Cybersecurity researchers have raised concerns about several widely used Google Chrome extensions that transmit data using unencrypted HTTP and include hard-coded secrets in their code, potentially exposing users to serious privacy and security risks.
According to Yuanjing Guo, a security researcher on Symantec's Security Technology and Response team, "Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP. By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information, in plaintext."
Because the network traffic is not encrypted, it becomes vulnerable to adversary-in-the-middle (AitM) attacks. Malicious actors sharing the same network, such as a public Wi-Fi, could intercept or even alter this data, potentially leading to more serious consequences. The extensions identified include:
- SEMRush Rank (ID: idbhoeaiokcojcgappfigpifhpkjgmab) and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl), which connect to rank.trellian[.]com using plain HTTP
- Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh), which uses HTTP to reach an uninstall URL at browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com
- MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl) and MSN Homepage, Bing Search & News (ID: midiombanaceofjhodpdibeppmnamfcj), which send unique machine identifiers and other details via HTTP to g.ceipmsn[.]com
- DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc), which makes HTTP requests to stats.itopupdate[.]com containing extension version, browser language, and usage data
While no credentials or passwords appear to have been leaked, Guo noted that using unencrypted telemetry in a password manager undermines trust in its security.
Symantec also discovered another group of extensions with API keys, secrets, and tokens embedded in the JavaScript code. This allows attackers to forge malicious requests and perform unauthorized actions. Examples include:
- Online Security & Privacy (ID: gomekmidlodglbbmalcneegieacbdmki), AVG Online Security (ID: nbmoafcmbajniiapeidgficgifbfmjfo), Speed Dial [FVD] – New Tab Page, 3D, Sync (ID: llaficoajjainaijghjlofdfmbjpebpa), and SellerSprite – Amazon Research Tool (ID: lnbmbgocenenhhhdojdielgnmeflbnfb), which contain a Google Analytics 4 (GA4) API secret
- Equatio – Math Made Digital (ID: hjngolefdpdnooamgdldlkjgmdcmcjnc), which contains a Microsoft Azure API key for speech recognition
- Awesome Screen Recorder & Screenshot (ID: nlipoenfbbikpbjkfpfillcgkoblgpmj) and Scrolling Screenshot Tool & Screen Capture (ID: mfpiaehgjbbfednooihadalhehabhcjo), which expose AWS access keys used to upload screenshots
- Microsoft Editor – Spelling & Grammar Checker (ID: gpaiobkfhnonedkhhfjpmhdalgeoebfa), which includes a telemetry key labeled "StatsApiKey"
- Antidote Connector (ID: lmbopdiikkamfphhgcckcjhojnokgfeo), which uses the InboxSDK library containing hard-coded credentials
- Watch2Gether (ID: cimpffimgeipdhnhjohpbehjkcdpjolg), which reveals a Tenor GIF search API key
- Trust Wallet (ID: egjidjbpglichdcondbcbdnbeeppgdph), which leaks an API key tied to the Ramp Network platform
- TravelArrow – Your Virtual Travel Agent (ID: coplmfnphahpcknbchcehdikbdieognn), which exposes a geolocation API key for ip-api[.]com
Attackers could exploit these keys to inflate API usage costs, host illegal content, spoof telemetry data, or impersonate cryptocurrency transactions, any of which might lead to the developer's account being suspended.
Symantec highlighted that Antidote Connector is only one of over 90 extensions using InboxSDK, suggesting many others may have similar vulnerabilities. The company did not provide a full list of those affected. Guo emphasized, “From GA4 analytics secrets to Azure speech keys, and from AWS S3 credentials to Google-specific tokens, each of these snippets demonstrates how a few lines of code can jeopardize an entire service. The solution is to never store sensitive credentials on the client side.”
Developers are advised to always use HTTPS when transmitting data, store credentials securely on backend servers using a credential management service, and rotate secrets regularly to minimize risks.
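As an added example (not code from Symantec or from any extension named above), the following Node.js triage scanner checks an unpacked extension's JavaScript for the two problem classes described: endpoints reached over plain HTTP and credential shapes hard-coded into the bundle. The sample sources, the `.invalid` hostnames and every key value in it are constructed placeholders.

```javascript
// Added example: a first-pass scanner for the two mistakes the article describes.
// Regex hits are leads, not verdicts; review each one, and beautify minified bundles first.

// Any URL literal using http:// (https:// does not match because "s" follows "http").
const PLAIN_HTTP_URL = /\bhttp:\/\/[^\s'"`)]+/g;

// Secret shapes mentioned in the article; only the shape is encoded here.
const SECRET_PATTERNS = [
  { name: 'GA4 Measurement Protocol api_secret', re: /api_secret\s*[=:]\s*['"]?([A-Za-z0-9_-]{10,})/g },
  { name: 'AWS access key ID', re: /\b(AKIA|ASIA)[A-Z0-9]{16}\b/g },
  { name: 'AWS secret access key assignment', re: /secretAccessKey\s*[:=]\s*['"]([A-Za-z0-9\/+=]{40})['"]/g },
  { name: 'API key / token literal (incl. StatsApiKey)', re: /\b(api[_-]?key|token|StatsApiKey)\s*[:=]\s*['"]([A-Za-z0-9_-]{16,})['"]/gi },
];

// Returns one finding per match: { kind, detail, snippet }.
function auditExtensionSource(source) {
  const findings = [];
  for (const m of source.matchAll(PLAIN_HTTP_URL)) {
    findings.push({ kind: 'plain-http', detail: 'unencrypted endpoint', snippet: m[0] });
  }
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of source.matchAll(re)) {
      findings.push({ kind: 'hardcoded-secret', detail: name, snippet: m[0] });
    }
  }
  return findings;
}

// Counts findings by kind, e.g. { 'plain-http': 1, 'hardcoded-secret': 4 }.
function summarize(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.kind]: (acc[f.kind] || 0) + 1 }), {});
}

// Constructed sample mirroring the reported mistakes; every value is a placeholder.
const SAMPLE_BACKGROUND_JS = `
const GA4 = 'https://www.google-analytics.com/mp/collect?measurement_id=G-EXAMPLE1&api_secret=EXAMPLEsecret_123456';
const s3 = { accessKeyId: 'AKIAEXAMPLEKEY000001', secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY' };
const telemetry = { StatsApiKey: 'exampleTelemetryKey0001' };
fetch('http://stats.example.invalid/ping?v=' + chrome.runtime.getManifest().version);
`;

// Constructed hardened counterpart: HTTPS only, and the secret stays on a backend relay.
const CLEAN_BACKGROUND_JS = `
fetch('https://relay.example.invalid/ga4', { method: 'POST', body: JSON.stringify({ event: 'install' }) });
`;

console.log(summarize(auditExtensionSource(SAMPLE_BACKGROUND_JS))); // { 'plain-http': 1, 'hardcoded-secret': 4 }
console.log(summarize(auditExtensionSource(CLEAN_BACKGROUND_JS)));  // {}
```

Point `auditExtensionSource` at each file under the unpacked extension directory (for example by reading them with `fs.readFileSync`) to audit a real bundle.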
This incident illustrates how even popular extensions with hundreds of thousands of users can suffer from basic misconfigurations and security oversights, placing user data in jeopardy.
Symantec advises users to remove these extensions until the developers address the insecure HTTP calls. The company warned that the risks are very real since unencrypted traffic is easy to capture and could be exploited for profiling, phishing, or targeted attacks.
The broader takeaway is that a large user base or a well-known name does not guarantee strong security practices. Users and developers alike should carefully evaluate the protocols and data handling methods used by browser extensions to ensure that sensitive information remains protected.