As you probably know, you reach the web through web browser software such as Chrome or Firefox. Inside that software, browser extensions are small add-ons that do convenient things for you, like blocking advertisements, saving passwords, or managing your crypto funds through a handy wallet. MetaMask is, by far, the most widely used crypto browser extension, but there are many others tied to the industry, from security features to trading features.
Extensions work for almost anything, and they offer benefits beyond what we could get without installing them in our web browser. As of April 2025,
But that convenience can come at a high price.
General Risks
Anyone can build a new extension and apply to publish it in the official stores, or distribute it some other way. That is how cybercriminals find their victims. Extensions linked to criminal groups have been used to steal cryptocurrencies, hijack social media accounts, and track users. Researchers have found these tools disguised as legitimate add-ons, looking harmless right up until they do damage.
On top of that, ordinary extensions request a lot of permissions. These include things like modifying every website, controlling its interface, or injecting arbitrary code. With such intrusive permissions granted to all extensions, every piece is, by design, spyware, with the vast majority of them being well-intentioned spyware. If the extension is malware, it can capture keystrokes to steal passwords, inject advertisements, or even swap cryptocurrency addresses during transactions.
Attackers also distribute fake versions of popular extensions (there have been fake versions of MetaMask, for example), tricking users into installing software that steals data - or funds. And a legitimate extension can turn malicious if it passes to a new owner who adds malicious code.
Although extension stores do screen for threats, determined actors still find ways through. Some extensions have stayed listed for years before being removed, affecting millions of users. Others distribute malicious add-ons outside these stores, bundled with pirated content or served from phishing sites. In such a landscape, the solution is not only technical; it is also a matter of awareness, both in the financial industry and among the public.
Notable Incidents
In 2023 alone, numerous malicious Chrome extensions were uncovered by the cybersecurity firm
These worked through various covert techniques, including loading
Other extensions focused on hijacking online accounts. Fake ChatGPT plugins such as "ChatGPT for Google" and "Quick Access to Chat GPT" stole business Facebook accounts by harvesting session cookies. The attackers then used the stolen accounts to promote their own malware, ensuring it kept spreading. Meanwhile, Roblox users were targeted by extensions such as SearchBlox, RoFinder, and RoTracker, which stole in-game assets.
Overall, more than 87 million downloads of malicious extensions were recorded. All of these tools were disguised as everyday utilities, such as PDF converters and ad blockers, to fool unsuspecting users. Despite user complaints, some stayed on the Chrome Web Store for years until security researchers and online communities pressured Google to act. This shows the limits of the Chrome Web Store's security screening.
The Cyberhaven Case
People generally believe that if they are careful online, they can be sure they will never fall for a cybercriminal's tricks. That is not always the case, though. Sometimes you can install a perfectly good browser extension and discover years later that the company behind it was compromised, and its extension modified to steal data and funds. This is what happened to users
Cyberhaven's trouble started when one of its employees received a phishing email. The message claimed that the company's browser extension had violated Google's policies and demanded immediate action. The employee granted access to an OAuth application controlled by the attackers, which let them take over Cyberhaven's Chrome Web Store account. With this access, the attackers uploaded a malicious version of the extension, which Chrome then automatically distributed to users through its update mechanism.
The modified extension contained code that connected to a remote server, received commands, and monitored user activity. Browser cookies and passwords were among the data harvested from millions of devices. The malicious version was live for about 31 hours before it was replaced, but other compromised extensions and their malware variants stayed available for a month, leaving users exposed to serious security risks.
The same could happen to any extension - its developer account compromised and a new, malicious version of a previously legitimate extension pushed to its users through the browser's own auto-update mechanism, without users noticing a thing.
Protection
Given the above, we recommend:
- If you don't use an extension much, remove it.
- If you won't use an extension for a while, disable it. Enable it only when you need it.
- If a useful tool offers a version outside the browser (an app, for example), consider that version instead. Standalone applications come with their own considerations.
- Install and maintain security tools (antivirus, firewall, etc.) on your devices.
- Before installing any software, research the developer, the reviews, and the privacy policy. Also look at its ratings and how long it has been available, so you can choose a trustworthy version.
- Only install common tools from official sources.
- Always review the permissions each extension requests, and restrict each one as far as you can.
- Watch your clipboard when pasting wallet addresses, looking for unexpected changes. Some extensions can act as clipper malware. With Obyte, you can avoid using addresses entirely by sending funds through textcoins or attestations.
- Strengthen your account security by enabling 2-factor authentication (2FA). In Obyte wallets, this is done by creating a multidevice account in Global Settings.
- Keep your main assets out of the digital world, and choose wallets outside the browser. The Obyte wallet, for example, is available on mobile and desktop, and you can keep your wallet seed safe by writing it down carefully.
- Regularly check reliable sources for updates about new security threats and developments in the crypto space!
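The permissions point above (and the earlier observation that every extension is "spyware by design") is easiest to act on with a quick audit of what your installed extensions actually ask for. The following is an added example, not code from the original article or from any extension vendor: it parses Chrome-style manifest.json files and flags the grants that let an extension read every page, read session cookies, rewrite the clipboard, or inject scripts. The RISKY table and SAMPLE_MANIFEST are constructed for illustration; the Linux profile path in the docstring is where Chrome normally keeps unpacked extensions.

```python
import json
import os
# Grants that let an extension read or alter user data broadly; the reasons are my own notes.
RISKY = {
    "<all_urls>": "read and modify every page you visit",
    "cookies": "read session cookies, enabling account hijacking",
    "clipboardWrite": "rewrite the clipboard (wallet-address clipping)",
    "scripting": "inject scripts into pages",
}
def _matches_all_hosts(pattern: str) -> bool:
    """True for host patterns such as *://*/* or https://*/* that cover every site."""
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"

def audit_manifest(manifest: dict) -> list[tuple[str, str]]:
    """Return (grant, reason) pairs for every intrusive grant in one manifest.json."""
    requested = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested += manifest.get(key, [])
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    findings = []
    for grant in requested:
        if grant in RISKY:
            findings.append((grant, RISKY[grant]))
        elif _matches_all_hosts(grant):
            findings.append((grant, RISKY["<all_urls>"]))
    return findings

def scan_profile(extensions_dir: str) -> dict[str, list[tuple[str, str]]]:
    """Audit <id>/<version>/manifest.json under a profile's Extensions folder
    (on Linux, for example, ~/.config/google-chrome/Default/Extensions)."""
    report = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    report[f"{ext_id}@{version}"] = audit_manifest(json.load(fh))
    return report
# Constructed sample (not a real extension): an "ad blocker" asking for far more than it needs.
SAMPLE_MANIFEST = {"name": "Example Ad Blocker", "version": "1.2.0", "manifest_version": 3,
                   "permissions": ["storage", "cookies", "clipboardWrite", "scripting"],
                   "host_permissions": ["<all_urls>"],
                   "content_scripts": [{"matches": ["https://*/*"], "js": ["content.js"]}]}
```

Run `scan_profile` against your own Extensions folder and treat any extension that reports several findings as a candidate for the "remove it" or "disable it" steps above.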