Cyber Web Spider Blog – News

Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hardcoded Credentials

Posted on June 5, 2025 by CWS

Jun 05, 2025Ravie LakshmananBrowser Safety / On-line Security

Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data over HTTP and hard-code secrets in their code, exposing users to privacy and security risks.

“A number of broadly used extensions […] unintentionally transmit sensitive data over simple HTTP,” Yuanjing Guo, a security researcher in Symantec’s Security Technology and Response team, said. “By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information, in plaintext.”

The fact that the network traffic is unencrypted also means that they are susceptible to adversary-in-the-middle (AitM) attacks, allowing malicious actors on the same network, such as a public Wi-Fi, to intercept and, even worse, modify this data, which could lead to far more serious consequences.

The identified extensions are listed below:

  • SEMRush Rank (extension ID: idbhoeaiokcojcgappfigpifhpkjgmab) and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl), which call the URL “rank.trellian[.]com” over plain HTTP

  • Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh), which uses HTTP to call an uninstall URL at “browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com” when a user attempts to uninstall the extension

  • MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl) and MSN Homepage, Bing Search & News (ID: midiombanaceofjhodpdibeppmnamfcj), which transmit a unique machine identifier and other details over HTTP to “g.ceipmsn[.]com”

  • DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc), which constructs an HTTP-based URL request to “stats.itopupdate[.]com” along with information about the extension version, user’s browser language, and usage “type”

“Although credentials or passwords do not appear to be leaked, the fact that a password manager uses unencrypted requests for telemetry erodes trust in its overall security posture,” Guo said.

Symantec said it also identified another set of extensions with API keys, secrets, and tokens directly embedded in the JavaScript code, which an attacker could weaponize to craft malicious requests and carry out various malicious actions:

  • Online Security & Privacy extension (ID: gomekmidlodglbbmalcneegieacbdmki), AVG Online Security (ID: nbmoafcmbajniiapeidgficgifbfmjfo), Speed Dial [FVD] – New Tab Page, 3D, Sync (ID: llaficoajjainaijghjlofdfmbjpebpa), and SellerSprite – Amazon Research Tool (ID: lnbmbgocenenhhhdojdielgnmeflbnfb), which expose a hard-coded Google Analytics 4 (GA4) API secret that an attacker could use to bombard the GA4 endpoint and corrupt metrics

  • Equatio – Math Made Digital (ID: hjngolefdpdnooamgdldlkjgmdcmcjnc), which embeds a Microsoft Azure API key used for speech recognition that an attacker could use to inflate the developer’s costs or exhaust their usage limits

  • Awesome Screen Recorder & Screenshot (ID: nlipoenfbbikpbjkfpfillcgkoblgpmj) and Scrolling Screenshot Tool & Screen Capture (ID: mfpiaehgjbbfednooihadalhehabhcjo), which expose the developer’s Amazon Web Services (AWS) access key used to upload screenshots to the developer’s S3 bucket

  • Microsoft Editor – Spelling & Grammar Checker (ID: gpaiobkfhnonedkhhfjpmhdalgeoebfa), which exposes a telemetry key named “StatsApiKey” to log user data for analytics

  • Antidote Connector (ID: lmbopdiikkamfphhgcckcjhojnokgfeo), which incorporates a third-party library called InboxSDK that contains hard-coded credentials, including API keys

  • Watch2Gether (ID: cimpffimgeipdhnhjohpbehjkcdpjolg), which exposes a Tenor GIF search API key

  • Trust Wallet (ID: egjidjbpglichdcondbcbdnbeeppgdph), which exposes an API key associated with the Ramp Network, a Web3 platform that offers wallet developers a way to let users buy or sell crypto directly from the app

  • TravelArrow – Your Virtual Travel Agent (ID: coplmfnphahpcknbchcehdikbdieognn), which exposes a geolocation API key when making queries to “ip-api[.]com”

Attackers who end up finding these keys could weaponize them to drive up API costs, host illegal content, send spoofed telemetry data, and mimic cryptocurrency transaction orders, some of which could see the developer getting banned.

Adding to the concern, Antidote Connector is just one of over 90 extensions that use InboxSDK, meaning the other extensions are susceptible to the same problem. The names of the other extensions were not disclosed by Symantec.

“From GA4 analytics secrets to Azure speech keys, and from AWS S3 credentials to Google-specific tokens, each of these snippets demonstrates how a few lines of code can jeopardize an entire service,” Guo said. “The solution: never store sensitive credentials on the client side.”

Developers are advised to switch to HTTPS whenever they send or receive data, store credentials securely in a backend server using a credentials management service, and regularly rotate secrets to further minimize risk.
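One way a developer could check an unpacked extension for both problem classes before publishing, as an added example that is not from the article or from Symantec's research. The rule set, the `auditExtension` function and the sample files are constructed for illustration, and the patterns are heuristics rather than a complete secret scanner.

```javascript
// Pre-publish audit for an unpacked extension: flags cleartext http:// endpoints
// and credential-shaped string literals. Rules and sample input are constructed.
const RULES = [
  { id: "cleartext-url", secret: false, re: /\bhttp:\/\/[^\s"'`<>)]+/g },
  { id: "aws-access-key-id", secret: true, re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  // A name containing key/secret/token assigned a quoted literal of 16+ chars.
  { id: "named-secret", secret: true,
    re: /(?:api[_-]?key|api[_-]?secret|secret|token)\w*["']?\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/gi },
];

// http:// strings that are namespace identifiers or loopback, not remote calls.
const BENIGN_URL = /^http:\/\/(?:www\.w3\.org\/|localhost\b|127\.0\.0\.1\b)/;

// Never echo a full secret into CI logs: keep a short prefix and the length.
const redact = (s) => `${s.slice(0, 4)}...(${s.length} chars)`;

// files: object mapping a relative path to that file's text content.
function auditExtension(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const rule of RULES) {
        for (const m of line.matchAll(rule.re)) {
          if (rule.id === "cleartext-url" && BENIGN_URL.test(m[0])) continue;
          const value = m[1] ?? m[0]; // captured literal if the rule has one
          findings.push({ file, line: i + 1, rule: rule.id,
            match: rule.secret ? redact(value) : value });
        }
      }
    });
  }
  return findings;
}

// Constructed sample: two files of a hypothetical extension.
const SAMPLE = {
  "background.js": [
    'const SVG_NS = "http://www.w3.org/2000/svg";',
    'fetch("http://stats.example.test/ping?id=" + machineId);',
    'const apiSecret = "c0nstructedSecretValue123";',
    'const s3 = { accessKeyId: "AKIAEXAMPLEEXAMPLE00" };',
  ].join("\n"),
  "content.js": 'fetch("https://api.example.test/v1/rank");',
};

console.table(auditExtension(SAMPLE));
```

Any hit from the secret rules means the value should move behind a backend endpoint and be rotated, since a key that shipped in a published build has to be treated as exposed.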

The findings show how even popular extensions with hundreds of thousands of installations can suffer from trivial misconfigurations and security blunders like hard-coded credentials, leaving users’ data at risk.

“Users of these extensions should consider removing them until the developers address the insecure [HTTP] calls,” the company said. “The risk is not just theoretical; unencrypted traffic is easy to capture, and the data can be used for profiling, phishing, or other targeted attacks.”

“The overarching lesson is that a large install base or a well-known brand does not necessarily ensure best practices around encryption. Extensions should be scrutinized for the protocols they use and the data they share, to ensure users’ information remains truly safe.”
