{"id":3489,"date":"2025-06-09T12:15:31","date_gmt":"2025-06-09T12:15:31","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3489"},"modified":"2025-06-09T12:15:31","modified_gmt":"2025-06-09T12:15:31","slug":"chrome-extension-privacy-promises-undone-by-hardcoded-secrets-leaky-http","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3489","title":{"rendered":"Chrome extension privacy promises undone by hardcoded secrets, leaky HTTP"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Seemingly harmless Chrome extensions aimed at improving browser privacy and analytics could be inadvertently leaking API keys, secrets, and other sensitive machine information.\u00a0\u00a0<\/p>\n<p>According to Symantec research, several widely used Chrome extensions, including DualSafe Password Manager and the Avast Online Security &amp; Privacy extension, are exposing information either through insecure HTTP transmission or hardcoded leaks.\u00a0\u00a0<\/p>\n<p>Yuanjing Guo, a software engineer at Symantec, said hardcoded credentials such as API keys, secrets, or tokens embedded in a browser extension\u2019s JavaScript are among the most serious security flaws in modern development. Guo added that popular extensions like SEMRush Rank, PI Rank, MSN New Tab\/Homepage, DualSafe Password Manager, and Browsec VPN inadvertently transmit sensitive data over unencrypted HTTP.\u00a0\u00a0<\/p>\n<p>\u201cThis incident highlights a critical gap in extension security\u2013even popular Chrome extensions can put users at risk if developers cut corners,\u201d said Patrick Tiquet, vice president, security and architecture at Keeper Security. 
\u201cTransmitting data over unencrypted HTTP and hard-coding secrets exposed users to profiling, <a href=\"https:\/\/www.csoonline.com\/article\/3993713\/secure-email-a-losing-battle-cisos-must-give-up.html?utm=hybrid_search\" target=\"_blank\" rel=\"noopener\">phishing<\/a>, and <a href=\"https:\/\/www.csoonline.com\/article\/3604557\/how-to-defend-microsoft-networks-from-adversary-in-the-middle-attacks.html?utm=hybrid_search\" target=\"_blank\" rel=\"noopener\">adversary-in-the-middle attacks<\/a>\u2013especially on unsecured networks.\u201d\u00a0\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Sensitive information exposed through insecure HTTP\u00a0\u00a0<\/h2>\n<p>Transmitting sensitive data over plain (unencrypted) HTTP exposes browsing domains, machine IDs, operating system details, usage analytics, and uninstall information in plaintext.\u00a0\u00a0<\/p>\n<p>\u201cBecause the traffic is unencrypted, a Man-in-the-Middle (<a href=\"https:\/\/www.csoonline.com\/article\/566905\/man-in-the-middle-attack-definition-and-examples.html?utm=hybrid_search\" target=\"_blank\" rel=\"noopener\">MITM<\/a>) attacker on the same network can intercept and, in some cases, even modify this data, leading to far more dangerous scenarios than simple eavesdropping,\u201d Guo <a href=\"https:\/\/www.security.com\/threat-intelligence\/chrome-extension-leaks\" target=\"_blank\" rel=\"noopener\">said<\/a>.\u00a0\u00a0<\/p>\n<p>Of the extensions Guo mentioned, SEMRush Rank and PI Rank transmit users\u2019 full browsing domains in plaintext to rank.trellian.com, effectively exposing their web activity. 
MSN New Tab\/Homepage sends a persistent Machine ID, OS version, and extension version using an unencrypted SendPingDetails request, data that can be used to track users across sessions.\u00a0\u00a0<\/p>\n<p>Additionally, DualSafe Password Manager, while not leaking passwords, still pushes analytics like browser language and version to stats.itopupdate.com over HTTP.\u00a0\u00a0<\/p>\n<p>\u201cWe used to call these (extensions) BHO\u2019s \u2013 browser helper objects \u2013 and this was a very common way to compromise browsers for various outcomes, ranging from stealing credentials and spying on users, to simply establishing ways to very uniquely identify and track users across the internet,\u201d said BugCrowd CISO Trey Ford. \u201cUltimately, this can manifest as a form of malware, and unavoidably create a new attack surface for miscreants to attack and compromise a very secure browsing experience.\u201d\u00a0<\/p>\n<p>Installing suitable endpoint protection, blocking extensions from unfamiliar sites, monitoring extension permissions, and backing up data frequently were listed as mitigations against exploits targeting these exposures.\u00a0\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Extension code uses hardcoded credentials<\/h2>\n<p>Guo added that hardcoded credentials, such as API keys, secrets, and tokens, are exposed within popular extensions\u2019 JavaScript, making them accessible to anyone who inspects the extension\u2019s source code.\u00a0\u00a0<\/p>\n<p>For instance, the Avast Online Security and Privacy and AVG Online Security extensions, aimed at browsing privacy and security, both contain hardcoded Google Analytics 4 (GA4) API secrets. 
An attacker discovering these secrets could misuse them to send fraudulent data to the GA4 endpoint.\u00a0\u00a0<\/p>\n<p>Other extensions like Awesome Screen Recorder &amp; Screenshot and Scrolling Screenshot Tool &amp; Screen Capture reveal AWS S3 access keys in their code.\u00a0\u00a0<\/p>\n<p>\u201cHardcoding API keys and secrets directly into JavaScript makes these credentials easily accessible to attackers,\u201d said Eric Schwake, director of cybersecurity strategy at Salt Security. \u201cThey can exploit these keys maliciously, including inflating API costs, hosting illicit content, or replicating sensitive transactions, such as cryptocurrency orders.\u201d\u00a0<\/p>\n<p>Microsoft Editor, an AI-powered editing extension for Chrome and Edge, was also found to be exposing a telemetry key, StatsApiKey, which can be exploited to generate fake analytics data, potentially disrupting Microsoft\u2019s data collection and analysis processes.\u00a0\u00a0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Seemingly harmless Chrome extensions aimed at improving browser privacy and analytics could be inadvertently leaking API keys, secrets, and other sensitive machine information.\u00a0\u00a0 According to Symantec research, several widely used Chrome extensions, including DualSafe Password Manager and the Avast Online Security &amp; Privacy extension, are exposing information either through insecure HTTP transmission or hardcoded leaks.\u00a0\u00a0 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3490,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3489","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3489"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3489"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3489\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3490"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}