
How to avoid the risk of asset loss when the browser encrypted wallet is suddenly damaged?


Reprinted from panewslab

03/06/2025

Author: Lisa & Aro

Editor: Liz

In today's Internet environment, threats such as malware, viruses and phishing attacks emerge one after another. Installing antivirus software (such as AVG, Bitdefender, Kaspersky, Malwarebytes and other internationally known products) helps users block malicious programs and improves system security. However, antivirus software only provides a basic layer of protection: it can reduce risk but cannot guarantee absolute security. Confrontation between attackers and defenders is a dynamic process, and installing antivirus software is only the first step toward better security. At the same time, the antivirus software itself may produce false positives, which bring additional risks.

Recently, some users have reported that after installing antivirus software, certain browser extensions (especially cryptocurrency wallet extensions) were falsely flagged as malware. The extensions' JavaScript files were quarantined or deleted, and the wallet extension ended up corrupted and unusable.


This is especially serious for Web3 users, because crypto wallet extensions usually store private keys locally; if the situation is not handled properly, it may lead to loss of wallet data and even assets that cannot be recovered. Therefore, it is crucial to understand how to correctly recover extension data that has been quarantined by a false positive.

How to deal with it?

If you find that an antivirus false positive has damaged a browser extension, the recommended recovery steps are as follows:

1. Recover files from quarantine and do not uninstall the extension

If you find that a program or extension no longer runs, check the antivirus software's "Quarantine" or "History" as soon as possible to locate the files that were falsely flagged. Do not delete the quarantined files.

  • If the file is still in quarantine, select Restore and add the file or extension to the trust (allow) list to prevent the false positive from recurring.
  • If the file has already been deleted, check whether an automatic backup exists or use a data recovery tool to retrieve it.
  • Remember: do not uninstall the extension! Even if the extension is corrupted, the files holding the encrypted private key may still be stored locally, so recovery remains possible.

2. Back up and locate local extension data

Extension data is usually stored on the local disk. Even if the extension cannot be opened, the relevant data can still be found for recovery (using MetaMask's extension ID nkbihfbeogaeaoehlefnkodbefgpgknn as an example):

  • Windows path reference: C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
  • Mac path reference: ~/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn

Note that if Chrome has multiple profiles configured, the Default in the path may instead be Profile 1, Profile 2 and so on; check which Profile directory actually holds the extension and adjust the path accordingly. It is recommended to back up the entire directory of the target extension as soon as possible so that it can be restored if a problem occurs.

3. Basic recovery method: overwrite the local extension directory

If a false positive has corrupted the extension, the most direct approach is to copy the backed-up extension data over the corresponding extension directory on a new computer or in a fresh browser environment, then reopen the extension.

4. Advanced recovery method: manually decrypt the private key data

If the extension still fails to open or its data is missing, you can try a more advanced method: manually decrypting the private key data. Taking MetaMask as an example:

  • Search your computer for the MetaMask extension ID and locate the following directory: C:\Users\[User]\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
  • This directory may contain .ldb/.log files that store the encrypted private key data. They can be decrypted with MetaMask's official Vault Decryptor (https://metamask.github.io/vault-decryptor/).
  • Decryption steps: open the MetaMask Vault Decryptor -> copy the encrypted vault content from the .ldb/.log file -> decrypt it with the extension's original password -> after obtaining the private key, re-import the wallet.


If the MetaMask extension can still open certain pages (such as chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/home.html), you can try running the following code in the browser's developer console on that page to read the encrypted vault data:

chrome.storage.local.get('data', result => {
  var vault = result.data.KeyringController.vault; // keyring vault, encrypted under the wallet password
  console.log(vault);
});

Then copy the printed vault data into the MetaMask Vault Decryptor to decrypt it.


5. Write a custom recovery tool

If none of the above methods recovers the wallet data, users can write their own script to extract the extension's storage data from the local database files and decrypt it. Using PhantomKeyRetriever as a template, the underlying principles and implementation of wallet recovery tools are as follows:

Wallet extensions usually store sensitive data in a database or file on the local system. Browser extension wallets (such as Phantom and MetaMask) use the storage API provided by the browser to save encrypted data in the browser's local storage area, typically in a database such as LevelDB or IndexedDB. Regardless of the wallet type, a key principle is that the data is always stored in encrypted form, ensuring that even if it is copied, it cannot be accessed without the correct password.

Most crypto wallets use a multi-layer encryption architecture for added security. First, the user's master password is used to encrypt an intermediate key (often called the "encryption key" or "decryption key"). This intermediate key is then used to encrypt the actual private key or mnemonic. As a result, even if the wallet application's code is tampered with, an attacker still needs the user's password to obtain the private key. The multi-layer design also allows the wallet application to decrypt only the intermediate key when the user logs in, so the master password does not have to be re-entered for every operation.

The process of writing a wallet recovery tool usually includes:

  • Locate and extract the encrypted data (read it from LevelDB/IndexedDB).
  • Analyze the data structure and identify the encrypted private keys/mnemonic.
  • Prompt the user for the wallet password and derive the decryption key with a KDF (such as PBKDF2 or Scrypt).
  • Decrypt the intermediate key, then use it to decrypt the private key/mnemonic.

This process requires an accurate understanding of the wallet's encryption scheme and data storage format, which usually has to be obtained by reverse engineering or by studying the wallet's open-source code.

PhantomKeyRetriever is a script designed specifically to extract Phantom wallet mnemonics or private keys from Chrome browser data. SlowMist has open-sourced the tool on GitHub (https://github.com/slowmist/PhantomKeyRetriever). Its core workflow is as follows:

  • Read the Chrome LevelDB database and copy the relevant data to a temporary directory.
  • Traverse the database looking for the encryption key and wallet seed information stored by the Phantom wallet.
  • The user enters the Phantom password, and the script derives the decryption key with PBKDF2 or Scrypt.
  • Decrypt the wallet vault data and extract the BIP39 mnemonic or Base58 private key.

During this two-layer decryption, the script supports two key derivation functions, PBKDF2 and Scrypt, and uses the NaCl library's SecretBox for decryption. Finally, depending on the type of the decrypted data, the script either generates a BIP39 standard mnemonic or extracts the Base58-encoded private key.


Note that other browsers that support extension wallets (such as Edge and Firefox) work on similar principles and are not covered separately here.

How to prevent it?

To reduce the risk of false positives, users can take the following measures:

  • Regularly back up important files and browser extension data so they can be restored quickly if a false positive occurs.
  • Manually add trust rules in the antivirus software: important programs or extensions (such as MetaMask) can be added to the trust list to prevent false positives.
  • Download software through official channels and avoid installing unofficial or modified versions, which reduces the chance of being flagged by antivirus software.

Summary

Confrontation is always dynamic, and security strategies need to be adjusted constantly. Installing antivirus software is important, but in the end users are the last line of defense for their own assets. When a false positive occurs, users should handle it calmly, avoid deleting key files directly, and use an appropriate recovery method. Only by mastering the right security knowledge can you truly keep your data safe.
