
Cybersecurity researchers have flagged several popular Google Chrome extensions that transmit data over HTTP and hard-code secrets in their code, exposing users to privacy and security risks.
“Several widely used extensions […] unintentionally transmit communicable data over simple HTTP,” said Yuanjing Guo, a security researcher with Symantec’s Security Technology and Response Team.
Because the network traffic is not encrypted, these extensions are susceptible to adversary-in-the-middle (AitM) attacks, allowing malicious actors on the same network, such as public Wi-Fi, to intercept and, worse still, modify this data.

The identified extensions are listed below:
SEMRush Rank (extension ID: idbhoeaiokcojcgappfigpifhpkjgmab) and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl), which send requests to a “[.]com” address over plain HTTP
Browsec VPN (ID: omghfjlpggmjaagoclmmobgdodcjboh), which uses HTTP to call the uninstall URL at “browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com” when a user attempts to uninstall the extension
MSN New Tab (ID: LKLFBKDIGIHJAAEAMNCIBECHHGALLDGL) and MSN Homepage, Bing Search & News (ID: MidiombanaceofJhodpdibeppmnamfcj), which submit a unique machine identifier and other details to a “[.]com” address
DualSafe Password Manager & Digital Vault (ID: LGBJHDKJMPGJGGCBCDLHKOKKPJMEDGC), which sends a request to a “[.]com” address along with information about the extension, the user’s browser language, and usage “type”
“While the credentials and passwords don’t appear to be leaked, the fact that the password manager uses unencrypted requests for telemetry erodes trust in its overall security attitude,” Guo said.
Symantec also identified another set of extensions with API keys, secrets, and tokens embedded directly in their JavaScript code:
Online Security and Privacy Extension (ID: gomekmidlodglbbbmalcneegieAcbdmki), AVG Online Security (ID: nbmoafcmbajniiapeidgficgifbfmjfo), Speed Dial [FVD] – New tab page, 3D, Sync (ID: llaficoajainaijghjlofdfmbjpebpa), SellerSprite - Amazon Research Tool (ID: lnbmbgonenhhdojdielgnmeflbnfb), and SellerSprite - Amazon Research (ID: lnbmbgenenhhdojdielgnmeflbnfb)
Equatio – Math Made Digital (ID: HJNGOLEFDPDNOOAMGDLKJGMDCMCJNC)
Amazing Screen Recorder & Screenshots (ID: nlipoenfbbikpbjkfpfilcgkoblgpmj) and Scrolling Screenshot Tool and Screen Capture (ID: MFPIAEHGJBBFEDNOOIHADALHEHEHEHABHCJO)
Microsoft Editor – Spelling & Grammar Checker (ID: GPAIOBKFHNONEDKHHFJPMHDALGEOEBFA)
Antidote Connector (ID: LMBOPDIIKKAMFHGCCKCKCJHOJNOKGFEO), which incorporates a third-party library called InboxSDK that contains hard-coded credentials, including API keys
Watch2Gether (ID: cimpffimgeipdhnhjohpbehjkcdpjolg), which exposes a Tenor GIF search API key
Trust Wallet (ID: egjidjbpglichdcondbcbdnbeeppgdph), which exposes an API key associated with the Ramp Network, a Web3 platform that lets wallet developers allow users to buy and sell crypto directly from the app
TravelArrow – Virtual Travel Agent (ID: COPLMFNPHAHPCKNBCHEHDIKBDIEONN), which exposes a geolocation API key when making queries to “ip-api[.]com”
Attackers who find these keys can weaponize them to drive up API costs, host illegal content, send spoofed telemetry data, and mimic cryptocurrency trading orders.
Adding to the concern, Antidote Connector is just one of over 90 extensions that use InboxSDK, which means the other extensions are susceptible to the same problem. Symantec has not disclosed the names of the other extensions.

“From GA4 analytics secrets to Azure speech keys, and from AWS S3 credentials to Google-specific tokens, each of these snippets demonstrates how a few lines of code can put an entire service at risk,” Guo said. “Solution: Do not store sensitive credentials on the client side.”
Developers are advised to switch to HTTPS whenever they send or receive data, to store credentials securely on a backend server using a credential management service, and to rotate secrets regularly to further minimize risk.
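One way a developer could check an extension's own source for both issues before publishing, as an added example that is not from Symantec's report or the original article. The rule patterns, file names, hosts, and key values are constructed assumptions.

```javascript
// Added example: audit extension source text for plain-HTTP endpoints and
// hard-coded credentials. Rules and sample files are constructed.
const SECRET_NAME = /(api[_-]?key|secret|token|passw(or)?d)/i;
const KNOWN_PREFIXES = [
  { kind: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "google-api-key", re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
];
const HTTP_URL = /["'`]http:\/\/([^\/"'`\s:]+)/g;
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*[:=]\s*["'`]([^"'`]{16,})["'`]/g;
// Hosts that are not remote network calls (loopback, XML namespace URIs).
const IGNORED_HOSTS = new Set(["localhost", "127.0.0.1", "www.w3.org"]);
// Never copy a full credential into a report or CI log.
function redact(value) {
  return value.slice(0, 4) + "...(" + value.length + " chars)";
}
// files: { "name.js": "source text" } -> [{ file, line, kind, detail }]
function auditExtensionSource(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    source.split("\n").forEach((text, i) => {
      const line = i + 1;
      for (const m of text.matchAll(HTTP_URL)) {
        if (!IGNORED_HOSTS.has(m[1]))
          findings.push({ file, line, kind: "plaintext-http", detail: m[1] });
      }
      for (const m of text.matchAll(ASSIGNMENT)) {
        // Flag long string literals bound to a credential-like name.
        if (SECRET_NAME.test(m[1]) && !/^https?:/.test(m[2]))
          findings.push({ file, line, kind: "hardcoded-secret", detail: m[1] + "=" + redact(m[2]) });
      }
      for (const { kind, re } of KNOWN_PREFIXES) {
        const m = text.match(re);
        if (m) findings.push({ file, line, kind, detail: redact(m[0]) });
      }
    });
  }
  return findings;
}
// Constructed sample extension files (hosts and key values are made up).
const SAMPLE_FILES = {
  "background.js": [
    'const STATS_URL = "http://stats.example.test/ping?lang=" + navigator.language;',
    'const config = { apiSecret: "CONSTRUCTED-SECRET-0123456789" };',
    'const SVG_NS = "http://www.w3.org/2000/svg";',
    'fetch("https://api.example.test/v1/items");',
  ].join("\n"),
  "uploader.js": 'const accessKeyId = "AKIAEXAMPLEKEY000000";',
};
console.log(auditExtensionSource(SAMPLE_FILES));
```

Pattern checks like these produce false positives and miss obfuscated values, so a clean result does not replace moving the credential to a backend service.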
The findings show how even popular extensions with hundreds of thousands of installations can suffer from minor oversights and security failures like hard-coded credentials, putting user data at risk.
“Users of these extensions should consider removing them until the developer deals with their worries [HTTP],” the company said. “The risk is not theoretical. Unencrypted traffic is easy to capture and data can be used for profiling, phishing, or other targeted attacks.”
“The comprehensive lesson is that large install bases or well-known brands don’t necessarily guarantee best practices regarding encryption. You need to scrutinize your extensions for the protocols and shared data you use to ensure that your information remains truly secure.”