Chrome Extensions Leak Sensitive Data
Chrome extensions leak user data due to insecure practices. Many popular extensions send info over unencrypted HTTP. For example, they expose API keys and machine IDs to attackers. This flaw puts privacy and security at risk for millions of users.
How Data Gets Exposed
Some extensions transmit browsing domains and OS details in plaintext. Others use hard-coded credentials in their code. As a result, attackers on public Wi-Fi can intercept this data. This vulnerability even allows modification of the transmitted information.
Specific Extensions Affected
SEMRush Rank and PI Rank call unencrypted URLs like “rank.trellian[.]com.” Browsec VPN sends uninstall data over HTTP to an Amazon S3 site. Additionally, MSN extensions share unique machine IDs with “g.ceipmsn[.]com.” These leaks happen without user knowledge.
Hard-Coded Secrets Uncovered
Extensions like Equatio embed Microsoft Azure API keys in their code. Online Security and AVG expose Google Analytics secrets. For instance, Awesome Screen Recorder leaks AWS access keys. Consequently, attackers can exploit these keys for malicious purposes.
Risks to Users and Developers
Exposed keys let attackers inflate API costs or host illegal content. Password managers lose trust by using unencrypted telemetry. A report notes only a few users are affected, but the risk remains. Therefore, even small misconfigurations can cause big problems.
Broader Security Concerns
Over 90 extensions using InboxSDK share similar vulnerabilities. Popular tools with large user bases still neglect encryption. Moreover, unencrypted traffic enables profiling and targeted attacks. This highlights a widespread issue in extension development.
Impact on Trust and Safety
These flaws erode user confidence in Chrome extensions. Developers face bans or financial losses from exploited keys. As a result, users should remove risky extensions until fixes arrive. The lesson stresses the need for secure coding practices.
Preventing Data Exposure Risks
To avoid risks, check extension reviews and developer reputation. For example, prefer HTTPS-only extensions from trusted sources. Regularly update browsers to patch vulnerabilities and avoid public Wi-Fi without a VPN. Additionally, report suspicious extensions and use threat intelligence tools to enhance safety. These steps help protect your data from leaks.
Sleep well, we got you covered.
