
Bitcoin Address Inspector

A browser extension that automatically detects Bitcoin addresses on webpages and displays their balance, UTXO count, total received amount, and transaction count using the mempool.space API.
Note: A quick weekend project that makes it easier to inspect bitcoin addresses directly in the browser. This is just the first release, tested, works... not as I would like to! For example, the popup enters a loop and does not display the data when hovering over the highlighted address. I suggest deactivating the option in the settings as shown in the image below. The right-click option works well, as shown in the screenshot below.
The extension is available for Chrome and Firefox (different branch for each browser). Code is open to contributions, PRs, issues, and any feedback that could help improve it.

[Screenshots: Options, In action]

Features

  • Automatic Detection: Recognizes all Bitcoin address formats:
    • Legacy addresses (starting with 1)
    • P2SH addresses (starting with 3)
    • Bech32 addresses (starting with bc1)
  • Multiple Interaction Methods:
    • Hover over highlighted addresses for instant popup
    • Right-click context menu on selected addresses
    • Configurable hover delay
  • Comprehensive Address Information:
    • Current balance
    • Number of UTXOs (Unspent Transaction Outputs)
    • Total amount ever received
    • Total transaction count
  • Customizable Settings:
    • Enable/disable hover popups
    • Enable/disable context menu
    • Adjust hover delay
    • Choose which information to display
Important: we've seen over the past years that browser extensions are dangerous because they have full control over the website displayed. This means that it is trivial for an extension to modify text or images displayed. Some web products that I've worked with have had their customers suffer losses because of this and nothing they could do about it except advise their customers to never run any extensions. Unfortunately, extensions have been normalized once more in the Bitcoin space - we used to be way more security minded.
Consider this code and then this attack:
String.prototype.replace_ = String.prototype.replace
String.prototype.replace = function (pattern, fn) { 
  return String.prototype.replace_.call(this, pattern, match => fn("lulz")) 
}
"abc".replace(/a/, match => "<strong>" + match + "</strong>")
// Expected: '<strong>a</strong>bc'
// Actual: '<strong>lulz</strong>bc'
See the problem?
reply
String.prototype.replace_ = String.prototype.replace
String.prototype.replace = function (pattern, fn) { 
  return String.prototype.replace_.call(this, pattern, match => fn("lulz")) 
}
"abc".replace(/a/, match => "<strong>" + match + "</strong>")
// Expected: '<strong>a</strong>bc'
// Actual: '<strong>lulz</strong>bc'
Thanks for sharing your experience with browser extensions, this is the first time I'm dealing with it... naively! I see the problem... but this is not code from the BAI extension.
I've shared the code, it is open source on GitHub, people can check the extension source before installing it.
Or are you saying that the extension itself could be an attack vector for other scripts and attackers to be used with malicious intentions?
reply
this is not code from the BAI extension.
No, the code is a fake exploit I wrote in 5 minutes because I don't want to publish the real exploit but you can figure out what I mean. The BAI code that this would attack is what I linked on your repo.
Luckily, thanks to fetch, you don't seem to have a supply chain outside the browser itself at a glance so in this particular extension the only way to inject the exploit would be to either introduce a dependency in a PR on your repo and then attack that, or introduce the first 4 lines of the exploit in an obscured way directly into your codebase.
However, if you normalize people installing extensions then it will be more likely that they will install other extensions that may have a much more vulnerable supply chain and with vibe coding nowadays this risk becomes much larger. For example, I could create BAI++ which looks nicer and has the vulnerability and then, when I have 10k installs, I activate the exploit.
Because there is no protection against this (extensions ignore SCP) the only solution for the past decade has been to tell everyone to never use extensions, and it still is the only solution today.
reply
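A defensive counterpart to the patched `String.prototype.replace` shown in the thread, as an added example that is not code from the BAI extension or from any commenter: the highlighter captures the built-in at load time and calls it through that reference, and a check reports when the prototype no longer matches. The address pattern, the function names and the sample address are assumptions made for this illustration.

```javascript
// Captured at load time, before any later script or dependency can swap them.
const pristineReplace = String.prototype.replace;
const reflectApply = Reflect.apply;

// Simplified address pattern, assumed for this example (not the extension's regex).
const ADDRESS_RE = /\b(?:bc1[a-z0-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b/g;

const wrap = (match) => '<mark>' + match + '</mark>';

// Naive: resolves .replace through the prototype at call time.
function highlightNaive(text) {
  return text.replace(ADDRESS_RE, wrap);
}

// Hardened: calls the captured function, so a later patch is never consulted.
function highlightHardened(text) {
  return reflectApply(pristineReplace, text, [ADDRESS_RE, wrap]);
}

// Detection: list built-ins that no longer match the captured reference.
function tamperedBuiltins() {
  const found = [];
  if (String.prototype.replace !== pristineReplace) {
    found.push('String.prototype.replace');
  }
  return found;
}

// Runs fn with the patch from the thread installed, then restores the prototype.
function withThreadPatch(fn) {
  String.prototype.replace = function (pattern, cb) {
    return reflectApply(pristineReplace, this, [pattern, () => cb('lulz')]);
  };
  try {
    return fn();
  } finally {
    String.prototype.replace = pristineReplace;
  }
}

// Constructed sample: address-shaped string, not a checksum-valid address.
const SAMPLE_ADDR = '1' + 'B'.repeat(33);
const SAMPLE = 'Send to ' + SAMPLE_ADDR + ' today';
```

The capture only helps when this module is evaluated before the tampering code; a dependency that loads first can patch the prototype before the reference is taken, so the advice in the thread about dependencies and reviewing every pull request still applies.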
It makes total sense. Well, it is a small extension I built and I trust there's no malicious code. Either way I'm just using it to check other people's addresses. Your feedback on the idea and what other info could be shown will be appreciated.
reply
21 sats \ 1 reply \ @optimism 7h
Sorry to be negative. My feedback is: don't use extensions.
If you really want to pursue it - you probably will, I get it - please make sure you don't add any external dependencies and don't accept any pull requests where you don't know what every character in the new code does.
reply
Thank you, I definitely will! I much appreciate your feedback.
Looks good 👍 solid effort.
What's the reason for extension and not a standalone app? Server requirements etc I'm guessing
reply
Thanks.
Not sure what you mean by "server requirements". The motivation came mostly because I was tired of having to:
  • open a new tab
  • go to any blockchain info website
  • search for the bitcoin address
  • check data related to it
So the extension allows checking all this data with a simple right-click. Ideally I wanted it working with a simple mouse-over... JS is not my thingy!
reply
I don't know what I mean either, don't worry 🤣
Very handy bit of kit 👌
reply