
A browser extension wallet is convenient: it lives one click away, signs transactions inline, and connects to dapps through an injected provider or WalletConnect. That convenience has a cost. An extension is code running inside your browser with permission to see and change the pages you visit — and attackers know it. If you self-custody, the browser is part of your threat model, and extension hygiene is one of the cheapest, highest-leverage habits you can build.
This guide covers why extensions are such a tempting target, the handful of rules that shrink your attack surface, what LavaMoat does and why SSP's extension is built with it, and how SSP's 2-of-2 multisig backstops even a fully compromised extension. New to the category? Start with Browser Extension Wallets Explained, then come back.
Why a browser extension is a juicy target
Extensions run with broad permissions. A typical wallet extension can read and modify the content of the pages you load, watch what you type, and reach the clipboard. Those capabilities are exactly what a wallet needs to inject a provider and surface a signing prompt — and exactly what an attacker wants.
Consider what a malicious or compromised extension can do without ever touching your seed phrase:
- Swap a copied address. You copy a receive address; the extension rewrites the clipboard so the address you paste belongs to the attacker. This clipboard-hijack pattern is old, reliable, and invisible.
- Inject scripts into a dapp. It can alter the page you see, changing the amount or destination of a transaction while displaying the values you expected.
- Read what's on your screen. Balances, addresses, and anything else on the page are readable. Combined with a phishing page, that intelligence makes the lure far more convincing — see Phishing Attacks Targeting Crypto Users.
The economics are brutal: one popular extension can reach millions of users at once, so compromising a single publisher is worth enormous effort. The most dangerous version isn't a fake you install by mistake — it's a legitimate extension you already trust that turns hostile after an update.
The hygiene rules
You cannot make a browser perfectly safe, but you can make it a poor target. The principle is least privilege: fewer extensions, narrower permissions, and a clean separation between your crypto browser and everything else.
Minimize what you install
Every extension is attack surface and a supply-chain dependency you didn't write. Install as few as you can live with, prefer well-known projects with a long track record, and remove anything you've stopped using. A wallet plus a hardware-wallet bridge is plenty; a dozen productivity add-ons sharing a browser with your funds is not.
Use a dedicated browser profile
Create a separate browser profile — or a separate browser — used only for crypto, with only your wallet extension installed. The coupon finder, the screenshot tool, and the random "AI" sidebar live in your everyday profile, where they can't read the page while you sign a transaction. This single change removes most of the day-to-day risk for almost no effort.
Review permissions and updates
When you install or update an extension, read the permission prompt instead of clicking through it. "Read and change all your data on all websites" is normal for a wallet and alarming for a calculator. Auto-update is a genuine supply-chain risk: the build you vetted on Monday isn't the build that ships on Thursday, and a compromised maintainer or dependency can push malicious code straight to your browser. You can't review every update by hand, so favor extensions whose security model assumes their own dependencies might go bad — which is exactly what LavaMoat provides. For the broader pattern, read Supply-Chain Attacks and Deterministic Builds.
Spot fake wallet extensions
Stores are full of look-alikes: the right name, a copied logo, fabricated reviews, and a publisher you've never heard of. A fake wallet extension's only job is to capture your seed phrase or swap a transaction. Before installing, verify the publisher matches the project's official site, check the install count and history, and follow the download link from the project itself rather than from store search. The Chrome Web Store program policies ban impersonation, but enforcement lags publication — treat the store as a starting point, not a guarantee. And never type your seed phrase into an extension popup.
What LavaMoat does (and why SSP uses it)
Modern web apps are assembled from hundreds of third-party packages, any one of which could be compromised. LavaMoat is an open-source toolset that hardens JavaScript against exactly that: it sandboxes each third-party dependency in its own restricted environment and enforces an explicit policy of what each package may access. A single poisoned package can no longer reach across the app to read your keys, tamper with a transaction, or exfiltrate data — it's confined to the narrow surface its policy allows.
This matters because supply-chain attacks target the dependency, not the headline project. SSP's browser extension is built with LavaMoat, so even if a transitive dependency is compromised upstream, the blast radius is contained rather than handed the keys to your wallet. It's defense in depth applied to the one risk you can't personally audit: the code other people wrote. For why this class of attack earns its own playbook, OWASP catalogs supply-chain and injection risks in its guidance at owasp.org.
Where SSP's 2-of-2 backstops a bad extension
Here is the honest, load-bearing point. Suppose the worst case happens anyway and your browser extension is fully compromised. It can still only do half the job.
SSP is a 2-of-2 multisig. Every transaction needs two independent signatures — one from the browser extension and one from the SSP Key on your phone, a separate device with its own screen. A compromised extension can build a malicious transaction, but it cannot produce the second signature. When the request reaches your phone, you see the real destination and amount on a surface the extension doesn't control, and you reject it. The attacker is left with one signature on a transaction that will never broadcast.
That's a real, structural backstop, not a marketing line — and it's exactly why two independent approval surfaces beat one. It is also not a license to run a dirty browser. The second key protects the moment of signing; it doesn't stop a clipboard swap you confirm by hand, and it doesn't undo bad habits elsewhere. Treat it as your last line of defense, not your only one. To see where even multisig has limits, read Multisig Failure Modes and How SSP Mitigates Them and What Happens If One of Your Keys Is Compromised.
A quick extension audit
Run this in five minutes today, then once a quarter:
- Open your browser's extensions page and list everything installed.
- Remove every extension you haven't used in the last month.
- For each survivor, confirm the publisher matches the project's official site.
- Check the permissions each one holds, and uninstall anything over-privileged for what it does.
- Move your wallet into a dedicated, crypto-only profile if it isn't already there.
- Confirm your wallet extension comes from the official source and, where available, is hardened with LavaMoat.
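The permission review from "Review permissions and updates" and the audit step above, as an added example that is not part of the original guide: a small check of a Chrome Manifest V3 extension's declared permissions against what the extension is supposed to do. The role expectations and the two manifests are constructed for illustration; the permission names are Chrome's.

```javascript
// Added example (not from the original guide or from SSP): audit a Chrome
// Manifest V3 extension's declared permissions against its role. Capabilities
// that read or change pages, or touch the clipboard, are flagged unless the
// role legitimately needs them.

// Host patterns that grant access to every page the user visits.
const PAGE_ACCESS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Chrome permissions that matter for a wallet user's threat model.
const SENSITIVE = new Set(["clipboardRead", "clipboardWrite", "scripting", "tabs",
  "webRequest", "declarativeNetRequest", "debugger", "history", "cookies"]);

// What each role needs (constructed for the example). A wallet must inject a
// provider into pages; a simple utility needs neither page access nor clipboard.
const ROLE_NEEDS = {
  wallet: new Set(["<page-access>", "scripting", "tabs", "clipboardWrite"]),
  utility: new Set(),
};

function auditManifest(manifest, role) {
  const needs = ROLE_NEEDS[role] ?? new Set();
  const findings = [];
  // Both host_permissions and content-script match patterns grant page access.
  const hosts = [
    ...(manifest.host_permissions ?? []),
    ...(manifest.content_scripts ?? []).flatMap((cs) => cs.matches ?? []),
  ];
  const broad = hosts.filter((h) => PAGE_ACCESS.has(h));
  if (broad.length && !needs.has("<page-access>")) {
    findings.push(`reads/changes all pages via ${[...new Set(broad)].join(", ")}`);
  }
  for (const p of manifest.permissions ?? []) {
    if (SENSITIVE.has(p) && !needs.has(p)) findings.push(`holds "${p}" permission`);
  }
  return findings; // empty array: nothing over-privileged for this role
}

// Constructed manifests for illustration.
const walletManifest = { manifest_version: 3, name: "Example Wallet",
  permissions: ["storage", "scripting", "clipboardWrite"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inpage.js"] }] };
const calculatorManifest = { manifest_version: 3, name: "Quick Calculator",
  permissions: ["clipboardRead", "tabs"],
  host_permissions: ["<all_urls>"] };
```

An unpacked extension's manifest.json can be loaded with `JSON.parse` and passed to `auditManifest` the same way.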
Keep going
Browser hygiene is one layer. Pair it with phishing awareness, sane seed-phrase storage, and a clear understanding of how your wallet's keys are split. Strong habits plus SSP's 2-of-2 architecture mean a single bad extension is an inconvenience, not a catastrophe — but the habits still have to be yours.