Get Grass Extension is Spying on You (Hack Warning)

Back in January, I investigated the Get Grass project and the potential risks of using its extension. What we found back then was that the extension was collecting a lot of valuable information from its users. This included location, authentication information, and personally identifiable information. The privacy page shown here is a screencap from the initial video that I did on the matter.

As of today, the actual extension page lists only “location”, so either they updated only the policy or they also changed the actual code of the extension. I don’t see any public announcement of them doing so. But this is not the end of our problems, as we recently discovered something more sinister.

Traces of Cursed Chrome Spyware

Earlier today I was contacted by an anonymous source who provided me with information that the Get Grass extension was using a piece of tech called “Cursed Chrome”, which was created by a security expert known as Matthew Bryant as an open-source project on GitHub.

According to Matthew, the idea behind it was basically to give white hat hackers something to combat, in case such a malicious spyware extension emerges somewhere.

The concept behind it is ultimately quite simple: it connects the victim’s browser with a potential hacker who has access to this “Cursed Chrome server”, and this will cache certain information from the victim’s computer, including things like passwords, autofill information, addresses, cookies and anything else that could potentially be stored inside the browser that you are using.

The hacker can essentially log into the browsers that have been infected by the Cursed Chrome extension. Depending on what browser you are using, the extension might be running online even if the browser is not currently open, so not opening your specific browser isn’t necessarily going to keep you safe. A thorough uninstall process is recommended to deal with the problem.

If you still do not believe me, you can open the background.js file and see the references to Cursed Chrome in the source. This can be checked by anyone who is currently running the extension on any Chromium browser. To quote the analysis report I got from my source:

It also specifies that this package allows viewing and browsing sites as the victim: “A (cursed) Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies. By using the proxies this tool creates you can browse the web authenticated as your victim for all of their websites.” They achieve this by using the following permissions and hijacking session cookies of users: "permissions": [ "webRequest", "webRequestBlocking", "" ]

The Chrome Web Store policies clearly state that such things are prohibited and shouldn’t exist in the marketplace, but apparently not enough people have reported this extension for potential malware.
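The check described above (look at the manifest permissions and at background.js) can be scripted. The following is an added example, not code from the original article, the quoted report or either project. The marker pattern and the list of broad host patterns are assumptions, since the third permission in the quoted list is empty on this page, and the two sample extensions are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Permissions quoted in the report above. The broad host patterns are an
# assumption: the third entry of the quoted list is empty on this page.
PROXY_PERMS = {"webRequest", "webRequestBlocking"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed marker: the article only says background.js mentions Cursed Chrome.
MARKER = re.compile(r"cursed[\s_-]?chrome", re.IGNORECASE)

def audit_extension(ext_dir):
    """Return findings for one unpacked extension directory."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    # MV2 lists host patterns under "permissions", MV3 under "host_permissions".
    perms = {p for key in ("permissions", "host_permissions")
             for p in manifest.get(key, []) if isinstance(p, str)}
    findings = []
    if PROXY_PERMS <= perms and perms & BROAD_HOSTS:
        findings.append("webRequest + webRequestBlocking with broad host access")
    background = manifest.get("background", {})
    scripts = list(background.get("scripts", []))
    if "service_worker" in background:
        scripts.append(background["service_worker"])
    for name in scripts:
        path = ext_dir / name
        if path.is_file() and MARKER.search(path.read_text(errors="replace")):
            findings.append(f"marker string in {name}")
    return findings

def demo():
    """Audit two constructed extensions (sample data, not real Grass code)."""
    samples = {
        "flagged": (["webRequest", "webRequestBlocking", "<all_urls>"],
                    "// constructed sample: CursedChrome marker\n"),
        "benign": (["storage"], "// constructed sample\nconsole.log('hi');\n"),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (perms, js) in samples.items():
            ext = Path(root) / name
            ext.mkdir()
            manifest = {"manifest_version": 2, "name": name, "permissions": perms,
                        "background": {"scripts": ["background.js"]}}
            (ext / "manifest.json").write_text(json.dumps(manifest))
            (ext / "background.js").write_text(js)
        return {name: audit_extension(Path(root) / name) for name in samples}

if __name__ == "__main__":
    for ext, findings in demo().items():
        print(ext, findings or "no findings")
```

To check a real profile, call audit_extension on each versioned directory under the browser profile's Extensions folder. A permission match alone is not proof of malice, since legitimate ad blockers and proxies request the same combination.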


Last Sketchy Points about Grass

Rather than recap everything I talked about in the initial investigation video, I made a few bullet points to address some of the other concerns regarding this project.

  • The company was registered in a tax haven country (Bahamas) 
  • We still don’t have the tokenomics released for the project, we only know it’s gonna launch on Solana
  • Lack of transparency regarding who is working on the team; the CEO hasn’t really made public appearances, only the CTO, who has an active lawsuit against him as of right now
  • No Whitepaper or proper documentation of anything that’s actually working outside the extension itself

I’m hoping you will share this article and spread the message so we can proceed to get some answers from the actual team about this malware and why exactly there has been so little transparency.