Popular Chrome Extensions Found Exposing User Data Through Insecure HTTP and Hard-Coded Secrets
Cybersecurity researchers from Symantec have uncovered several popular Google Chrome extensions that expose users to security and privacy risks due to insecure data transmission practices and poor credential management.

These extensions, some with hundreds of thousands of downloads, were found transmitting sensitive information over HTTP and embedding hard-coded API secrets directly into their code — making them vulnerable to data interception and abuse.
Insecure Data Transmission Over HTTP
Several extensions were discovered sending telemetry data over unencrypted HTTP, exposing it to potential interception in adversary-in-the-middle (AitM) attacks, especially on public networks.
Key extensions include:
SEMRush Rank and PI Rank – Send requests to rank.trellian[.]com over HTTP.
Browsec VPN – Calls an uninstall URL hosted at Amazon S3 over HTTP.
MSN New Tab and MSN Homepage, Bing Search & News – Transmit machine IDs and system data to g.ceipmsn[.]com over HTTP.
DualSafe Password Manager – Sends extension version and usage data to stats.itopupdate[.]com via HTTP.
While no passwords or credentials were exposed, Symantec warns that any plaintext transmission weakens trust, especially for tools like password managers.
Hard-Coded Secrets in Extension Code
More concerningly, Symantec found numerous extensions embedding sensitive keys in their JavaScript code, potentially giving attackers free rein over third-party services:
Analytics API Secrets: Extensions like Online Security & Privacy and AVG Online Security contain Google Analytics 4 (GA4) secrets.
Cloud Service Keys: Equatio exposes a Microsoft Azure speech key, and screen recorder extensions leak AWS S3 credentials.
Cryptocurrency APIs: Trust Wallet reveals a Ramp Network crypto API key.
Geolocation and Search Services: TravelArrow exposes a geolocation API key, and Watch2Gether leaks a Tenor GIF API key.
Notably, Antidote Connector and more than 90 other extensions use a third-party library, InboxSDK, which includes hard-coded API credentials, further compounding the risk.
Why This Matters
Exposed API keys can be exploited by attackers to:
Send spoofed telemetry
Inflate cloud hosting bills
Host malicious content
Execute unauthorized actions (e.g., simulate crypto transactions)
This not only impacts end users but can also disrupt services and damage reputations of the extension developers.
Recommendations
For Developers:
Use HTTPS for all network communications
Store secrets securely on backend servers
Regularly rotate API keys and monitor usage
For Users:
Review and remove extensions that transmit data over HTTP
Be wary of extensions that request excessive permissions
Stay informed about updates or advisories from trusted cybersecurity firms
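The two issue classes above (plaintext HTTP endpoints and secrets embedded in extension JavaScript) can both be caught by a simple static check before an extension ships or is installed. The following is an added example, not code from the article, from Symantec, or from any extension named here; the secret patterns are assumptions about what such keys look like, and the sample files are constructed.

```javascript
// Added example, not code from the article or from Symantec: flags plaintext
// http:// endpoints and hard-coded third-party secrets in extension source.
const HTTP_URL = /\bhttp:\/\/[^\s"'`)]+/g;
// Dev-only loopback targets are not a transport risk on the network; skip them.
const LOOPBACK = /^http:\/\/(localhost|127\.0\.0\.1)(?=[:/]|$)/;
// Assumed shapes of the secrets the article names; not a complete detector.
const SECRET_PATTERNS = [
  // GA4 Measurement Protocol sends the secret as an api_secret query parameter.
  { kind: "ga4-api-secret", re: /[?&]api_secret=([A-Za-z0-9_-]{8,})/g },
  // Long-lived AWS access key IDs start with AKIA.
  { kind: "aws-access-key-id", re: /\b(AKIA[0-9A-Z]{16})\b/g },
  // Azure Cognitive Services (including Speech) key header with a literal value.
  { kind: "azure-subscription-key",
    re: /Ocp-Apim-Subscription-Key["']?\s*[:=]\s*["']([0-9a-f]{32})["']/gi },
];

// Keep only a prefix so the finding itself does not leak the secret.
const redact = (s) => s.slice(0, 4) + "..." + "*".repeat(Math.max(0, s.length - 4));

// files: { "path/in/extension.js": "source text" } -> array of findings.
function scanExtensionSource(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      for (const m of line.matchAll(HTTP_URL)) {
        if (LOOPBACK.test(m[0])) continue;
        findings.push({ path, line: i + 1, kind: "plaintext-http", value: m[0] });
      }
      for (const { kind, re } of SECRET_PATTERNS) {
        for (const m of line.matchAll(re)) {
          findings.push({ path, line: i + 1, kind, value: redact(m[1]) });
        }
      }
    });
  }
  return findings;
}

// Constructed sample resembling the reported patterns; not real extension code.
const SAMPLE_FILES = {
  "background.js": [
    'const STATS = "http://stats.example.invalid/ping";',
    'fetch("https://www.google-analytics.com/mp/collect?measurement_id=G-XXXXXXX&api_secret=abcDEF1234567");',
    'const headers = { "Ocp-Apim-Subscription-Key": "0123456789abcdef0123456789abcdef" };',
    'const DEV = "http://localhost:8080/debug";',
  ].join("\n"),
  "content.js": 'fetch("https://api.example.invalid/v1/items");',
};
console.log(scanExtensionSource(SAMPLE_FILES));
```

Run it over an unpacked extension directory (reading each .js file into the `files` object) to get a per-line list of endpoints to move to HTTPS and secrets to move behind a backend.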
Final Thoughts
This incident serves as a reminder that a large install base doesn’t guarantee secure development practices. Chrome extensions should be held to the same rigorous standards as any other software—especially when they handle sensitive user data.