Cybersecurity researchers have flagged several popular Google Chrome extensions that transmit sensitive user data over unencrypted plain HTTP connections. These widely used extensions unintentionally expose browsing domains, unique machine IDs, operating system details, usage analytics, and even uninstall information. The absence of encryption leaves this traffic open to adversary-in-the-middle attacks: anyone positioned on the network path, such as an attacker on the same public Wi-Fi network, can read the data and could also modify it in transit, with potentially far more serious consequences. Affected extensions include SEMRush Rank, Browsec VPN, MSN New Tab, and even the DualSafe Password Manager, a finding that erodes overall user trust.
Symantec’s security response team also identified another significant set of extensions that contain various hard-coded secrets directly within their JavaScript code.
These embedded secrets include API keys and other sensitive tokens that an attacker could weaponize for their own benefit. For example, the popular extensions AVG Online Security and SellerSprite were found to expose a hard-coded Google Analytics 4 API secret. Another extension, Equatio, embeds a Microsoft Azure API key used for its speech recognition features, which could be abused. Even extensions from Microsoft and popular wallets such as Trust Wallet were found to expose API keys in their code.
Attackers who find these hard-coded keys could use them to rapidly drive up API costs for the developers.
They could also host illegal content under the compromised keys or send spoofed telemetry to corrupt analytics. In some cases, abuse of a key could even get the legitimate developer's account banned from essential third-party services. Adding to the concern, the Antidote Connector extension is only one of more than ninety extensions that use the vulnerable InboxSDK library, which means many other browser extensions are susceptible to exactly the same hard-coded credential exposure.
These findings show that even popular extensions with huge user bases can suffer from trivial misconfigurations and blunders. Researchers recommend that developers switch to HTTPS whenever they send or receive sensitive user data, keep credentials on a backend server rather than inside the extension, and rotate all secrets regularly to limit the damage if one leaks. Users of the identified extensions should consider removing them from their browsers until the developers fix the insecure HTTP calls. A large install base or a well-known brand is no guarantee that the developer follows best security practices.
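As an added illustration of the two defects described above (this script is added here and is not part of the original report or of any named extension's code): a small triage scanner that walks an unpacked extension's JavaScript and flags literal plaintext http:// endpoints and the shapes of the embedded secrets mentioned, the GA4 api_secret query parameter and an Azure subscription key header. The sample sources, hostnames and key values are constructed, and the secret patterns are assumed shapes meant for triage rather than proof.

```python
import re
from pathlib import Path

# Constructed sample sources standing in for an unpacked extension (not real code).
SAMPLE_FILES = {
    "background.js": (
        'const GA = "https://www.google-analytics.com/mp/collect'
        '?measurement_id=G-SAMPLE1&api_secret=AbCdEfGhIjKlMnOp";\n'
        'fetch("http://telemetry.example.test/install?mid=" + machineId);\n'
    ),
    "speech.js": (
        'const headers = {"Ocp-Apim-Subscription-Key": '
        '"0123456789abcdef0123456789abcdef"};\n'
        'fetch("https://api.example.test/speech", {headers});\n'
    ),
}

# Any literal http:// endpoint means data may leave the browser unencrypted.
HTTP_URL = re.compile(r"\bhttp://[^\s'\"`)]+")

# Assumed shapes for the kinds of embedded secrets described above; treat hits
# as leads for manual review, not as confirmed findings.
SECRET_PATTERNS = {
    "ga4_api_secret": re.compile(r"api_secret=([A-Za-z0-9_-]{10,})"),
    "azure_subscription_key": re.compile(
        r"Ocp-Apim-Subscription-Key\"?\s*:\s*\"([0-9a-f]{32})\""),
}

def scan_source(name, text):
    """Return (file, issue, evidence) tuples; secret values are masked to a prefix."""
    findings = [(name, "plaintext_http", m.group(0))
                for m in HTTP_URL.finditer(text)]
    for label, pat in SECRET_PATTERNS.items():
        findings += [(name, label, m.group(1)[:4] + "...")
                     for m in pat.finditer(text)]
    return findings

def scan_extension(files):
    """files: mapping of relative path -> JS source. Returns all findings."""
    return [f for name, text in sorted(files.items()) for f in scan_source(name, text)]

def scan_unpacked_dir(root):
    """Scan every .js file under an unpacked extension directory on disk."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="ignore")
             for p in root.rglob("*.js")}
    return scan_extension(files)

if __name__ == "__main__":
    for finding in scan_extension(SAMPLE_FILES):
        print(*finding)
```

Run it against a real unpacked extension with scan_unpacked_dir("path/to/extension") and review each hit by hand; https:// URLs and non-secret strings are deliberately not reported.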