Rabby Wallet Chrome Extension Basic Security Analysis

This post was written by /u/RoofTopPortaPotty in the ETHFinance Subreddit and then I reposted it here without permission.
This is the first installment of my series of posts regarding the privacy of various Chrome browser crypto wallet extensions. Please bear with me as I attempt to navigate formatting a Reddit comment. I might create a separate blog, and post links if this looks too ugly. (You’re welcome)
My approach
I will attempt to sort my findings by: the ok, the bad, the ugly, and the weird. Using Kali Linux, I downloaded Google Chrome directly from google.com/chrome. Analysis of encrypted traffic was completed using BurpSuite + the provided root cert, installed in chrome’s local cert repo. Chrome is then launched with a proxy set to Burp’s listening port. The Rabby extension was downloaded from https://chrome.google.com/webstore/detail/rabby/acmacodkjbdgmoleebolmdjonilkdbch
Rabby does a few things every time you start up chrome.
The OK

It makes a request to static.debank.com to request an updated list of phishing websites.
The Bad

See that value parameter sent to festats.debank.com? Who knows what that is. It may just be Debank’s way of identifying Rabby. Well this can be tested by simply reinstalling Rabby.

Seems very much like a way of tracking you! Ok, so what happens when we try connecting Rabby to a dApp?
Let's try Synthetix

Well, it worked at least. There you see the name of the dApp I’m using being sent to o460488.ingest.sentry.io. The ‘o460488‘ is the identifier for either Rabby or Debank’s account with sentry’s data collection service. More on that at my Reddit post which may be considered the first unofficial post of this series. Is there really a need for the company that develops your wallet to be keeping track of what services you use?
The Ugly

Rabby is willing to use the absolute bottom of the barrel advertisers to track you. Notice the ‘Origin’ header in the HTTP request? That value is Rabby’s extension identifier, so this is surely not default Chrome behavior.
The Weird

This POST request to matomo.debank.com is quite strange, considering it has no POST body and a number of GET-type parameters set. See the field 'url='? Look to the right side of the photo. The identifier Chrome uses for this extension was turned into a website. When I completed creating a new seed phrase, this request was sent to the endpoint '/popup/import/success', which is exceptionally odd behavior.
Looking at this from an offensive perspective, this looks like it may be vulnerable to an Open Redirect. I did not test this as I’m not willing to push any legal boundaries. However, an attacker may be able to craft a malicious URL which redirects a victim to their phishing/exploitation website. I hope I explained this in a way that makes sense… There were more requests than this sent. However, I need to keep my research more cursory if I am to cover numerous extensions.
Stay safe out there.
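The triage the post does by hand over screenshots, as an added Python example that is not code from the original post or from Rabby/DeBank: it reads a HAR export (the format Chrome's DevTools can save), labels each request's destination with the post's own categories, checks whether the Origin header is the extension's, and flags a query parameter that carries the extension's own page URL. The HAR entries, paths and parameter values are constructed placeholders; only the extension id (from the Web Store URL above) and the host names come from the post.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Extension id taken from the Chrome Web Store URL in the post.
EXT_ORIGIN = "chrome-extension://acmacodkjbdgmoleebolmdjonilkdbch"

# Hosts named in the post, labelled with the post's own categories.
HOST_LABELS = {
    "static.debank.com": "ok: phishing-list update",
    "festats.debank.com": "bad: usage statistics",
    "ingest.sentry.io": "bad: Sentry telemetry",
    "matomo.debank.com": "weird: Matomo analytics",
}

def label_host(host):
    """Match a host (or any subdomain of it) against the known list."""
    for known, label in HOST_LABELS.items():
        if host == known or host.endswith("." + known):
            return label
    return "unknown"

def analyse_entry(entry):
    """Summarise one HAR entry: destination, whether the extension's own
    Origin header is present, and whether a 'url' parameter leaks the
    extension page being viewed (the Matomo pattern the post describes)."""
    req = entry["request"]
    parts = urlsplit(req["url"])
    headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "host": parts.hostname,
        "label": label_host(parts.hostname),
        "from_extension": headers.get("origin") == EXT_ORIGIN,
        "leaks_ext_page": params.get("url", "").startswith(EXT_ORIGIN),
        "params": sorted(params),
    }

def analyse_har(har_text):
    """Return one summary dict per entry in a HAR document (JSON text)."""
    return [analyse_entry(e) for e in json.loads(har_text)["log"]["entries"]]

# Constructed sample in HAR shape (not captured traffic); values are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://static.debank.com/phishing-list.json",
                 "headers": [{"name": "Origin", "value": EXT_ORIGIN}]}},
    {"request": {"method": "GET", "url": "https://festats.debank.com/?value=PLACEHOLDER",
                 "headers": [{"name": "Origin", "value": EXT_ORIGIN}]}},
    {"request": {"method": "POST", "headers": [], "url": "https://matomo.debank.com/"
                 "matomo.php?rec=1&url=" + EXT_ORIGIN + "/popup/import/success"}},
]}})

if __name__ == "__main__":
    for row in analyse_har(SAMPLE_HAR):
        print(row)
```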