
Browser crypto wallet suddenly corrupted: how to avoid the risk of asset loss?

Crypto wallet extensions store private keys locally; if an incident is handled improperly, wallet data can be lost and the assets may become unrecoverable.

Author: Lisa Aro

Editor: Liz

In today's Internet environment, threats such as malware, viruses and phishing attacks appear one after another. Installing anti-virus software (internationally known products such as AVG, Bitdefender, Kaspersky and Malwarebytes) helps users block malicious programs and improves system security. However, anti-virus software only provides a baseline of protection: it reduces risk, it cannot guarantee absolute security. The contest with attackers is dynamic, and installing anti-virus software is only the first step. At the same time, the anti-virus software itself can produce false positives, which introduces risks of its own.

Recently, some users have reported that after running anti-virus software, certain browser extensions (cryptocurrency wallet extensions in particular) were flagged as malware, and the extension's JavaScript files were quarantined or deleted. As a result the wallet extension was corrupted and could no longer be used normally.


This situation is especially serious for Web3 users, because crypto wallet extensions store private keys locally; if the incident is handled improperly, wallet data can be lost and the assets may become unrecoverable. Knowing how to correctly recover extension data that a false positive has quarantined is therefore crucial.

How to deal with it?

If a browser extension has been damaged by an anti-virus false positive, the following recovery steps are recommended:

1. Recover files from quarantine, and do not uninstall the extension

If you find that a program or extension no longer runs, check the anti-virus software's "Quarantine" or "History" as soon as possible for files that were flagged by mistake, and never delete the quarantined files.

  • If the file is still in quarantine, select Restore and add the file or extension to the trust (exclusion) list so it is not flagged again.
  • If the file has already been deleted, check whether an automatic backup exists, or use a data recovery tool to retrieve it.
  • Remember: do not uninstall the extension! Even if the extension is damaged, the files holding the encrypted private key may still be on disk, and recovery is still possible. Uninstalling removes the extension's local storage along with it.

2. Back up and locate the local extension data

Extension data is stored on the local disk. Even if the extension cannot be opened, the relevant data can still be located for recovery (taking MetaMask's extension ID as the example: nkbihfbeogaeaoehlefnkodbefgpgknn):

  • Windows path reference: C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
  • Mac path reference: ~/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn

Note that if Chrome has several profiles configured, the Default in the path may instead be Profile 1, Profile 2 and so on; check which profile directory is actually in use and adjust the path accordingly. Back up the entire extension directory as early as possible so it can be restored if anything goes wrong, and do it with the browser closed so that the LevelDB files are not being written while you copy them.

3. Basic recovery method: overwrite the local extension directory

If a false positive has damaged the extension, the most direct method is to install the same extension on a new computer or in a fresh browser profile, close the browser, overwrite the corresponding extension directory under the local path with the backed-up extension data, and then reopen the extension.

4. Advanced recovery method: manually decrypt the private key data

If the extension still cannot be opened or its data is missing, a more advanced recovery method is to decrypt the stored private key data manually. Taking MetaMask as the example:

  • Search your computer for the MetaMask extension ID and locate the directory: C:\Users\[User]\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
  • This directory contains .ldb/.log (LevelDB) files that hold the encrypted vault. MetaMask's official Vault Decryptor (https://metamask.github.io/vault-decryptor/) can decrypt it. Use only the official tool, never a third-party "decryptor" that asks for your vault or password.
  • Decryption steps: open the MetaMask Vault Decryptor, paste in the encrypted vault content found in the .ldb/.log file, enter the wallet password to decrypt, obtain the private key (or seed phrase) and re-import the wallet.


If the MetaMask extension can still open some of its pages (for example chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/home.html), you can run the following code in that page's DevTools console to obtain the encrypted vault:

chrome.storage.local.get('data', result => {
  // The encrypted vault is stored under KeyringController.vault in the extension's local storage
  var vault = result.data.KeyringController.vault;
  console.log(vault);
});

Then copy the printed vault string into the MetaMask Vault Decryptor to decrypt it.


5. Write a custom recovery tool

If none of the above recovers the wallet data, users can write their own script to extract the extension's stored data from the local database files and decrypt it. Using PhantomKeyRetriever as a template, the underlying principles and implementation of a wallet recovery tool are as follows:

Wallet extensions typically store sensitive data in a database or file on the local system. Browser extension wallets (such as Phantom and MetaMask) use the storage API provided by the browser to save encrypted data in the browser's local storage area, usually a LevelDB or IndexedDB database. Whatever the wallet, the key principle is that the data is always stored in encrypted form, so that even if it is copied it cannot be read without the correct password.

Most crypto wallets use a multi-layered cryptographic architecture to enhance security. First, a key derived from the user's master password encrypts an intermediate key (often called the encryption key or decryption key). This intermediate key is then used to encrypt the actual private key or mnemonic. With this design an attacker must know the user's password to obtain the private key, even with full knowledge of the wallet application's code and a copy of its storage. The layered design also lets the wallet decrypt only the intermediate key when the user logs in and keep it in memory, rather than requiring the master password for every operation.

The process of writing a wallet recovery tool usually includes:

  • Locate and extract the encrypted data (read it from LevelDB/IndexedDB).
  • Analyse the data structure and identify the encrypted private key or mnemonic.
  • Ask the user for the wallet password and derive the decryption key with a KDF (such as PBKDF2 or scrypt).
  • Decrypt the intermediate key, then use it to decrypt the private key or mnemonic.

This process requires an accurate understanding of the wallet’s encryption scheme and data storage format, which usually requires reverse engineering or analysis of the wallet’s open source code.

Take the PhantomKeyRetriever tool as an example. It is a script designed to extract Phantom wallet mnemonic phrases or private keys from Chrome browser data. SlowMist has open-sourced this tool on GitHub (https://github.com/slowmist/PhantomKeyRetriever). Its core principles are:

  • Read the Chrome LevelDB database, first copying the relevant files to a temporary directory (this avoids the lock LevelDB holds on the live directory while the browser is running).
  • Traverse the database to find the encryption key and wallet seed records stored by the Phantom wallet.
  • The user enters the Phantom password, and the script derives the decryption key with PBKDF2 or scrypt.
  • Decrypt the vault data and extract the BIP39 mnemonic phrase or the Base58-encoded private key.

In this two-layer decryption process, the script supports both key derivation functions, PBKDF2 and scrypt, and uses NaCl's SecretBox for authenticated decryption. Finally, depending on the type of decrypted data, the script outputs a BIP39 standard mnemonic phrase or the Base58-encoded private key.


Other browsers that support extension wallets (such as Edge and Firefox) work on similar principles and are not covered separately here.

How to prevent it?

To reduce the risk from false positives, users can take the following measures:

  • Regularly back up important files and browser extension data, so that recovery is quick when a false positive occurs.
  • Add trust rules to the anti-virus software manually: important programs or extensions (such as MetaMask) can be added to the trust (exclusion) list to prevent false positives.
  • Download software only through official channels, and avoid installing unofficial or modified versions of applications, which are more likely to be flagged as a potential risk by anti-virus software.

Summary

The contest with attackers is always dynamic, and security strategies need continual adjustment. Installing anti-virus software matters, but in the end users are the last line of defence for their own assets. When a false positive occurs, stay calm, avoid deleting key files outright, and use an appropriate recovery method. Only by mastering sound security knowledge can we truly protect our data.
