can open the door to an intrusion.

Recall the early days of crypto, when people used only the most basic Bitcoin wallets. There was no DeFi, no cross-chain bridging and no other interactive links. As long as you kept your private key safe, you were safe enough.

Now, off-chain auxiliary tools and on-chain fund pools add extra risk. Products like BitBrowser are becoming a new kind of "alternative infrastructure" for the crypto world, and a large number of "non-crypto" security risks are endangering it:

  • On August 21, hackers stole 3.13 million USDT. Security researchers believe the theft happened because the victim's Android photo gallery was compromised, giving the attacker a screenshot of the user's private key.

  • In early August, a huge sum was stolen from Curve. Analysis at the time found no problem with the Curve contracts themselves; the theft was caused by a bug in the Vyper compiler in which the contracts were written. The alETH, pETH, msETH and CRV/ETH pools were exploited as a result.

  • In May, Apple ID's sync function caused a theft of more than 10 million US dollars. Many users buy or borrow other people's US Apple IDs. The account owner can sync the wallet's local data to their own device and, after cracking the wallet's unlock password, gain control of the wallet. This is exactly the same pattern as the BitBrowser theft.

  • On the developer side, the situation is more complicated. In last year's Solana wallet theft, the risk point lay in code involved in the underlying seed phrase generation.

As the crypto world grows more complex, more tools, software and services that people find hard to scrutinize will be pulled into it, and the risks will grow with them.

Odaily Planet Daily reminds you: do not hand your wallet's local data to others, and do not over-authorize. Because these risks are hidden, be cautious about storing private keys or seed phrases electronically, and do not install too much unknown software on computers you frequently use for crypto operations.

Related Reading

"Hacking incidents occur frequently, please accept this Crypto theft prevention guide"