A recent investigation has found that several popular Google Chrome extensions send sensitive user data over unencrypted HTTP connections, exposing millions of users to privacy and security risks. The findings, detailed in a blog post by Symantec's security researchers, call out practices in a number of extensions, including:
PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl)
Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh)
MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl)
SEMRush Rank (ID: idbhoeaiokcojcgappfigpifhpkjgmab)
DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc)
Additional extensions also exhibit problematic behaviors that could expose user data to eavesdropping and profiling attacks.
Extensions Promising Privacy Are Falling Short
While these extensions are marketed as helping users with website rankings, password management, and a better browsing experience, under the hood they make network requests over plain HTTP. Data sent this way is not encrypted, so anyone positioned on the network path, such as another user on the same Wi-Fi network or the operator of an intermediate hop, can read it. The data observed includes the URLs of visited sites, operating system details, unique machine identifiers, and telemetry.
More concerning, several of these extensions were found to contain hardcoded API keys, secrets, and tokens in their source code. Extension code ships to every user in readable form, so anyone who unpacks the extension can recover these credentials; no exploit is required.
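Both defects described above, plaintext endpoints and secrets shipped in the extension's own files, are visible to anyone who unpacks the extension, so they can be checked statically before installing. The script below is an added example written for this article, not code from Symantec or from any of the extensions named. The sample manifest, background script, hostnames and key value are constructed, and the entropy cut-off of 3.5 bits per character is an assumed heuristic for telling a real key from a placeholder string.

```javascript
'use strict';

// Constructed sample: an unpacked extension as { relativePath: fileContents }.
// Hostnames, the key value and the code itself are invented for this example.
const SAMPLE_EXTENSION = {
  'manifest.json': JSON.stringify({
    manifest_version: 3,
    name: 'Constructed Sample Extension',
    version: '1.0.0',
    host_permissions: ['http://*/*', 'https://*/*'],
    background: { service_worker: 'background.js' },
  }),
  'background.js': [
    'const API_KEY = "sk_constructed_7f3a9c2e1b4d6f8a";',
    'const PLACEHOLDER_TOKEN = "CHANGE_ME_CHANGE_ME_CHANGE_ME";',
    'chrome.runtime.setUninstallURL("http://telemetry.example.invalid/uninstall?uid=" + uid);',
    'fetch("http://rank.example.invalid/api?url=" + encodeURIComponent(tab.url) + "&key=" + API_KEY);',
    'fetch("https://safe.example.invalid/ping");',
  ].join('\n'),
};

// Any http:// URL in script source is a plaintext endpoint.
const HTTP_URL = /\bhttp:\/\/[^\s"'`<>()]+/g;

// An identifier containing api_key/secret/token/password assigned a quoted
// literal of 16+ characters. Case-insensitive so API_KEY and apiKey both match.
const SECRET_ASSIGN =
  /([\w$]*?(?:api[_-]?key|secret|token|password)[\w$]*)\s*[:=]\s*["']([^"'\n]{16,})["']/gi;

// Shannon entropy in bits per character; random keys score high, placeholders low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Audit an unpacked extension. entropyThreshold (3.5 bits/char) is an assumed
// cut-off chosen so the constructed key passes and the placeholder does not.
function auditExtension(files, { entropyThreshold = 3.5 } = {}) {
  const findings = { insecureHostPermissions: [], insecureUrls: [], secrets: [] };

  // Manifest: host permissions that grant access to plaintext origins.
  const manifest = JSON.parse(files['manifest.json'] || '{}');
  const perms = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  for (const p of perms) {
    if (/^http:\/\//i.test(p)) findings.insecureHostPermissions.push(p);
  }

  // Scripts: plaintext URLs and secret-looking literals.
  for (const [path, src] of Object.entries(files)) {
    if (!path.endsWith('.js')) continue;
    for (const m of src.matchAll(HTTP_URL)) {
      findings.insecureUrls.push({ file: path, url: m[0] });
    }
    for (const [, name, value] of src.matchAll(SECRET_ASSIGN)) {
      const entropy = shannonEntropy(value);
      if (entropy >= entropyThreshold) {
        findings.secrets.push({ file: path, name, entropy: Number(entropy.toFixed(2)) });
      }
    }
  }
  return findings;
}

function formatReport(findings) {
  const lines = [];
  for (const p of findings.insecureHostPermissions) lines.push(`[perm]   http scheme in host permission: ${p}`);
  for (const f of findings.insecureUrls) lines.push(`[http]   ${f.file}: ${f.url}`);
  for (const s of findings.secrets) lines.push(`[secret] ${s.file}: ${s.name} (${s.entropy} bits/char)`);
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(formatReport(auditExtension(SAMPLE_EXTENSION)).join('\n'));
}
```

To run this against a real extension, read its unpacked directory into the same `{ path: contents }` shape. Expect some false positives (XML namespace URLs, strings that merely look random) and some misses: a key assembled at runtime, or stored under a name the regex does not know, will not be flagged, so the result is a starting point for review rather than a verdict.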
Significant Risks on Public Networks
The implications are most serious on public Wi-Fi networks, where traffic sent over HTTP can be captured by anyone on the same network. Because the traffic is unencrypted, an active attacker can also modify requests and responses in transit, not merely read them. As Symantec's analysis notes, the privacy-oriented Browsec VPN extension, with a user base exceeding six million, used an HTTP endpoint during uninstallation and transmitted user identifiers and usage statistics over it without encryption.
Pervasive Data Leaks Identified
Other extensions, including SEMRush Rank and PI Rank, were found to send the full URLs of visited sites over HTTP to external servers, which lets a network observer compile a detailed log of a user's browsing. The MSN New Tab and MSN Homepage extensions, for their part, transmit machine IDs and device information that stay constant over time, so an observer can link a user's sessions together and profile them across days or weeks.
Even DualSafe Password Manager, which handles users' credentials, was found to send telemetry over an unencrypted channel. No password leakage was observed, but unencrypted traffic from a password manager raises serious questions about the extension's overall design and security review.
Patrick Tiquet, Vice President of Security & Architecture at Keeper Security, commented on the situation, emphasizing that the incident underscores significant weaknesses in extension security. He warned that even well-regarded Chrome extensions pose risks to users if developers neglect proper security practices. Tiquet stressed the importance of strict controls over browser extension usage and the need for organizations to manage sensitive data securely while monitoring for unusual behavior on endpoints.
Threats to Privacy and Data Security
None of the examined extensions were found to leak passwords or financial information directly, but the exposure of machine identifiers, browsing patterns, and telemetry is not inconsequential. An attacker can use such data to track users, craft targeted phishing campaigns, or forge telemetry in the extension's name. Compounding these risks, a recent report by NordVPN identified over 94 billion browser cookies on the dark web, and that data becomes more dangerous when combined with the identifiers and browsing history exposed by the weaknesses Symantec disclosed.
Hardcoded API keys or secrets amplify these risks substantially. Anyone who extracts such a credential can impersonate the legitimate extension to its backend, submit counterfeit data, or run up service usage under the developer's account, which can end in financial penalties or account suspension for the developer.
Recommended Actions for Users
Symantec contacted the developers of the affected extensions; so far only DualSafe Password Manager's developer has shipped a fix for the reported issues. Users are therefore urged to remove the other listed extensions until patches are available. To check an installed extension against the IDs above, open chrome://extensions, enable Developer mode, and compare the ID shown under each extension. More generally, treat even popular, highly rated extensions with caution: review the permissions they request, avoid extensions from unknown publishers, and remember that any tool claiming to offer privacy or security must itself be scrutinized for how it handles data. A reputable endpoint security solution helps, but it does not substitute for that scrutiny.