A number of popular Google Chrome extensions are transmitting sensitive data in the clear over HTTP and contain hard-coded API keys, posing serious privacy and security risks to millions of users.

Symantec analysts have found that some of the most popular Chrome browser extensions are transmitting personal information — such as device IDs, domains, operating systems, uninstall statistics, and more — in unencrypted HTTP traffic. This makes them vulnerable to adversary-in-the-middle (AitM) attacks, especially on public Wi-Fi networks.
Extensions of concern include:
Many of these keys can be used to spoof telemetry, inflate cloud service costs, or even forge crypto transactions. Some extensions, like the Antidote Connector, use third-party libraries with encrypted credentials—more than 90 of them have been discovered.
The problem of improper secret storage in browser extensions has been around for years, but the widespread use of extensions, especially among non-professional users, makes it particularly dangerous. Popularity is no guarantee of security—even for big brands, as Microsoft Editor shows.
Symantec recommends removing vulnerable extensions immediately, until updates are released. Developers should migrate to HTTPS entirely, store keys only on secure backends, and rotate them regularly. Users should carefully vet extensions that have access to data and not rely on their popularity as a guarantee of security.
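
A developer or reviewer can check an unpacked extension for both problems before it ships. The script below is an added example, not Symantec's tooling or code from any of the extensions: it flags cleartext `http://` endpoints and key-like string literals in source files. The regular expressions, the `auditSource` name and the sample sources are assumptions made for this illustration.

```javascript
// Added example (Node.js, no dependencies). Heuristic patterns chosen for this
// illustration; they are not Symantec's detection rules.
const CLEARTEXT_URL = /\bhttp:\/\/([^\s"'`\/:?#]+)[^\s"'`]*/g;
// Hosts that are not remote telemetry: local dev servers and XML namespace URIs.
const IGNORED_HOSTS = new Set(["localhost", "127.0.0.1", "www.w3.org"]);
// An identifier containing key/secret/token assigned a long literal value.
const SECRET_ASSIGN =
  /\b([\w$]*(?:api[_-]?key|api[_-]?secret|secret|token)[\w$]*)["']?\s*[:=]\s*["'`]([A-Za-z0-9_\-]{16,})["'`]/gi;

// files: { "<path>": "<source text>" } -> array of findings with file and line.
function auditSource(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split("\n").forEach((src, i) => {
      for (const m of src.matchAll(CLEARTEXT_URL)) {
        if (!IGNORED_HOSTS.has(m[1].toLowerCase())) {
          findings.push({ file, line: i + 1, kind: "cleartext-http", detail: m[0] });
        }
      }
      for (const m of src.matchAll(SECRET_ASSIGN)) {
        // Report only a prefix so the audit log does not become a second leak.
        const redacted = `${m[1]} = ${m[2].slice(0, 4)}... (${m[2].length} chars)`;
        findings.push({ file, line: i + 1, kind: "hardcoded-secret", detail: redacted });
      }
    });
  }
  return findings;
}

// Constructed sample sources; hosts, names and key values are made up.
const SAMPLE = {
  "background.js": [
    'const TELEMETRY_API_SECRET = "EXAMPLEsecret0000000000";',
    'fetch("http://stats.example.test/uninstall?os=" + os + "&id=" + deviceId);',
    'fetch("https://api.example.test/v1/ping");',
  ].join("\n"),
  "content.js": [
    'const svgNs = "http://www.w3.org/2000/svg";',
    'const cfg = { apiKey: "EXAMPLEkey1111111111111", dev: "http://localhost:8080/" };',
  ].join("\n"),
};

console.table(auditSource(SAMPLE));
```

A finding of kind `hardcoded-secret` means the key should move to a backend the extension calls over HTTPS and then be rotated, since anything shipped in the package is already readable by anyone who installs it.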