
Source: Security Circle

Cybersecurity researchers have discovered serious security weaknesses in several popular Google Chrome extensions: the extensions transmit data over plaintext HTTP and hardcode API keys in their source, putting user privacy and security at risk. A researcher on Symantec's Security Technology Response Team pointed out: "Several widely used extensions transmit sensitive data via unencrypted HTTP protocols, exposing browsing domain names, device IDs, operating system information, usage analytics data, and even uninstallation records in plaintext."
Unencrypted traffic of this kind is highly susceptible to adversary-in-the-middle (AitM, also called man-in-the-middle) attacks: on open networks such as public Wi-Fi, an attacker can intercept or even tamper with the data, with more severe consequences. The extensions found to pose these risks are listed below:
Extensions transmitting data over plaintext HTTP
- SEMRush Rank (ID: idbhoeaiokcojcgappfigpifhpkjgmab) and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl): making HTTP calls to “rank.trellian[.]com”
- Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh): fetching its uninstallation link over HTTP when the extension is uninstalled
- MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl) and MSN Homepage, Bing Search, and News (ID: midiombanaceofjhodpdibeppmnamfcj): sending device unique identifiers to “g.ceipmsn[.]com” via HTTP
- DualSafe Password Manager and Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc): sending HTTP requests containing extension version, browser language, etc. to “stats.itopupdate[.]com”
Researchers specifically noted: “Password managers transmit telemetry data using unencrypted requests, severely undermining user trust in their security.”
Extensions with hardcoded keys
- Online Security & Privacy (ID: gomekmidlodglbbmalcneegieacbdmki), AVG Online Security (ID: nbmoafcmbajniiapeidgficgifbfmjfo), etc.: exposing Google Analytics 4 keys, allowing attackers to spoof data and inflate analytics costs
- Equatio Math Tool (ID: hjngolefdpdnooamgdldlkjgmdcmcjnc): embedding Azure Speech Recognition API keys, potentially leading to skyrocketing developer service costs
- Awesome Screenshot Tool (ID: nlipoenfbbikpbjkfpfillcgkoblgpmj), etc.: leaking AWS S3 access keys, allowing attackers to upload files illegally
- Microsoft Editor (ID: gpaiobkfhnonedkhhfjpmhdalgeoebfa): exposing telemetry key “StatsApiKey”
- Antidote Connector (ID: lmbopdiikkamfphhgcckcjhojnokgfeo): third-party library InboxSDK contains hardcoded API keys (affecting over 90 extensions)
- Trust Wallet (ID: egjidjbpglichdcondbcbdnbeeppgdph): leaking fiat channel API keys, allowing spoofing of cryptocurrency transactions
Exploitation of these keys could lead to skyrocketing API service costs, hosting of illegal content under the developer's accounts, spoofed telemetry data, and even developer accounts being banned.
Researchers emphasize: “From GA4 keys to Azure speech keys, these cases demonstrate that a few lines of code can jeopardize an entire service. The core solution is to never store sensitive credentials on the client side.” Developers should take three key measures:
- Use HTTPS for all data transmission
- Keep keys on backend servers, stored with a credential management service rather than in the extension
- Regularly rotate keys to reduce risk
Symantec warns users: "Such risks are not theoretical—unencrypted traffic can be easily intercepted, and data may be used for user profiling, phishing attacks, and other targeted attacks. It is recommended to immediately uninstall extensions with unsafe calls until developers complete fixes." This incident carries a critical lesson: installation volume and brand recognition say nothing about the quality of an extension's security practices; users must review for themselves which protocols an extension uses and what data it shares.
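Both defect classes described above, plaintext HTTP endpoints and credentials hardcoded in client-side code, can be checked for statically, whether by a developer before a release or by a user reviewing an unpacked extension. The following Python script is an added example written for this page; it is not Symantec's tooling and not code from any of the extensions named. It scans an unpacked extension directory (or a string of source text) for quoted http:// URLs and for a few credential shapes that match the key types in the article: an AWS access key id prefix, a GA4 Measurement Protocol api_secret, an Azure Ocp-Apim-Subscription-Key header value, and a generic apiKey / StatsApiKey assignment. The regexes, the file-type filter and the embedded background.js sample are assumptions and should be tuned to your own code base; the sample is constructed and uses AWS's documented example access key id rather than a real credential.

```python
"""Static audit of an unpacked Chrome extension for plaintext http:// endpoints and
credentials hardcoded in client-side code. Hypothetical helper written for this page
(not Symantec's tooling); the regexes are assumptions modelled on public key formats."""
from __future__ import annotations

import re
from pathlib import Path

# Any quoted URL that starts with http:// is a candidate for plaintext transmission.
HTTP_URL = re.compile(r"""["']http://[^"'\s]+""")

# Credential shapes named in the article. AWS access key ids begin with "AKIA"; GA4's
# Measurement Protocol uses an "api_secret"; Azure Cognitive Services keys travel in the
# "Ocp-Apim-Subscription-Key" header; "StatsApiKey" is the telemetry key name quoted for
# Microsoft Editor. These are assumptions: tighten or extend them for your own code base.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "ga4_api_secret": re.compile(r"""api_secret\s*[:=]\s*["'][A-Za-z0-9_\-]{20,}["']"""),
    "azure_subscription_key": re.compile(
        r"""Ocp-Apim-Subscription-Key["']?\s*[:=]\s*["'][0-9a-f]{32}["']""", re.I),
    "generic_api_key": re.compile(
        r"""(?i)\b(?:api[_-]?key|statsapikey)["']?\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']"""),
}


def scan_source(text: str, name: str = "<inline>") -> list[dict]:
    """Return one finding per plaintext URL or hardcoded-credential match, with line numbers."""
    findings: list[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in HTTP_URL.finditer(line):
            findings.append({"file": name, "line": lineno, "kind": "plaintext_http",
                             "match": m.group(0).strip("\"'")})
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"file": name, "line": lineno, "kind": kind, "match": m.group(0)})
    return findings


def scan_extension(root: Path) -> list[dict]:
    """Walk an unpacked extension directory (manifest, scripts, pages) and scan each file."""
    findings: list[dict] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in {".js", ".json", ".html"}:
            findings.extend(scan_source(path.read_text(errors="replace"),
                                        str(path.relative_to(root))))
    return findings


# Constructed sample (not code from any real extension) exercising each defect class.
SAMPLE_BACKGROUND_JS = """\
const STATS_ENDPOINT = "http://stats.example.invalid/collect";
const GA4 = { measurement_id: "G-XXXXXXX", api_secret: "abcdefghijklmnopqrstuvwx" };
const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
const SPEECH_HEADERS = { "Ocp-Apim-Subscription-Key": "0123456789abcdef0123456789abcdef" };
fetch(STATS_ENDPOINT + "?v=" + chrome.runtime.getManifest().version);
fetch("https://api.example.invalid/telemetry", { method: "POST" });
"""


def audit_sample() -> list[dict]:
    """Scan the constructed sample; a clean build would return an empty list."""
    return scan_source(SAMPLE_BACKGROUND_JS, "background.js")


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['file']}:{f['line']}  {f['kind']:24} {f['match']}")
```

To run it against a real extension, unpack it from the browser's extensions directory (or from its CRX archive) and call scan_extension(Path("path/to/unpacked")). A plaintext_http finding is an endpoint to move to HTTPS; every secret finding is a credential that belongs on a backend behind the extension's own API, which is the researchers' recommendation above. Static matching only catches literals, so a key that is assembled at runtime or fetched from a config file still needs a manual review of the network calls the extension makes.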

