Rabby Wallet Chrome Extension Basic Security Analysis

rabby wallet security analysis
This post was written by /u/RoofTopPortaPotty in the ETHFinance Subreddit and then I reposted it here without permission.

This is the first installment of my series of posts regarding the privacy of various Chrome browser crypto wallet extensions. Please bear with me as I attempt to navigate formatting a Reddit comment. I might create a separate blog, and post links if this looks too ugly. (You’re welcome)

My approach

I will attempt to sort my findings by: the ok, the bad, the ugly, and the weird. Using Kali Linux, I downloaded Google Chrome directly from google.com/chrome. Analysis of encrypted traffic was completed using BurpSuite + the provided root cert, installed in chrome’s local cert repo. Chrome is then launched with a proxy set to Burp’s listening port. The Rabby extension was downloaded from https://chrome.google.com/webstore/detail/rabby/acmacodkjbdgmoleebolmdjonilkdbch

Rabby does a few things every time you start up chrome.

The OK

gabby crypto wallet review

It makes a request to static.debank.com to request an updated list of phishing websites.

The Bad


See that value parameter sent to festats.debank.com? Who knows what that is. It may just be Debank’s way of identifying Rabby. Well this can be tested by simply reinstalling Rabby.

gabby chrome extension security

Seems very much like a way of tracking you! Ok, so what happens when we try connecting Rabby to a dApp?

Lets try Synthetix

gabby crypto wallet security leaks

Well, it worked at least. There you see the name of the dApp I’m using being sent to o460488.ingest.sentry.io. The ‘o460488‘ is the identifier for either Rabby or Debank’s account with sentry’s data collection service. More on that at my Reddit post which may be considered the first unofficial post of this series. Is there really a need for the company that develops your wallet to be keeping track of what services you use?

The Ugly


Rabby is willing to use the absolute bottom of the barrel advertisers to track you. Notice the ‘Origin’ header in the HTTP request? That value is Rabby’s extension identifier, so this is surely not default Chrome behavior.

The Weird


This POST request to matomo.debank.com is quite strange, considering it has no POST body and a number of GET-type parameters set. See the field 'url='? Look to the right side of the photo. The identifier Chrome uses for this extension was turned into a website. When I completed creating a new seed phrase, this request was sent to the endpoint '/popup/import/success' is exceptionally odd behavior.

Looking at this from an offensive perspective, this looks like it may be vulnerable to an Open Redirect. I did not test this as I’m not willing to push any legal boundaries. However, an attacker may be able to craft a malicious URL which redirects a victim to their phishing/exploitation website. I hope I explained this in a way that makes sense… There were more requests than this sent. However, I need to keep my research more cursory if I am to cover numerous extensions.

Stay safe out there.

Related Articles