Critical security flaws in dozens of popular Chrome extensions, ranging from hardcoded API credentials to unencrypted data transmissions, collectively affect tens of millions of users.
These vulnerabilities expose users to risks, including financial fraud, data profiling, and analytics manipulation.
The investigations conducted by Symantec’s Security Technology and Response (STAR) team, highlight how common oversights like embedding secrets directly into JavaScript or transmitting data over unsecured HTTP remain endemic even among extensions with strong reputations and large install bases. The findings span more than 90 extensions, including well-known names like Avast Online Security, Trust Wallet, Browsec VPN, and Microsoft Editor, many of which claim to enhance user privacy or security.
Hardcoded secrets
Symantec’s first report examines how hardcoded credentials in Chrome extensions can be abused by attackers with minimal effort. Secrets such as API keys, telemetry tokens, and cloud access credentials were found embedded directly in extension code across a variety of services.
Avast Online Security (7M users) and AVG Online Security (600K users) expose their Google Analytics 4 (GA4) API secrets, allowing attackers to inject false analytics data or trigger expensive usage surges.
Symantec
Equatio – Math Made Digital (5M users) embeds a Microsoft Azure speech API key, risking unauthorized use that could drain developer resources or exhaust quotas.
Awesome Screenshot (3M users) and Scrolling Screenshot Tool (400K users) reveal AWS S3 access keys, which could be exploited to upload illicit or malicious files into the developers’ cloud buckets.
Trust Wallet (1M users) includes a fiat ramps API key, enabling spoofed cryptocurrency transactions or quote manipulation—particularly dangerous in financial contexts.
Antidote Connector (1M users) and over 90 other extensions using the InboxSDK library expose Google API keys for Gmail-related operations, risking user data exposure or abuse through spammed API calls.
Even seemingly benign services like Watch2Gether (1M users) leaked a Tenor GIF API key, demonstrating that the abuse potential extends to all areas where key-based usage is metered or logged.
Plaintext HTTP
In the second report, Symantec highlights a parallel problem: unencrypted HTTP communications that expose sensitive user data to network-based attackers. This includes domain names, OS details, machine IDs, and uninstall telemetry, all transmitted in plaintext.
SEMRush Rank (30K users) and PI Rank (unknown user base) send the user’s currently visited domain to rank.trellian.com over HTTP, revealing browsing activity to anyone on the same network.
Browsec VPN (6M+ users) sets an HTTP-based uninstall URL and communicates with multiple insecure third-party HTTP endpoints, severely undermining the privacy claims of a VPN product.
MSN New Tab (500K users) and MSN Homepage (10K users) transmit a stable machine ID, OS, and version info via unencrypted pings, enabling long-term user tracking and cross-session profiling.
DualSafe Password Manager (300K users) sends analytics, including browser language and version, to an HTTP endpoint. While no credentials were leaked, the use of insecure telemetry by a password manager raises serious trust concerns.
In all these cases, attackers using common Man-in-the-Middle (MITM) techniques, such as operating a rogue Wi-Fi hotspot, could intercept or manipulate traffic without the user’s awareness.
Many of the affected extensions are marketed around trust: antivirus vendors, privacy tools, password managers, and productivity apps serving schools or businesses. The presence of such basic security flaws reveals systemic problems in how browser extensions are developed, reviewed, and distributed.
Symantec’s research underscores that a high install count does not guarantee secure engineering practices. Some developers, like those behind Watch2Gether and DualSafe, have patched their extensions following responsible disclosure. Others may still be vulnerable.
Leave a Reply