A new way to protect browser-based bitcoin wallets from malware

First published: 10/21/2024
| Last updated: 10/21/2024
| -- min read

As bitcoin continues to increase in value, so does the sophistication of attacks targeting bitcoin users. At Unchained, we recognize the need for enhanced security measures to combat these threats. Our team has been diligently working on new features that could be widely implemented to protect all bitcoin users, particularly those who rely on browser-based wallets. As far back as 11 years ago, browser extensions have been known to steal bitcoin, highlighting the persistence of browsers as a vulnerability for your life savings.

Today we’re introducing a new security feature: the ability to confirm bitcoin deposit addresses via email. This new feature is one of many tools you can use to avoid being accidentally tricked by a malicious browser-extension or other malware into sending bitcoin to the wrong address.

Building on our open source work

Our efforts to improve deposit address verification builds on four years of collaborations with leading teams, including SatoshiLabs and Ledger, to empower users to verify multisignature addresses directly using their hardware wallets. However, many users prefer to geographically separate their hardware wallets for added security, and we wanted to provide a supplemental solution to the guarantees you receive from checking physical devices.

Millions of users rely on browser-based tools, such as exchanges, and could benefit from reliable methods to confirm the validity of addresses displayed on their screens—especially when dealing with irreversible transactions. We hope that this feature inspires other browser-based bitcoin tools to implement similar features. 

Why you should always confirm deposit addresses

Bitcoin transactions are immutable, so sending bitcoin to the wrong address can result in permanent loss. This is why you should always confirm your deposit address—it’s a simple way to know with higher confidence the address is valid and you aren’t sending bitcoin to an address injected by malware.

Both confirming with hardware wallets and confirming with email can help protect you from accidentally sending bitcoin to an attacker if your computer is infected with malware. However, confirming deposit addresses via email does not give you the same guarantees of confirming addresses with hardware wallets. 

Additional benefits of confirming addresses with hardware wallets include:   

  • Confirm that you have keys to the address: Using hardware wallets ensures that the address shown is controlled by your keys.
  • Verify that the address was built correctly: In multisig, you need to know that your address is 2-of-3, for example, and not 2-of-5 where an attacker has added 2 more of their keys and actually controls the funds. Only confirming on a hardware wallet gives you this guarantee.

How it works

The new confirm on email solution involves sending the address displayed in your browser back to Unchained for verification. We check it against our internal systems to confirm that the address displayed to you matches the address that we expect. You will then receive an email from Unchained confirming whether the address matches, or alerting you if there is a potential compromise of your computer.

While the new email confirmation feature provides an additional layer of security by allowing Unchained to certify the displayed address, it does not guarantee that you have direct control over the keys associated with that address. You have to confirm your addresses with hardware wallets to ensure you have direct control. 

Additional security measures

As more clients begin sharing access to their vaults with other Unchained users who don’t necessarily hold keys with Unchained Connections, email confirmation adds an additional layer of protection. It allows users to validate address information across multiple devices, such as a laptop and a phone, and with different browsers, thereby mitigating the risks posed by malicious browser extensions and other malware.

In addition to confirming addresses on hardware wallets or via email, consider using the wallet configuration file with open-source multisignature tools, such as Caravan or Sparrow. These tools can help you verify that your bitcoin balances are accurate, and can also help you verify that all of the addresses in your multisignature wallet match what you see in Unchained. 

Conclusion

As threats to bitcoin holders evolve, so must our strategies to combat them. We advocate for a multi-factor security strategy. This “swiss cheese” approach acknowledges that while no single measure is foolproof, layering different protections can create a more holistic security posture. 

If implemented broadly, features like this could enhance the security of all browser-based wallets—and we aim to lead by example in empowering users to take control of their assets while providing peace of mind. 

Sign up to get notified for future blog articles.