API key leaks in popular extensions

Recent cybersecurity research has uncovered significant vulnerabilities in several widely used Google Chrome extensions, which transmit sensitive user data over unencrypted HTTP and contain hardcoded credentials. This exposes users to potential privacy breaches and security threats.

Yuanjing Guo, a researcher from Symantec's Security Technology and Response team, highlighted that these extensions inadvertently send sensitive information, including browsing domains and machine IDs, in plaintext. This unencrypted traffic is particularly vulnerable to adversary-in-the-middle (AitM) attacks, where malicious actors on the same network can intercept or alter the data.

Notable extensions identified include:

SEMRush Rank and PI Rank: Transmit data to "rank.trellian[.]com" over HTTP.
Browsec VPN: Uses HTTP for uninstall requests.
MSN New Tab and MSN Homepage: Send unique machine identifiers to "g.ceipmsn[.]com".
DualSafe Password Manager: Sends telemetry data to "stats.itopupdate[.]com" via HTTP.

While no passwords were leaked, the use of unencrypted requests by a password manager raises concerns about its security integrity.

Additionally, several extensions were found to have hardcoded API keys and secrets in their JavaScript code, which attackers could exploit. Examples include:

Online Security & Privacy: Exposes a Google Analytics 4 API secret.
Equatio: Contains a Microsoft Azure API key for speech recognition.
Awesome Screen Recorder: Reveals an AWS access key.

These vulnerabilities could lead to increased API costs, unauthorized content hosting, and other malicious activities.

Developers are urged to adopt HTTPS for data transmission, securely store credentials on backend servers, and regularly update secrets to mitigate risks. Users are advised to remove these extensions until developers address the security flaws, as unencrypted traffic can be easily captured and exploited.
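As an added illustration (not code from Symantec's research or from any of the extensions named above), the following Node.js script performs the kind of static audit a reviewer can run over an unpacked extension before publishing or installing it: it flags plaintext http:// origins in the manifest, http:// endpoints in script, and the credential shapes this report mentions (an AWS access key ID, a GA4 api_secret parameter, an Azure Ocp-Apim-Subscription-Key header). The manifest and script it scans are constructed samples using .invalid hostnames and AWS's documented example key ID.

```javascript
// Added example: static audit of an unpacked extension's manifest and JS
// for plaintext HTTP use and hardcoded credentials. Sample input below is
// constructed for illustration and does not come from any real extension.
const SECRET_PATTERNS = [
  // AWS access key IDs are "AKIA" followed by 16 uppercase letters/digits.
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  // GA4 Measurement Protocol sends its secret as an api_secret= query parameter.
  { name: 'ga4-api-secret', re: /[?&]api_secret=([A-Za-z0-9_-]{10,})/g },
  // Azure Cognitive Services (incl. Speech) keys travel in this request header.
  { name: 'azure-subscription-key',
    re: /Ocp-Apim-Subscription-Key['"]?\s*[:=]\s*['"]([A-Za-z0-9]{20,})['"]/g },
];
// Any http:// URL in script (https:// does not match because "https:" != "http:").
const HTTP_URL = /\bhttp:\/\/[^\s'"`)]+/g;

// Returns a list of {type, value} findings for one manifest + one script body.
function auditExtension(manifestText, jsSource) {
  const findings = [];
  const manifest = JSON.parse(manifestText);
  // Plaintext origins declared in host_permissions (MV3) or permissions (MV2).
  const origins = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  for (const origin of origins) {
    if (/^http:\/\//.test(origin)) findings.push({ type: 'http-permission', value: origin });
  }
  // Plaintext endpoints hardcoded in script, e.g. telemetry or uninstall pings.
  for (const m of jsSource.matchAll(HTTP_URL)) findings.push({ type: 'http-endpoint', value: m[0] });
  // Credential material that should live on a backend, not in shipped JS.
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of jsSource.matchAll(re)) findings.push({ type: name, value: m[1] || m[0] });
  }
  return findings;
}

// Constructed sample (hypothetical extension): one plaintext origin, one
// plaintext fetch, and three embedded secrets of the kinds discussed above.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 3,
  host_permissions: ['http://telemetry.example.invalid/*', 'https://api.example.invalid/*'],
});
const SAMPLE_JS = `
fetch('http://telemetry.example.invalid/ping?machine=' + machineId);
fetch('https://www.google-analytics.com/mp/collect?measurement_id=G-XXXX&api_secret=abcdEFGH1234_xyz');
const AWS_KEY = 'AKIAIOSFODNN7EXAMPLE';
fetch(url, { headers: { 'Ocp-Apim-Subscription-Key': 'abcdefabcdefabcdefabcdef12345678' } });
`;

for (const f of auditExtension(SAMPLE_MANIFEST, SAMPLE_JS)) console.log(f.type, f.value);
```

To audit a real unpacked extension, read manifest.json and each .js file from its directory and pass them through auditExtension; the regexes are a starting set and will not catch every secret format.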

The findings emphasize that even popular extensions can have serious security oversights, underscoring the need for vigilance regarding data protection practices.