Critical Vulnerabilities in Browser Wallets Let Attackers Drain your Funds

Significant vulnerabilities in popular browser-based cryptocurrency wallets enable attackers to steal funds without any user interaction or approval. 

These critical flaws, discovered in wallets including Stellar Freighter, Frontier Wallet, and Coin98, represent a significant shift in attack vectors against crypto users.

Unlike traditional phishing attacks that require users to approve malicious transactions, these vulnerabilities allow attackers to drain funds by simply having users visit a compromised website. 

No wallet connection approval, transaction signing, or any other user interaction is required.

“Simply visiting the wrong site could silently expose your recovery phrase, allowing attackers to drain your funds whenever they want,” explained researchers at Coinspect who identified the vulnerabilities. 

“They could wait until your wallet has enough balance, making it hard to trace the breach.”

Browser Wallet Extension Vulnerabilities Expose Private Keys

The flaws stem from architectural weaknesses in how browser wallet extensions implement message passing between their components. 

In a standard wallet architecture, a decentralized application (dApp) interacts with the wallet through a Provider API injected by the Content Script, which communicates with the Background Script that has access to private keys.

Researchers found a critical vulnerability (CVE-2023-40580) in Freighter, the official Stellar blockchain wallet. The wallet used a single handler to process communications from both its UI and Provider API. 

This design created confusion between message sources, allowing attackers to execute:

By manipulating the request.type parameter through the Content Script’s message listener, attackers could trigger internal functions intended for the Wallet UI and access the user’s secret recovery phrase.

Frontier Wallet suffered from a similar vulnerability where its Provider API exposed internal methods that returned the wallet’s state, including the encrypted recovery phrase. 

Although the wallet used separate ports for its connections, attackers could still retrieve this information even while the wallet was locked.

Meanwhile, Coin98 Wallet contained a vulnerability that allowed attackers to send crafted messages carrying an isDev:true parameter to the Content Script, which made the Background Script treat the commands as if they came from the legitimate Wallet UI rather than from a malicious site.
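The common thread in all three flaws is a Background Script that decides how much to trust a message from fields inside the message itself (request.type, isDev). The following is an added example, not code from Freighter, Frontier or Coin98: a background-script router that derives privilege from the browser-supplied sender instead, shown beside the weak pattern for contrast. The port name "wallet-ui", the popup URL and the extension id are assumptions; browser objects are replaced by plain objects so it runs in Node.

```javascript
// Added example, not code from Freighter, Frontier or Coin98. The browser's
// runtime.Port / MessageSender objects are replaced by plain objects with the
// same fields so the router runs in Node; port names, the popup URL and the
// extension id are assumptions for illustration.

// Constructed wallet state; the mnemonic must never be returned to a web page.
const walletState = { locked: true, encryptedMnemonic: "ENC(constructed-mnemonic)" };
const EXTENSION_ID = "constructed-extension-id";

// Weak pattern described above: one handler for UI and Provider API traffic,
// dispatching on request.type, with a flag inside the message body (isDev)
// deciding whether the caller is trusted. Any page can set that flag.
function weakHandler(request) {
  if (request.type === "getPublicKey") return "GPUBKEY_CONSTRUCTED";
  if (request.type === "exportMnemonic" && request.isDev === true) {
    return walletState.encryptedMnemonic;
  }
  return { error: "unauthorized" };
}

// Hardened pattern: trust is derived from where the message arrived, which the
// browser reports and a web page cannot forge, never from the message body.
const PROVIDER_METHODS = new Set(["getPublicKey", "requestSignTx"]);
const UI_METHODS = new Set(["getPublicKey", "unlock", "exportMnemonic"]);

function classifySender(sender) {
  const isOwnUi = sender.id === EXTENSION_ID &&
    sender.portName === "wallet-ui" &&
    sender.url === `chrome-extension://${EXTENSION_ID}/popup.html`;
  return isOwnUi ? "ui" : "page"; // content-script port is "page" whatever it sends
}

function hardenedHandler(request, sender) {
  const allowed = classifySender(sender) === "ui" ? UI_METHODS : PROVIDER_METHODS;
  if (!allowed.has(request.type)) return { error: "unauthorized" }; // isDev is ignored
  switch (request.type) {
    case "getPublicKey": return "GPUBKEY_CONSTRUCTED";
    case "unlock": walletState.locked = false; return { ok: true };
    case "exportMnemonic":
      if (walletState.locked) return { error: "locked" }; // locked state is enforced too
      return walletState.encryptedMnemonic;
    default: return { error: "unsupported" }; // requestSignTx would prompt the user
  }
}
```

In a real extension the sender fields come from the runtime.Port handed to the onConnect listener, so a page-controlled message body cannot change which method set applies.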

Severe Security Implications

These vulnerabilities bypass traditional security models in several concerning ways:

  • Pre-Connection Risk: Malicious sites can interact with wallets before users accept any connection.
  • Silent Exploitation: Attacks occur without alerting users.
  • Direct Key Access: Attackers can obtain secret recovery phrases even with locked wallets.
  • Delayed Exploitation: Hackers can wait until wallets contain significant funds before attacking.

Over the past year, cybercriminals have stolen approximately $58.98 million from over 63,000 victims using similar wallet-draining techniques.

The identified vulnerabilities have been patched in updated versions of the affected wallets. Users should immediately:

  • Update Stellar Freighter to version 5.3.1 or later.
  • Ensure Frontier Wallet is updated to versions released after November 22, 2024.
  • Use only updated Coin98 Wallet versions.

If you suspect your wallet may be compromised, security experts recommend immediately transferring remaining tokens to a newly created wallet and ceasing use of the compromised one.

As cryptocurrency adoption grows, security researchers warn that similar vulnerabilities likely exist in other browser wallets, particularly those built on untested codebases. 

Users should remain vigilant and prioritize wallets with established security practices as these sophisticated, silent drain techniques become more prevalent in attackers’ arsenals.
