How secure are browser extension wallets?

Convenience over security has been a user trend over the last couple of years, strongly encouraged by FAANG companies — and tech companies in general — to make advertisements and experiences increasingly personal. Crypto flips the concept of security on its head, allowing users to be their own bank and take care of their own security. Naturally, this increased responsibility comes with increased risks as well.

In this article, we look at one of those aspects of security and discuss why using a browser wallet extension is a secure way to interact with your assets — if done right. Storing your coins on a mobile phone or an exchange might be the most convenient way but this is not in accordance with security best practices.

Security 101

Not your keys, not your coins. Anybody who has taken the time to learn crypto basics has heard of this phrase, but what does it mean? Cryptocurrencies use a modern cryptographic method called public-key cryptography. Public key cryptography uses a pair of keys, a public key that you can share with anyone and a private key that must be kept secret. As an analogy, one can think of your public key as your email address and the private key as your password.

Source: https://www.ledger.com/academy/blockchain/what-are-public-keys-and-private-keys

Your public key is the address you share when you want to receive cryptocurrency from someone. Private keys are used to prove ownership of the assets. Private keys are often represented by a 12–24 word seed phrase that you must write down and store somewhere safe, preferably offline, when first creating a web 3.0 wallet through browser extensions like XDEFI Wallet.

Losing your private key or seed phrase means that you lose access to all coins associated with that key, so it is vital to store this in a secure location. It is recommended to always keep at least one backup stored in a different and secure location. Remember, anyone who has access to your private key and/or seed phrase has access to your funds so if this is stolen or shared, you must move your assets to an address associated with another private key as soon as possible.

Exchanges vs Web 3.0 Wallets

The core difference between a web 3.0 wallet and an exchange wallet or a centralised application on your mobile phone is the custodial aspect. When you create a web 3.0 wallet through a browser extension like XDEFI Wallet or Metamask, you control the private key and are responsible for safekeeping it. This means you are in full control of your assets. When you store your coins on a centralised platform like an exchange, they control the private keys and you basically give up ownership of your coins.

One thing people unfamiliar with crypto often get wrong is the belief that the coins themselves can be hacked and stolen. Although there are numerous examples of hacks in the past, it is the centralised platform that gets hacked and not the private key itself. Guessing a private key associated with a particular address would take a computer hundreds if not thousands of years and is simply impossible today. That said, coins stored in a browser extension are still vulnerable to different attack vectors, and by far the most secure way to store your coins is on a hardware wallet or through a combination of a web 3.0 wallet and a hardware wallet, which is described below.

Connectability is another key feature of web 3.0 wallets. A lot of decentralised applications (dApps) in web 3.0 behave like desktop applications rather than mobile experiences given the complexity of the transactions. Due to their central function within a blockchain’s ecosystem, a native web 3.0 wallet has been developed around the most important layer-1 blockchains. A few examples of these are:

Source: https://www.runebase.org/guides/friendly-introduction-to-xdefi-wallet/

Having 5 different extensions to interact with 5 different blockchains is clearly not an ideal solution. This is why XDEFI Wallet has taken a multi-chain approach from the start — XDEFI Wallet currently supports 10 chains, and is rapidly expanding support to all major layer-1 and layer-2 blockchains. Needless to say, this is much more convenient and efficient for the average user and could also prevent inexperienced users from installing a faulty web extension.

Possible Attack Vectors

Attacks on browser extension wallets have become increasingly complex, to the point where even users with a hardware wallet can get tricked if they are not careful. The most popular attack is a phishing attempt: a user clicks a malicious link, a fake pop-out of a browser wallet opens and asks the user to enter their password or seed phrase. Obviously, clicking a link from an email or person you don’t know or trust is not recommended on a computer where you use your cryptocurrencies. As a general rule, it is also helpful to remember to never input your seed phrase into an application, unless you’re recovering a lost account and are 100% sure that you have downloaded the correct and legitimate extension or application.

Besides being wary of phishing attempts, you should always be cautious whenever signing transactions, even when using a hardware wallet. In December 2020, there was a complex case of a hack on the personal funds of Nexus Mutual’s CEO Hugh Karp, in which a hacker gained access to Hugh’s computer and installed a malicious extension. Learning point = be vigilant, never interact with smart contracts you don’t trust and always carefully triple-check what you are approving.

Hardware Wallet Compatibility

Another advantage of a browser extension is the ability to easily connect your hardware wallet. Storing your coins in a hardware wallet such as Ledger or Trezor is the most secure storage method because the private keys never leave the device and thus stay offline. By connecting XDEFI Wallet with your hardware wallet, you can use all the features XDEFI Wallet has to offer without compromising on security.

With XDEFI, a hardware wallet can be added with just a few simple steps.

In just a few simple steps, you can access your funds in your hardware wallet. This way, even if your computer gets hacked, your coins remain safe. Coins stored in a hot wallet generated by the extension itself will be vulnerable if your computer is compromised, as numerous complex attacks over the last few months have shown.

One extra advantage is that actions require a double confirmation. Once you confirm a transaction in the wallet extension, you will also need to sign the transaction with your hardware wallet before the transaction is executed.

Some Best Security Practices for Wallet Extensions

Security has a lot of different angles, but here are some of the best practices to increase the security associated with using a browser wallet:

  • Use a separate browser to install a browser wallet extension like XDEFI Wallet or Metamask
  • Use a unique and strong password to lock the extension
  • Store your coins on a hardware wallet and connect it with the browser wallet extension
  • Be careful clicking links from sources you don’t trust, and do not visit or connect to any sites you do not trust
  • Back up & store your passphrase on an external & offline device that you keep somewhere safe
  • Don’t approve transactions & contracts from sources you don’t know
  • Never use SMS for two-factor authentication
  • Use Google Authenticator or a Yubico key for your two-factor authentication

Why XDEFI Wallet Offers Exceptional Security

“The architecture and implementation review concluded that the (XDEFI) application has a sound architecture, design and the implementation is as good as expected for a browser extension application.”
(Kudelski Security Audit Report for XDEFI Wallet, April 2021)

XDEFI Wallet’s extension has been rigorously audited, and any issues and deficiencies were immediately addressed, as confirmed in the attestation. As a non-custodial wallet, XDEFI Wallet does not store your secret phrase, password or any private information. Users are in complete control of their information and wallet.

On top of that, the XDEFI Wallet extension implemented some additional security features for users to take advantage of. The extension allows users to require a password for transactions, it has hardware wallet compatibility, it offers the ability to auto-lock the application after a certain period of time and additional features around token approvals are coming soon. Users can also revoke permissions for dApps at any time. An additional backup function allows users to save all their wallets with their respective accounts in a single file that can later be used to import the wallet into the extension.

Additionally, XDEFI Wallet will add support for two-factor authentication (2FA) later in 2022 in order to further strengthen its overall security.