AI Security AI安全 8h ago Updated 2h ago 更新于 2小时前 42

Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks 研究:85个加密钱包扩展程序发现地址泄露和跨站跟踪风险

KU Leuven researchers identified critical privacy flaws in 85 popular crypto wallet browser extensions affecting approximately 35 million users. Wallets frequently leak user data by bundling multiple addresses in single requests or sending rapid sequential requests, allowing servers to link distinct identities. Disconnecting from a Web3 application rarely revokes access, leaving stale permissions that enable persistent cross-site tracking via unique wallet addresses. A significant cross-site tra KU Leuven研究团队对85款主流浏览器加密钱包扩展进行安全审计,发现其设计缺陷导致用户隐私严重泄露。 钱包通过明文请求将用户多个地址关联,或通过跨站脚本在后台静默暴露地址,实现跨网站追踪。 36款钱包存在“注销无效”问题,即使断开连接或清除Cookie,网站仍可读取用户地址。 多数钱包厂商拒绝承认跨站追踪为漏洞,MetaMask等头部项目以兼容性为由维持现状。 该研究揭示了Web3生态中匿名性与浏览器扩展权限机制之间的根本性冲突。

60
Hot 热度
65
Quality 质量
55
Impact 影响力

Analysis 深度分析

TL;DR

  • KU Leuven researchers identified critical privacy flaws in 85 popular crypto wallet browser extensions affecting approximately 35 million users.
  • Wallets frequently leak user data by bundling multiple addresses in single requests or sending rapid sequential requests, allowing servers to link distinct identities.
  • Disconnecting from a Web3 application rarely revokes access, leaving stale permissions that enable persistent cross-site tracking via unique wallet addresses.
  • A significant cross-site tracking vulnerability allows third-party trackers to extract wallet addresses from previously connected sites via invisible frames, linking pseudonymous identities to real-world data.
  • Most wallet vendors dismissed these issues as non-bugs or known limitations, with only a few providers implementing fixes despite the severity of the privacy risks.

Why It Matters

This study reveals fundamental architectural failures in how crypto wallet extensions interact with the web, undermining the core promise of pseudonymity in blockchain technology. For AI and security practitioners, it highlights the dangers of trusting default behaviors in third-party browser extensions and the necessity of rigorous privacy-preserving design patterns in decentralized applications. The findings serve as a cautionary tale for the broader Web3 ecosystem, demonstrating that convenience features often come at the cost of severe user surveillance capabilities.

Technical Details

  • Address Linking Vulnerabilities: 17 out of 85 tested wallets exposed connections between user addresses. Thirteen wallets bundled multiple addresses in a single HTTP request, while four others fired separate requests within milliseconds, providing temporal correlation signals for server-side profiling.
  • Persistent Session State: 36 wallets failed to properly handle logout/disconnect commands. Even when sites sent revoke commands, 22 wallets retained access to the user's address, surviving browser restarts and cookie clears, effectively turning the wallet address into a permanent fingerprint.
  • Cross-Site Frame Injection: 23 of the 36 vulnerable wallets leaked addresses when accessed via invisible iframes from third-party trackers. This allowed malicious scripts on unrelated websites to query previously authorized wallet connections without user interaction, bridging the gap between anonymous crypto activity and real-world identities.
  • Vendor Response Analysis: Upon disclosure, major vendors like MetaMask classified the frame injection issue as a "known issue" due to backward compatibility concerns with existing dApps. Other vendors like Rabby and OKX dismissed the severity, with Rabby claiming the attack vector was "virtually impossible" and OKX labeling it informational since no funds were stolen.

Industry Insight

  • Shift from Security to Privacy Engineering: The industry must move beyond traditional security metrics (like fund theft prevention) to prioritize privacy-by-design. Wallet extensions should implement strict isolation policies, ensuring that disconnecting a site immediately purges all local state and prevents cross-origin data leakage.
  • Standardization of Revocation Protocols: There is an urgent need for standardized, enforced protocols for session revocation in Web3 interactions. Current ad-hoc implementations allow for persistent tracking; industry bodies should mandate that disconnect commands result in immediate, verifiable termination of all access rights.
  • User Education and Tooling: Given the widespread vendor reluctance to fix these issues, developers should create user-facing tools that automatically audit and revoke stale permissions. Users must be educated that "disconnecting" in a UI does not equate to cryptographic revocation, necessitating manual intervention or the use of dedicated privacy-focused browser profiles.

TL;DR

  • KU Leuven研究团队对85款主流浏览器加密钱包扩展进行安全审计,发现其设计缺陷导致用户隐私严重泄露。
  • 钱包通过明文请求将用户多个地址关联,或通过跨站脚本在后台静默暴露地址,实现跨网站追踪。
  • 36款钱包存在“注销无效”问题,即使断开连接或清除Cookie,网站仍可读取用户地址。
  • 多数钱包厂商拒绝承认跨站追踪为漏洞,MetaMask等头部项目以兼容性为由维持现状。
  • 该研究揭示了Web3生态中匿名性与浏览器扩展权限机制之间的根本性冲突。

为什么值得看

本文揭示了加密钱包作为浏览器扩展时,因过度依赖前端注入和缺乏严格的权限隔离,导致用户“匿名”身份极易被去匿名化。对于AI及网络安全从业者而言,这提供了关于前端隐私泄露、跨站追踪技术以及Web3应用安全边界的宝贵实证案例,警示了在设计涉及敏感数据的浏览器插件时需考虑的隐私保护架构。

技术解析

  • 地址关联泄露:17款钱包在查询余额时将多个地址打包或在毫秒级内连续发送请求,使服务器能通过时间戳或请求包结构将不同地址关联到同一用户,覆盖约2300万安装量。
  • 持久化指纹与注销失效:36款钱包向页面注入标识符,形成不可清除的浏览器指纹。更严重的是,22款钱包在收到网站撤销权限指令后仍允许读取地址,且该权限不受Cookie清除或浏览器重启影响,需手动在钱包设置中移除。
  • 跨站iframe追踪攻击链:23款钱包允许在iframe上下文中响应地址请求。攻击者可在普通网站加载隐蔽iframe调用已授权过的加密应用页面,从而在无用户交互的情况下获取钱包地址,进而结合邮箱/姓名实现身份映射。
  • 厂商响应差异:Coinbase Wallet和Coin98修复了跨站问题;MetaMask以破坏应用兼容性为由拒绝修复;Rabby认为攻击条件苛刻故否认漏洞存在;OKX仅将其标记为信息性发现。

行业启示

  • Web3隐私架构重构:浏览器扩展模式的钱包天然面临隐私泄露风险,行业需推动从“前端注入”向更安全的API交互模式或去中心化身份协议演进,以减少对浏览器环境的依赖。
  • 安全标准与合规挑战:当前Web3应用缺乏统一的权限撤销标准和隐私保护规范,开发者需建立更严格的“最小权限原则”,并在UI上明确提示权限状态,而非仅依赖用户手动管理。
  • 去匿名化威胁常态化:随着跨站追踪技术的成熟,加密地址与真实身份的绑定成本大幅降低,用户需意识到“匿名”并非默认状态,建议采用隔离环境或多钱包策略以降低单点泄露风险。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Research 科学研究