Popular Chrome Extensions Expose User Data Through Insecure Communications and Embedded Secrets
Security analysts have discovered significant vulnerabilities in numerous widely-used Google Chrome browser extensions that compromise user privacy through unencrypted data transmission and exposed authentication credentials embedded within their source code.

Yuanjing Guo, a researcher on Symantec's Security Technology and Response team, revealed that multiple high-profile extensions inadvertently send sensitive information over unprotected HTTP connections rather than encrypted HTTPS. This practice exposes user data in readable plaintext, including website domains visited, device identifiers, system specifications, usage statistics, and software removal activities.
The use of unencrypted communication channels creates additional security vulnerabilities, particularly susceptibility to man-in-the-middle interception attacks. Malicious actors operating on shared networks, such as public wireless hotspots, can easily capture and potentially manipulate this transmitted data, leading to more severe security compromises.
Extensions Transmitting Data Insecurely
Several prominent extensions were identified as transmitting sensitive information without encryption:
SEMRush Rank and PI Rank extensions communicate with "rank.trellian[.]com" using unsecured HTTP connections for ranking data requests.
Browsec VPN employs HTTP when contacting an uninstallation tracking URL hosted on Amazon's AWS infrastructure whenever users attempt to remove the extension.
MSN New Tab and MSN Homepage, Bing Search & News extensions send unique device identifiers and system information through HTTP to Microsoft's telemetry servers at "g.ceipmsn[.]com".
DualSafe Password Manager & Digital Vault creates HTTP-based requests to "stats.itopupdate[.]com" containing extension version details, browser language preferences, and usage pattern information.
Guo emphasized particular concern regarding the password manager's security practices, noting that while actual credentials don't appear compromised, the use of unencrypted telemetry communications undermines confidence in the application's overall security architecture.
Hard-Coded Credentials Discovered
Beyond unencrypted communications, researchers uncovered another category of security flaws involving authentication secrets directly embedded within extension JavaScript code, creating opportunities for malicious exploitation:
Online Security & Privacy, AVG Online Security, Speed Dial [FVD], and SellerSprite extensions contain exposed Google Analytics 4 API secrets that attackers could exploit to corrupt analytics data through request flooding.
Equatio – Math Made Digital embeds a Microsoft Azure API key for speech recognition services, potentially allowing attackers to generate excessive charges or exhaust usage quotas.
Awesome Screen Recorder and Scrolling Screenshot Tool expose Amazon Web Services access credentials used for uploading captured images to developer storage buckets.
Microsoft Editor contains an exposed telemetry key labeled "StatsApiKey" used for collecting user analytics data.
Antidote Connector incorporates the InboxSDK third-party library containing hard-coded authentication credentials and API keys.
Watch2Gether exposes a Tenor GIF search API key within its code structure.
Trust Wallet contains exposed API credentials for Ramp Network, a cryptocurrency platform enabling direct wallet transactions.
TravelArrow exposes geolocation API keys when querying "ip-api[.]com" for location services.
Widespread Impact and Recommendations
The discovery of embedded credentials in Antidote Connector raises broader concerns, as over 90 extensions utilize the same InboxSDK library, potentially inheriting identical vulnerabilities. Symantec has not disclosed the complete list of affected extensions.
Attackers discovering these exposed credentials could exploit them for various malicious purposes including inflating API usage costs, hosting prohibited content, transmitting fraudulent telemetry information, and creating fake cryptocurrency transactions, potentially resulting in developer account suspensions.
Security experts recommend immediate implementation of several protective measures: transitioning all data communications to HTTPS encryption, storing authentication credentials securely on backend servers using dedicated credential management systems, and implementing regular credential rotation policies to minimize exposure risks.
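Both flaw classes described above can be checked for in an extension's own source before release. The following is an added example, not code from Symantec's research or from any of the named extensions: a small Node.js audit that flags plaintext http:// endpoints and secret-shaped literals. The rule patterns, hostnames and key values are constructed placeholders and assumptions.

```javascript
// Added example: audit extension source for plaintext HTTP endpoints and
// embedded secrets. Rule patterns and sample input are illustrative.
const SECRET_RULES = [
  // AWS access key IDs: "AKIA" followed by 16 uppercase letters or digits.
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // GA4 Measurement Protocol passes its secret as an api_secret query parameter.
  { name: "ga4-api-secret", re: /api_secret=[A-Za-z0-9_-]{8,}/g },
  // A key/secret/token-named property assigned a long string literal.
  { name: "named-key-literal",
    re: /\b\w*(?:api_?key|secret|token)\w*["']?\s*[:=]\s*["'][A-Za-z0-9_-]{16,}["']/gi },
];
const HTTP_URL = /http:\/\/([a-z0-9.-]+)[^\s"'`)]*/gi;
// Hosts that are not real network egress (loopback, XML namespace URIs).
const IGNORED_HOSTS = new Set(["localhost", "127.0.0.1", "www.w3.org"]);

function auditSource(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split("\n").forEach((src, i) => {
      const line = i + 1;
      for (const m of src.matchAll(HTTP_URL)) {
        if (!IGNORED_HOSTS.has(m[1].toLowerCase()))
          findings.push({ file, line, rule: "plaintext-http", match: m[0] });
      }
      for (const { name, re } of SECRET_RULES) {
        for (const m of src.matchAll(re)) {
          // Keep only a 4-character prefix so the report does not leak the value.
          findings.push({ file, line, rule: name, match: m[0].slice(0, 4) + "[redacted]" });
        }
      }
    });
  }
  return findings;
}

// Constructed sample input: hosts and key values are placeholders.
const SAMPLE = {
  "background.js": [
    'fetch("http://stats.example.test/ping?ver=1.2&lang=en");',
    'const cfg = { StatsApiKey: "PLACEHOLDER0123456789abcd" };',
    'const svgNs = "http://www.w3.org/2000/svg";',
    'fetch("https://ga.example.test/mp?measurement_id=G-TEST&api_secret=PLACEHOLDERsecret");',
  ].join("\n"),
  "upload.js": 'const accessKeyId = "AKIAEXAMPLEEXAMPLE00";',
};

for (const f of auditSource(SAMPLE)) console.log(`${f.file}:${f.line} ${f.rule} ${f.match}`);
```

A finding from the secret rules means the value should move to a backend service and be rotated, since anything shipped in extension JavaScript is readable by every installer.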
The research highlights how even extensions with substantial user bases can contain fundamental security misconfigurations and credential management failures, directly endangering user privacy and security.
Symantec advises users to consider removing affected extensions until developers implement proper security measures for HTTP communications. The company emphasizes that the identified risks extend beyond theoretical concerns, as unencrypted network traffic can be easily intercepted and exploited for user profiling, phishing campaigns, and targeted attack strategies.
The findings underscore that popularity and brand recognition do not guarantee adherence to security best practices, emphasizing the importance of thorough security evaluation for all browser extensions regardless of their market presence or developer reputation.