Chrome extension privacy promises undone by hardcoded secrets, leaky HTTP

Seemingly harmless Chrome extensions aimed at improving browser privacy and analytics could be inadvertently leaking API keys, secrets, and other sensitive machine information.  

According to a Symantec research, several widely used Chrome extensions, including DualSafe Password Manager and Avast Online Security & Privacy extension, are exposing information either through insecure HTTP transmission or hardcoded leaks.  

Yuanjing Guo, a software engineer at Symantec, said hardcoded credentials such as API keys, secrets, or tokens embedded in a browser extension’s JavaScript are among the most serious security flaws in modern development. Guo also added that popular extensions like SEMRush Rank, PI Rank, MSN New Tab/Homepage, DualSafe Password Manager, and Browsec VPN inadvertently transmit sensitive data over unencrypted HTTP.  

“This incident highlights a critical gap in extension security–even popular Chrome extensions can put users at risk if developers cut corners,” said Patrick Tiquet, vice president, security and architecture at Keeper Security. “Transmitting data over unencrypted HTTP and hard-coding secrets exposed users to profiling, phishing, and adversary-in-the-middle attacks–especially on unsecured networks.”  

Sensitive information exposed through insecure HTTP  

Transmitting sensitive data over simple (unencrypted) HTTP exposes browsing domains, machine IDs, operating system details, usage analytics, and uninstall information in plaintext.  

“Because the traffic is unencrypted, a Man-in-the-Middle (MITM) attacker on the same network can intercept and, in some cases, even modify this data, leading to far more dangerous scenarios than simple eavesdropping,” Guo said.  

From the extensions Guo mentioned, SEMRush Rank and PI Rank transmit users’ full browsing domains in plaintext to rank.trellian.com, effectively exposing their web activity. MSN New Tab/Homepage sends a persistent Machine ID, OS version, and extension version using an unencrypted SendPingDetails request, data that can be used to track users across sessions.  

Additionally, DualSafe Password Manager, while not leaking passwords, still pushes analytics like browser language and version to stats.itopupdate.com over HTTP.  

“We used to call these (extensions) BHO’s – browser helper objects – and this was a very common way to compromise browsers for various outcomes, ranging from stealing credentials and spying on users, to simply establishing ways to very uniquely identify and track users across the internet,” said BugCrowd CISO Trey Ford. “Ultimately, this can manifest as a form of malware, and unavoidably create a new attack surface for miscreants to attack and compromise a very secure browsing experience.” 

Installing suitable endpoint protection, blocking extensions from unfamiliar sites, monitoring extension permissions, and backing up data frequently were listed as a few mitigating factors against exploits targeting these exposures.  

Extension code uses hardcoded credentials

Guo added that hardcoded credentials, such as API keys, secrets, and tokens, are exposed within popular extensions’ JavaScript, making them accessible to anyone who inspects the extension’s source code.  

For instance, Avast Online Security and Privacy and AVG Online Security extensions, aimed at browsing privacy and security, both contain hardcoded Google Analytics 4 (GA4) API secrets. An attacker discovering these secrets could misuse them to send fraudulent data to the GA4 endpoint.  

Other extensions like Awesome Screen Recorder & Screenshot and Scrolling Screenshot Tool & Screen Capture reveal AWS S3 access keys in their code.  

“Hardcoding API keys and secrets directly into JavaScript makes these credentials easily accessible to attackers,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “They can exploit these keys maliciously, including inflating API costs, hosting illicit content, or replicating sensitive transactions, such as cryptocurrency orders.” 

Microsoft Editor, an AI-powered editing extension for Chrome and Edge, is also found exposing a telemetry key, StatsApiKey, which can be exploited to generate fake analytics data, potentially disrupting Microsoft’s data collection and analysis processes.