Yet it doesn't seem to really answer the question.
I get that what we're looking at is a browser extension that relies on a bunch of webshit, some of which was malware.
As somebody not versed in "web3" specific webshits, I thought the point of a hardware token is that there was some kind of verification on the device itself. So this doesn't seem sufficient to "drain" a wallet - right?
My assumption would be that the computer running the malware never gets the key material directly, rather it submits some request to the hardware token, which prompts the user with the details on some external physical display. The user reviews the details, then does something in meatspace that causes the hardware token to sign the something in question and pass it back to the software on the PC.
So isn't it the case that the user would have to approve the malware drain transaction themselves? And if not... what's the point of these devices, anyway?
Not sure if anyone actually read my original post. The problem is that Ethereum transactions are not especially human readable so they are commonly signed blind. As you point out, this is a problem.
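Added example, written here and not taken from anyone in this thread: it shows what "not human readable" means for an ERC-20 call and what a signer (on-device or in a wallet) can check before asking for a signature. It decodes the calldata's 4-byte selector and 32-byte ABI words into readable fields, flags an unlimited `approve`, and reports anything with an unknown selector as a blind-sign request. The two selectors are the well-known keccak256 prefixes for `transfer(address,uint256)` and `approve(address,uint256)`; the sample address and calldata are constructed placeholders, and the function names are mine.

```python
# Added example (not from the thread): decode ERC-20 calldata so a signer can
# display "what is being signed" instead of asking for a blind signature on
# opaque bytes. Selectors are keccak256(signature)[:4]; the two below are the
# well-known values for transfer/approve. All sample inputs are constructed.

KNOWN_SELECTORS = {
    bytes.fromhex("a9059cbb"): ("transfer", ("address", "uint256")),
    bytes.fromhex("095ea7b3"): ("approve", ("address", "uint256")),
}

UINT256_MAX = 2**256 - 1


def decode_word(word: bytes, typ: str) -> str:
    """Decode one 32-byte ABI word of the given static type to a string."""
    if len(word) != 32:
        raise ValueError("ABI word must be 32 bytes")
    if typ == "address":
        # addresses are 20 bytes, left-padded with 12 zero bytes
        if any(word[:12]):
            raise ValueError("non-zero padding in address word")
        return "0x" + word[12:].hex()
    if typ == "uint256":
        return str(int.from_bytes(word, "big"))
    raise ValueError(f"unsupported type {typ}")


def describe_calldata(calldata: bytes) -> dict:
    """Return a structured description of ERC-20 calldata.
    Anything that cannot be decoded is reported as requiring a blind signature."""
    if len(calldata) < 4:
        return {"blind": True, "reason": "calldata shorter than a selector"}
    selector, body = calldata[:4], calldata[4:]
    if selector not in KNOWN_SELECTORS:
        return {"blind": True, "reason": f"unknown selector 0x{selector.hex()}"}
    name, types = KNOWN_SELECTORS[selector]
    if len(body) != 32 * len(types):
        return {"blind": True, "reason": "argument length does not match ABI"}
    args = [decode_word(body[i * 32:(i + 1) * 32], t) for i, t in enumerate(types)]
    warnings = []
    if name == "approve" and int(args[1]) == UINT256_MAX:
        warnings.append("unlimited allowance: spender can move the entire balance")
    return {"blind": False, "function": name, "args": args, "warnings": warnings}


def render(desc: dict) -> str:
    """Turn the description into the text a device screen would show."""
    if desc["blind"]:
        return f"BLIND SIGN REQUESTED: {desc['reason']}"
    line = f"{desc['function']}(to={desc['args'][0]}, amount={desc['args'][1]})"
    for w in desc["warnings"]:
        line += f"\n  WARNING: {w}"
    return line


def encode_call(selector_hex: str, address_hex: str, amount: int) -> bytes:
    """Helper to build constructed sample calldata (selector + two ABI words)."""
    return (bytes.fromhex(selector_hex)
            + bytes.fromhex(address_hex[2:]).rjust(32, b"\x00")
            + amount.to_bytes(32, "big"))


SAMPLE_ADDR = "0x" + "11" * 20  # constructed placeholder address
SAMPLE_TRANSFER = encode_call("a9059cbb", SAMPLE_ADDR, 1_000_000)
SAMPLE_APPROVE_ALL = encode_call("095ea7b3", SAMPLE_ADDR, UINT256_MAX)
SAMPLE_UNKNOWN = bytes.fromhex("deadbeef") + b"\x00" * 64  # constructed, unknown selector

if __name__ == "__main__":
    for cd in (SAMPLE_TRANSFER, SAMPLE_APPROVE_ALL, SAMPLE_UNKNOWN):
        print(render(describe_calldata(cd)))
```

The point of the unknown-selector branch is that a display which only shows "sign this hash" gives the user nothing to review; a signer that refuses or loudly labels undecodable calldata is the property the comment above is asking for.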
So it wasn't the case that dynamically loading and executing a blob of unreviewed third-party code containing the offending section is what was responsible for those transactions being initiated. Oh wait, it was.
Exclusively focusing on the security failures arising from end-user UI/social engineering and ignoring the failures arising from poor engineering billed as modern software development best practices is another type of failure.