SlowMist Cosine: Users need to pay attention to browser extension permission requests and have an isolation mindset


According to ChainCatcher, SlowMist Cosine posted on the X platform, saying: "For an extension to do evil, such as stealing cookies, private information (such as account permission information or private key information) from the target page's localStorage, tampering with the DOM, hijacking requests, or reading clipboard contents, the relevant permissions can be configured in manifest.json. If users don't pay attention to the extension's permission requests, they will be in trouble. But for an extension that wants to do evil, directly messing with other well-known wallet extensions is not easy... because of sandbox isolation... For example, it is unlikely to directly steal the private key/seed phrase information stored in the wallet extension. If you are concerned about the permission risks of a certain extension, it is actually very easy to assess this risk. After installing the extension, you can hold off on using it, look up the extension ID, search for its local path on the computer, find the manifest.json file in the extension's root directory, and hand the file contents directly to an AI for a permission risk interpretation. If you have an isolation mindset, you can consider enabling a separate Chrome Profile for strange extensions; at least the evil can be controlled, and most extensions don't need to be enabled all the time."
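
The manifest.json review described in the post can also be done as a deterministic local check. The script below is an added example, not code from the post or from SlowMist; the permission selection is an assumption covering the capabilities the post names and is not exhaustive, and the sample manifest is constructed.

```python
import json

# Chrome permission names mapped to the capabilities named in the post.
# This selection is an assumption for illustration, not an exhaustive list.
RISKY_PERMISSIONS = {
    "cookies": "read and write cookies for permitted hosts",
    "clipboardRead": "read clipboard contents",
    "webRequest": "observe network requests",
    "webRequestBlocking": "block or modify requests (Manifest V2)",
    "declarativeNetRequest": "redirect or modify requests through rules",
    "scripting": "inject scripts into pages (DOM and localStorage access)",
    "debugger": "attach the DevTools protocol to tabs",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def audit_manifest(text):
    """Return sorted (item, reason) findings for the text of a manifest.json."""
    manifest = json.loads(text)
    declared = set()
    for key in PERMISSION_KEYS:
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    findings = set()
    for perm in declared:
        if perm in RISKY_PERMISSIONS:
            findings.add((perm, RISKY_PERMISSIONS[perm]))
        elif perm in BROAD_HOSTS:
            findings.add((perm, "host access to every site"))
    # Content scripts run inside matching pages and can read their DOM and localStorage.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.add(("content_scripts:" + pattern, "script runs in every page"))
    return sorted(findings)

# Constructed sample manifest, not taken from any real extension.
SAMPLE_MANIFEST = """{
  "manifest_version": 3, "name": "Constructed Example", "version": "1.0",
  "permissions": ["storage", "cookies", "clipboardRead", "webRequest"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["content.js"]}]
}"""

if __name__ == "__main__":
    for item, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{item}: {reason}")
```
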

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.