Cybersecurity researchers have flagged several popular Google Chrome extensions known to send data over HTTP and send hardcode secrets in code, putting users at privacy and security risks.
“Some widely used extensions (…) unintentionally send sensitive data over simple HTTP,” said Yuanjing Guo, security researcher with Symantec’s security technology and response team. “In doing so, you can publish your browsing domain, machine ID, operating system details, usage analysis, and even information in plain text.”
The fact that network traffic is not encrypted means they are susceptible to intermediate (AITM) attacks, allowing malicious actors on the same network, such as public Wi-Fi, to intercept and, worse still, to modify this data.
A list of identified extensions can be found below –
- Semrush rank (Extension ID: idbhoeaiokcojcgappfigpifhpkjgmab) and pi rank (id: ccgdboldgdlngcgfdolahmiilojmfndl).
- browsec vpn (id:omghfjlpggmjjaagoclmmobgdodcjboh) uses http to invoke the uninstall URL at “browsec-uninstall.s3-website.eu-central-1.amazonaws(.)com” when the user tries to extend the extension.
- MSN New Tab (ID: LKLFBKDIGIHJAAEAMNCIBECHHGALLDGL) and MSN HomePage, Bing Search & News (ID: Midiombanaceofjhodpdibeppmnamfcj).
- Dualsafe Password Manager & Digital Vault (ID: LGBJHDKJMPGJGCBCDLHKOKKKPJMEDGC). It constructs an HTTP-based URL request for “stats.itopupdate(.)com” along with information about the extended version, the user’s browser language, and usage “type”.
“While the credentials and passwords don’t appear to be leaked, the fact that the password manager uses unencrypted requests for telemetry erodes trust with an overall security attitude,” Guo said.
Symantec also identified another extension using API keys, secrets and tokens embedded directly in JavaScript code.
- Online Security and Privacy Extension (ID: gomekmidlodglbbbmalcneegiecbdmki), AVG Online Security (ID: nbmoafcmbajniiapeidgficgifbfmjfo), Speed Dial (FVD) – New Tab Page, 3D, Sync Tool (ID: LNBMBGOCENENHHHHDOJDIELGNMEFLBNFB), Hardcoded Google Analytics 4 (GA4) API Secrets that can be used by attackers to attack GA4 endpoints and corrupted metrics
- equitio – Mathematics has become digital (ID: HJNGOLEFDPDNOOAMGDLDLKJGMDCMCJNC) embeds Microsoft Azure API keys used for speech recognition that can be used by attackers to inflate developer costs or exhaust usage restrictions
- Amazing screen recorder and screenshots Scroll through (ID: NLIPOENFBBIKPBJKFPFILLCGKOBLGPMJ) and Screenshot Tools and Screen Capture (ID: MFPIAEHGJBBBFEDNOOIHADALHEHEHAHCJO).
- Microsoft Editor – Spell & Glamour Checker (ID: GPAIOBKFHNONEDKHHFJPMHDALGEOEBFA), a telemetry key named “StatSapikey” is published to record user data for analysis.
- Antidote Connector (ID: LMBOPDIIKKAMFHGCCKCKCJHOJNOKGFEO). It incorporates a third-party library called the InboxSDK, which contains hard-coded credentials that include API keys.
- watch2gether (ID: CIMPFFIMGEIPDHNHJOHJOHPBEHJKCDPJOLG), this exposes the tenor gif search API key
- Trust Wallet (ID: egjidjbpglichdcondbcbdnbeeppgdph). It exposes wallet developers an API key associated with the RAMP network, a web3 platform that allows users to buy and sell Crypto directly from the app.
- TravelArrow – Virtual Travel Agent (ID: COPLMFNPHAHPCKNBCHEHDIKBDIEONN).
Attackers who end up finding these keys can equip them with weapons to reduce API costs, host illegal content, send spoofed telemetry data, and mimic cryptocurrency trading orders.
In addition to concerns, the Antidote Connector is just one of over 90 extensions that use the InboxSDK. This means that other extensions are more susceptible to the same problem. The names of other extensions have not been disclosed by Symantec.
“From Ga4 Analytics secrets to Azure Speech Keys and AWS S3 credentials to Google-specific tokens, each of these snippets demonstrates how a few lines of code can put an entire service at risk,” says Guo. “Solution: Do not store client-side sensitive credentials.”
Developers recommend switching to HTTPS every time they send or receive data, and using Credential Management Services to securely store credentials on the backend server, rotating secrets regularly to further minimize risk.
The findings show how even popular extensions with hundreds of thousands of installations suffer from minor misunderstandings and security failures like hardcoded credentials, putting user data at risk.
“Users of these extensions should consider removing them until the developer deals with unstable (HTTP) calls,” the company said. “The risk is not theoretical. Unencrypted traffic can be easily captured and data can be used for profiling, phishing or other targeted attacks.”
“The comprehensive lesson is that large install bases or well-known brands don’t necessarily guarantee best practices regarding encryption. You need to scrutinize your extensions for the protocols and shared data you use to ensure that your information remains truly secure.”
