Security researchers from Symantec have revealed that numerous widely-used Google Chrome extensions are compromising user privacy by transmitting sensitive information through unencrypted HTTP connections and embedding API keys and tokens directly in their source code.

According to Yuanjing Guo of Symantec’s Security Technology and Response team, many of these extensions leak critical data — including browsing domains, operating system information, unique machine IDs, and telemetry — in plaintext. This exposes users to Adversary-in-the-Middle (AitM) attacks, particularly on unsecured networks like public Wi-Fi, where bad actors can intercept or tamper with this data.

⚠️ Extensions Sending Data Over HTTP Include:

  • SEMRush Rank and PI Rank: Connect to “rank.trellian[.]com” via HTTP.
  • Browsec VPN: Sends uninstall information through an HTTP endpoint on AWS.
  • MSN New Tab and MSN Homepage & Bing Search: Share user identifiers with “g.ceipmsn[.]com”.
  • DualSafe Password Manager: Sends analytics data over HTTP to “stats.itopupdate[.]com”.

Even though no passwords were directly leaked, the use of insecure telemetry in a password manager raises serious concerns.

🔐 Extensions with Hard-Coded Secrets Include:

  • Online Security & Privacy, AVG Online Security, and others: Expose Google Analytics 4 secrets.
  • Equatio – Math Made Digital: Contains a Microsoft Azure key.
  • Awesome Screen Recorder and Scrolling Screenshot Tool: Embed AWS access keys.
  • Microsoft Editor: Reveals a telemetry key for analytics.
  • Antidote Connector: Includes hard-coded credentials via the InboxSDK library, which is used in over 90 other undisclosed extensions.
  • Watch2Gether: Leaks a Tenor API key.
  • Trust Wallet: Exposes an API key from Ramp Network, a crypto platform.
  • TravelArrow: Reveals a geolocation API key used for IP-based queries.

These embedded keys could be exploited by attackers to spam services, inflate usage bills, or even mimic user interactions with crypto platforms.

🔒 Symantec’s Recommendations:

Developers should:

  • Switch to HTTPS for all communications.
  • Store sensitive credentials in secure backend services.
  • Regularly rotate API keys and secrets.

For users, the advice is clear: uninstall affected extensions until fixes are implemented. A popular name or high install count does not guarantee security.

“Even a few lines of insecure code can jeopardize user trust and expose entire platforms to attack,” Guo emphasized.

Search
Recent News
Delhi Metro to Start Services at 4
  • 20 June, 2025
  • 2 min read
OTT Releases This Weekend: Top New Movies
  • 20 June, 2025
  • 2 min read
Trojanized GitHub Repositories Target Gamers and Developers
  • 20 June, 2025
  • 3 min read
Indian Funds in Swiss Banks Tripled in
  • 20 June, 2025
  • 3 min read
5 Yoga Poses to Boost Gut Health
  • 20 June, 2025
  • 3 min read
Roles and Responsibilities of a Brigadier in
  • 20 June, 2025
  • 3 min read
Metro Extension to Ahmedabad Airport Awaits Final
  • 20 June, 2025
  • 2 min read
India Launches Evacuation Flights from Iran Under
  • 20 June, 2025
  • 2 min read
Featured Videos
Lucy 2 Fan Concept Trailer Imagines Scarlett
Game of Thrones: Kingsroad RPG Set to
Baby Elephant’s Adorable Struggle to Wake Up
All Tags
Akshar Yoga Kendraa Auto Bike Taxi Bike Taxi VS Auto Breaking News Elon musk Energy Grand Master Akshar Indian Wild Life International Yoga Day 2025 Job issues Life Style Mental Health NASA Rapido Recycle Space Sports Stock market Summer Taxi taxi fair in banglore Tech Worker Tesla Tiger whether alert X Yoga Yoga challenge

Related Posts

Cybersecurity Technology
Trojanized GitHub Repositories Target Gamers and Developers in Expanding Malware Campaign
IT Industry Tech & Gadgets Tech Culture Technology
Bengaluru Tech Worker Hospitalised After Alleged Harassment by CEO and HR Even Post-Resignation
Technology
Yoast SEO Fixes AI Bug That Secretly Inserted HTML Markup in WordPress Content
Technology
Narayana Murthy Credits ChatGPT for Boosting His Lecture Prep Speed by 5X

© 2025. All rights reserved