Critical Vulnerabilities in Widely Used Chrome Extensions: Exposing API Keys and User Data Through HTTP and Hardcoded Credentials

Cybersecurity researchers have identified multiple popular Google Chrome extensions that transmit data using HTTP and contain hard-coded secrets within their code, thereby exposing users to significant privacy and security vulnerabilities.

Yuanjing Guo, a researcher from Symantec’s Security Technology and Response team, noted that several widely used extensions unintentionally transmit sensitive data over unencrypted HTTP. This exposure includes browsing domains, machine IDs, operating system details, usage analytics, and even uninstallation information in plaintext.

Because this traffic is unencrypted, the extensions are exposed to Adversary-in-the-Middle (AitM) attacks: anyone positioned on the same network, such as a public Wi-Fi hotspot, can read the data and potentially modify it in transit, with possibly more serious consequences.

The following extensions have been flagged:

  • SEMRush Rank (extension ID: idbhoeaiokcojcgappfigpifhpkjgmab) and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl), both making calls to “rank.trellian[.]com” over plain HTTP.
  • Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh), which uses HTTP to call an uninstall URL at “browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com” when a user uninstalls the extension.
  • MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl) and MSN Homepage, Bing Search & News (ID: midiombanaceofjhodpdibeppmnamfcj), which send a unique machine identifier and additional details to “g.ceipmsn[.]com” over HTTP.
  • DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc), constructing an HTTP request to “stats.itopupdate[.]com” that includes information such as the extension version and user’s browser language.

While credentials or passwords do not appear to be disclosed, Guo emphasized that the use of unencrypted requests for telemetry significantly undermines a password manager’s security integrity.

Moreover, Symantec has identified extensions that contain API keys, secrets, and tokens embedded directly in their JavaScript code. These vulnerabilities could be exploited by attackers to execute various malicious actions:

  • Online Security & Privacy extension (ID: gomekmidlodglbbmalcneegieacbdmki), AVG Online Security (ID: nbmoafcmbajniiapeidgficgifbfmjfo), Speed Dial [FVD] – New Tab Page, 3D, Sync (ID: llaficoajjainaijghjlofdfmbjpebpa), and SellerSprite – Amazon Research Tool (ID: lnbmbgocenenhhhdojdielgnmeflbnfb), which expose a hard-coded Google Analytics 4 (GA4) API secret that attackers could misuse to manipulate metrics.
  • Equatio – Math Made Digital (ID: hjngolefdpdnooamgdldlkjgmdcmcjnc), embedding a Microsoft Azure API key for speech recognition that could be abused to inflate costs for the developer.
  • Awesome Screen Recorder & Screenshot (ID: nlipoenfbbikpbjkfpfillcgkoblgpmj) and Scrolling Screenshot Tool & Screen Capture (ID: mfpiaehgjbbfednooihadalhehabhcjo), disclosing the developer’s Amazon Web Services (AWS) access key meant for uploading screenshots to their S3 bucket.
  • Microsoft Editor – Spelling & Grammar Checker (ID: gpaiobkfhnonedkhhfjpmhdalgeoebfa), which reveals a telemetry key called “StatsApiKey” for logging user data for analytical purposes.
  • Antidote Connector (ID: lmbopdiikkamfphhgcckcjhojnokgfeo), utilizing a third-party library, InboxSDK, containing hard-coded credentials, including API keys.
  • Watch2Gether (ID: cimpffimgeipdhnhjohpbehjkcdpjolg), which reveals a Tenor GIF search API key.
  • Trust Wallet (ID: egjidjbpglichdcondbcbdnbeeppgdph), exposing an API key linked to the Ramp Network, a Web3 platform allowing users to buy or sell cryptocurrencies directly.
  • TravelArrow – Your Virtual Travel Agent (ID: coplmfnphahpcknbchcehdikbdieognn), which exposes a geolocation API key in its queries to “ip-api[.]com”.

Compromised API keys could be exploited by attackers to inflate costs, facilitate unlawful content hosting, send fraudulent telemetry data, or replicate cryptocurrency transaction orders, potentially resulting in bans for developers.

Of particular concern is the Antidote Connector, which is among over 90 extensions utilizing InboxSDK, presenting a widespread risk due to shared vulnerabilities. The identities of other susceptible extensions have not been disclosed.

Guo highlighted that the issue of leaking sensitive keys, ranging from GA4 analytics to Azure speech keys, reflects the risks associated with poor coding practices. Developers are urged to avoid storing sensitive credentials on the client side. Recommendations include migrating to HTTPS for data transmission, securely storing credentials on backend servers using dedicated management services, and regularly rotating secrets to further reduce risks.
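A developer or reviewer can catch both classes of defect described above (telemetry sent over plain HTTP, and API keys or tokens shipped in the extension's JavaScript) before publishing, by auditing the unpacked package. The following Node.js script is an added example written for this article; it is not code from Symantec or from any of the extensions named above. Every host, key and file it contains is a constructed sample (hosts under `.invalid`, an obviously fake `AKIAEXAMPLEKEY000000` access key ID), and the rule set is a starting point rather than an exhaustive secret-detection list.

```javascript
// Added example (not code from the article, Symantec, or any extension named above):
// a small Node.js audit helper that scans an unpacked Chrome extension's
// manifest and JavaScript for the two defects the article describes:
// telemetry endpoints reached over plain HTTP and credentials hard-coded in
// the shipped source. All file contents below are constructed samples.

const RULES = [
  // Plain-HTTP URL literals; loopback addresses are ignored.
  { id: "plain-http-url", secret: false,
    re: /\bhttp:\/\/(?!localhost|127\.0\.0\.1)[^\s"'`)]+/g },
  // AWS access key IDs: fixed four-letter prefix followed by 16 characters.
  { id: "aws-access-key-id", secret: true,
    re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  // GA4 Measurement Protocol secret passed as a URL query parameter.
  { id: "ga4-api-secret", secret: true,
    re: /[?&]api_secret=[A-Za-z0-9_-]{10,}/g },
  // A key/secret/token name assigned a long string literal.
  { id: "secret-literal", secret: true,
    re: /\b(?:api[_-]?key|secret|token|StatsApiKey)\b\s*[:=]\s*["'`][A-Za-z0-9_\-\/+=.]{16,}["'`]/gi },
];

// Keep only a short prefix of a matched credential so the audit report
// itself does not become another copy of the secret.
function redact(value) {
  return value.length <= 8 ? value : value.slice(0, 8) + "...";
}

// Scan one JavaScript file line by line and return structured findings.
function scanSource(fileName, text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const rule of RULES) {
      rule.re.lastIndex = 0; // reset the /g cursor before each line
      let m;
      while ((m = rule.re.exec(line)) !== null) {
        findings.push({
          file: fileName, line: idx + 1, rule: rule.id,
          match: rule.secret ? redact(m[0]) : m[0],
        });
      }
    }
  });
  return findings;
}

// Flag plain-HTTP origins the manifest asks permission for.
function scanManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  // MV3 lists origins under host_permissions; MV2 mixed them into permissions.
  const origins = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  return origins
    .filter((p) => typeof p === "string" && p.startsWith("http://"))
    .map((p) => ({ file: "manifest.json", line: 0, rule: "plain-http-host-permission", match: p }));
}

// files: { fileName: contents }. Returns every finding across the package.
function auditExtension(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    if (name === "manifest.json") findings.push(...scanManifest(text));
    else if (name.endsWith(".js")) findings.push(...scanSource(name, text));
  }
  return findings;
}

// Constructed sample package (hypothetical hosts under .invalid, fake keys).
const SAMPLE_EXTENSION = {
  "manifest.json": JSON.stringify({
    manifest_version: 3,
    name: "Constructed Sample",
    permissions: ["storage"],
    host_permissions: ["http://stats.example.invalid/*", "https://collector.example.invalid/*"],
  }),
  "background.js": [
    "// constructed background script, not taken from any real extension",
    "const version = chrome.runtime.getManifest().version;",
    'fetch("http://stats.example.invalid/ping?v=" + version);',
    'const StatsApiKey = "constructed-telemetry-key-0000";',
    'const s3Upload = { accessKeyId: "AKIAEXAMPLEKEY000000", bucket: "shots" };',
    'fetch("https://collector.example.invalid/mp/collect?measurement_id=G-0000&api_secret=CONSTRUCTEDsecret01");',
  ].join("\n"),
};

// Print a one-line report per finding when run directly.
for (const f of auditExtension(SAMPLE_EXTENSION)) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.match}`);
}
```

Run it against a real package by replacing `SAMPLE_EXTENSION` with the files read from the unpacked extension directory. Any `plain-http-*` finding is a candidate for the HTTPS migration the article recommends; any `secret`-flagged finding is a value that belongs on a backend behind an authenticated endpoint, with the exposed copy rotated.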

This situation exemplifies how even widely adopted extensions with substantial installations can fall prey to simple misconfigurations and significant security oversights, putting user data at risk.

Users of the affected extensions are advised to consider removing them until the developers rectify these security gaps. The risk of unencrypted traffic is tangible, as it can be easily intercepted, leading to data profiling, phishing, and other targeted cyber threats.

The overarching lesson is that a strong install base or a reputable brand does not guarantee adherence to best practices in encryption. It is crucial for extensions to be evaluated for the security protocols they employ and the data they communicate, ensuring the protection of user information remains a priority.