A malicious Firefox add-on named “Safepal Wallet” scammed users by stealing cryptocurrency from their wallets and lived on the Mozilla add-ons store for seven months.
Safepal is a cryptocurrency wallet application that could securely hold more than 10,000 types of assets, including Bitcoin, Ethereum, and Litecoin.
Although the malicious browser add-on has been taken down, the phishing website set up by the threat actors is still up.
The add-on page for ‘Safepal Wallet’ had been up since at least February 16th, 2021. On the same page, the 235 KB add-on touts itself as a Safepal application that securely “saves private key locally,” along with convincing product images and marketing materials.
In order to publish an add-on on Mozilla’s website, developers must follow a submission process that states submitted add-ons are “subject to review by Mozilla at any time.”
According to a spokesperson at Mozilla, their recent focus has been on limiting the damage malicious extensions can do, helping users discover Recommended Extensions that they vet and monitor, helping users understand the risks that come with installing extensions, and making it easier for users to report potentially malicious extensions to them.
When the company becomes aware of add-ons that pose a risk to security and privacy, it takes steps to prevent them from running in Firefox. So as soon as Mozilla became aware of potential abuse by this extension, it blocked the extension and removed it from the Firefox Add-on store.
Mozilla additionally recommends the following steps for assessing the safety of any browser extension:
- Ask yourself whether the extension is from a brand or developer that can be trusted. Does the brand or developer’s official website link to an extension?
- Check to see if the developer’s website, blog, or social media activity is consistent with features of the extension.
- Check how many other users have installed the extension and whether it has a good star rating and positive reviews.