Binance has introduced a beta version of its new wallet browser extension. The feature allows users to manage their crypto assets directly through the Chrome browser. But is it fully secure?
Summary
- Binance launched a new Chrome browser extension for the crypto exchange’s wallet, which splits the access key into three separate shares.
- Hackers often create fake browser extensions and websites to infiltrate traders’ devices and gain access to crypto wallets.
On August 26, Binance introduced a beta version of a feature that enables users to manage their crypto assets and interact with dApps and other web3 features directly from a web browser. The extension employs keyless multi-party computation (MPC) technology, which eliminates the need for a single, traditional private key.
Instead of one long private key, MPC splits it into multiple fragments, or “shares,” which are stored by different parties or devices. In the case of this browser extension, the technology will generate three separately stored key shares, eliminating a single point of access.
Users can log into their account and unlock the keyless browser feature by scanning a QR code provided by the system. Alternatively, users also have the option to import existing wallets using a seed phrase or private key. The extension will then put all the existing wallets into one place.
In addition, the extension allows users to connect dApps and manage assets across multiple chains. First-time users are required to set a password to activate the extension in the browser. At the moment, the extension is only available on Google Chrome. The exchange claims that more browser support will be added in the future.
According to the notice, sessions automatically expire within 24 hours of inactivity, with a maximum login duration of 48 hours. However, this is subject to change as the exchange prepares to roll out more adjustments after the beta version.
What are the possible safety risks to Binance’s keyless MPC browser extension?
Although keyless MPC does reduce major risks by splitting the private key into three shards, it also opens up a new attack surface. This is mostly related to the browser extension and the device login flow.
Hackers are getting smarter, with many of them trying to find a loophole to gain access to traders’ crypto wallets. Many of them have launched full-scale campaigns targeting crypto traders, such as using malware hidden in websites and browser extensions masquerading as major crypto exchanges.
Binance was one of the crypto exchanges that bad actors used as a front to lure in crypto traders looking to set up accounts. Those traders unknowingly end up on a fake Binance site that steals user data and infiltrates their device. The same can be said for users who download a fake Chrome extension that offers a login QR code, believing it to be from Binance when it isn’t.
Another point of access that hackers could exploit comes from the browser extension itself being hijacked. If the extension has broad host permissions or content scripts, a malicious update could read pages, inject requests, or trick traders into approving transactions.
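The check below is an added example, not code from Binance or from the original article: it audits a Chrome extension manifest for site-wide host permissions and content scripts, and reports broad access that an update introduces. The manifests `v1` and `v2` and the `wallet.example` domain are constructed samples, and the function names are hypothetical.

```javascript
// Added example (not Binance's code): audit a Chrome extension manifest for
// site-wide access. The manifests at the bottom are constructed samples.
const BROAD = new Set(["<all_urls>", "*://*/*"]);

// True when a match pattern covers every host, e.g. https://*/* or <all_urls>.
function isBroad(pattern) {
  if (BROAD.has(pattern)) return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Returns one finding per broad host permission or content-script match.
function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 listed host patterns under "permissions"; V3 uses host_permissions.
  const hostKeys = ["host_permissions", "optional_host_permissions", "permissions"];
  for (const key of hostKeys) {
    for (const p of manifest[key] || []) {
      if (isBroad(p)) findings.push(`${key}: ${p}`);
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) {
      if (isBroad(p)) findings.push(`content_scripts: ${p}`);
    }
  }
  return findings;
}

// Findings present in the updated manifest but not in the previous one.
function newBroadAccess(previous, updated) {
  const before = new Set(auditManifest(previous));
  return auditManifest(updated).filter((f) => !before.has(f));
}

// Constructed sample: a narrowly scoped release, then an update that widens access.
const v1 = {
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://*.wallet.example/*"],
  content_scripts: [{ matches: ["https://app.wallet.example/*"], js: ["inject.js"] }],
};
const v2 = {
  ...v1,
  host_permissions: ["https://*.wallet.example/*", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};

console.log(auditManifest(v1));
console.log(newBroadAccess(v1, v2));
```

Running the same comparison on the `manifest.json` of an installed extension before and after an update shows whether the new version gained access to every site.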
If the browser or device is already infected by malware, then bad actors can easily intercept requests and gain access to the wallet’s seed phrase if the save password option is enabled. If users choose to import existing wallets through the extension, hackers may be able to access all the wallets in one place.
Users can mitigate these risks by making sure the downloaded Chrome extension is the official one issued by Binance. Moreover, users should always verify that the QR code and site origin are correct before proceeding to scan the code.
Source: https://crypto.news/binance-debuts-keyless-browser-extension-is-it-safe/