Security Risks Emerge from Popular Chrome Extensions Transmitting User Data in Plaintext

Cybersecurity experts have raised alarms regarding several widely used Google Chrome extensions that have been found to expose sensitive user data through unencrypted HTTP transmissions. A recent investigation revealed that these extensions are transmitting details such as browsing domains, machine IDs, operating system information, and usage analytics over insecure channels. According to Yuanjing Guo, a security researcher at Symantec’s Security Technology and Response team, this lack of encryption poses significant privacy risks for users.

Among the extensions identified in the study are SEMRush Rank and PI Rank, both of which call URLs over plaintext HTTP, where the traffic can easily be intercepted by malicious actors. Additionally, Browsec VPN has been flagged for using HTTP to call an uninstall URL when users attempt to remove the extension. Other notable extensions, such as MSN New Tab and DualSafe Password Manager, have also been implicated, raising concerns about user security and data protection.

In addition to HTTP transmission vulnerabilities, researchers have pointed out that several extensions have hard-coded secrets embedded within their JavaScript code. Extensions such as Online Security & Privacy and AVG Online Security expose critical API secrets that, if exploited, could lead to malicious activities and financial losses for developers. Notably, the Equatio extension was found to have a Microsoft Azure API key exposed, while various tools disclosed access keys for services such as Amazon Web Services and Google Analytics.
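As an added example (not code from the article, from Symantec, or from any of the extensions named above), the Node.js check below scans extension JavaScript for the two issue classes the research describes: endpoints called over plaintext `http://` and credentials hard-coded in the source. The sample extension source, its hostnames and its key values are constructed for this illustration; the `AKIA` and `AIza` prefixes are the publicly documented formats of AWS access key IDs and Google API keys, and the `chrome.runtime.setUninstallURL` call mirrors the uninstall-URL behaviour the article mentions.

```javascript
// Static check for plaintext-HTTP endpoints and hard-coded secrets in
// extension JavaScript. Added example; not from the article or any extension.

// Patterns for credential formats that should never ship in client-side code.
const SECRET_PATTERNS = [
  // AWS access key ID: "AKIA" followed by 16 upper-case alphanumerics.
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  // Google API key: "AIza" followed by 35 URL-safe characters.
  { name: 'google-api-key', re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  // Generic "apiKey: '...'" / "secret = '...'" assignments with a long literal.
  {
    name: 'generic-secret-assignment',
    re: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"][^'"]{16,}['"]/gi,
  },
];

// Any http:// URL literal; https:// does not match because the scheme differs.
const HTTP_URL = /\bhttp:\/\/[^\s'"`)]+/g;

// Mask a matched secret so reports can locate it without reproducing it.
function redact(value) {
  if (value.length <= 8) return '****';
  return value.slice(0, 4) + '*'.repeat(value.length - 6) + value.slice(-2);
}

// Scan one source file line by line; returns findings with 1-based line numbers.
function scanSource(source, fileName = 'unknown.js') {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(HTTP_URL)) {
      findings.push({ file: fileName, line: idx + 1, kind: 'plaintext-http', value: m[0] });
    }
    for (const { name, re } of SECRET_PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ file: fileName, line: idx + 1, kind: name, value: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Count findings per kind so a reviewer can see the shape of the problem at a glance.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// One line per finding, in the file:line style that code-review tools expect.
function formatReport(findings) {
  return findings.map((f) => `${f.file}:${f.line} [${f.kind}] ${f.value}`).join('\n');
}

// Constructed sample of an extension background script (not real extension code).
// Hostnames use the reserved .invalid TLD; key values are placeholders in the real formats.
const SAMPLE_EXTENSION_JS = [
  '// constructed sample, not code from any real extension',
  'const RANK_ENDPOINT = "http://rank.example.invalid/api/check?domain=";',
  'const UNINSTALL_URL = "http://uninstall.example.invalid/bye";',
  'const ANALYTICS = "https://analytics.example.invalid/collect";',
  'const AWS_KEY = "AKIAEXAMPLEEXAMPLE00";',
  'const GA_KEY = "AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMP";',
  'const config = { apiKey: "sk_constructed_0123456789abcdef" };',
  'chrome.runtime.setUninstallURL(UNINSTALL_URL);',
].join('\n');

const sampleFindings = scanSource(SAMPLE_EXTENSION_JS, 'background.js');
console.log(formatReport(sampleFindings));
console.log(summarize(sampleFindings));
```

On the constructed sample the scan reports the two `http://` endpoints (the rank lookup and the uninstall URL) and the three embedded credentials, while the `https://` analytics endpoint produces no finding. Running the same scan over an unpacked extension's `.js` files before review is a cheap way to catch both of the issue classes the article describes; secret values are masked in the output so the report itself does not become a second copy of the credential.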

Experts advise users to remove these vulnerable extensions until developers address these critical security issues. Guo emphasized that developers should adopt best practices by transitioning to HTTPS, securely storing sensitive credentials in backend servers, and rotating secrets regularly to minimize risk. This incident serves as a reminder that popularity does not guarantee security, and market presence should not compensate for a lack of proper encryption practices.