Cybersecurity researchers have flagged several popular Google Chrome extensions that were found to transmit data over HTTP and to hard-code secrets in their code, exposing users to privacy and security risks.
“Several widely used extensions (…) unintentionally transmit sensitive data over simple HTTP,” Yuanjing Guo, a security researcher in the Symantec security and response team, noted. “By doing so, they expose browsing domains, machine identifiers, operating system details, usage analytics and even uninstall information in plaintext.”
Because the network traffic is unencrypted, it is susceptible to adversary-in-the-middle (AitM) attacks, which allow malicious actors on the same network, such as public Wi-Fi, to intercept and, worse, modify this data, which can lead to much more serious consequences.
The list of detected extensions is given below –
- SEMRush Rank (ID: IDBHOEAIOIOKCOJCGAPFIFHPKJGMAB) and PI Rank (ID: CCGDBODGDLNGFDolahmiilojmfndl), which call the URL “rank.trellian(.)com” over plain HTTP
- Browsec VPN (ID: OMGHFJLPGGMJAAGAGACLMMOBGDODCJBOH), which uses HTTP to call the URL “browsec-uninstall.s3-website.eu-central-1.amazonaws (
- MSN New Tab (ID: lklfbkdigihaaayamncibechldgl) and MSN Homepage, Bing Search & News (ID: Midiombanaceofjhodpdibepmnamfc
- DualSafe Password Manager & Digital Vault (ID: LGBJHDKJMPGJGCBCDLHKOKKKPJMEDGC), which constructs an HTTP-based URL for “stat.itopupdate(.)com” together with the extension version, the user’s and “type”.
“Although accounts and passwords do not appear to be leaked, the fact that a password manager uses unencrypted requests for telemetry erodes trust in its overall security posture,” Guo said.
Symantec also said it identified another set of extensions with API keys, secrets and tokens embedded directly in the JavaScript code, which an attacker could weaponize to craft malicious requests and carry out various malicious actions –
- Online Security and Privacy (ID: Gomekmidglbbmalcnegieacbdmki), AVG Internet-Security (ID: NBMOAFCMBAJNIAPEIDGFIMJFO), SPEED Dial (FVD) LNBMBGOCENHHHDOJDIELGNMEFLBNFB), which expose the hard-coded
- Equatio – Math Made Digital (ID: Hjngolefdpdpdnooamgdlkjmdcjnc), which embeds a Microsoft Azure API key used for speech recognition that an attacker could use to inflate the developer’s costs or exhaust their usage limits
- Awesome Screen Recorder & Screenshot (ID: Nlipoenfbikpbikpbjkfillcgkoblgpmj) and Scrolling Screenshot Tool & Screen Capture (ID: MFPIAEHGJBBFEDNOOIHADALHABHCJO), which expose the developer’s Amazon Web Services (AWS) access key used to upload screenshots to the developer’s S3 bucket
- Microsoft Editor – Spelling and Grammar (ID: GPAIBKFHNONEDKHHFJPMHDALGEBFA), which exposes a telemetry key named “Statsapikey” used to log users’ data for analytics
- Antidote Connector (ID: lmbopdiikamfphhggkckjhojnokgfeo), which includes a third-party library called InboxSDK containing hard-coded credentials, including API keys
- Watch2gether (ID: CIMPFFFFIMGEIPDHNHJOHPBEHJKCDPJOLG), which exposes a Tenor GIF API key
- Trust Wallet
- TravelArrow – Your Virtual Travel Agent (ID: Coplmfnphacknbcchdikbdiegnn), which exposes a geolocation API key when making requests to “ip-api(.)com”
Attackers who find these keys could weaponize them to drive up API costs, host illegal content, send spoofed telemetry data and mimic cryptocurrency transaction orders, some of which could get the developer banned.
Adding to the concern, Antidote Connector is just one of more than 90 extensions that use InboxSDK, which means that other extensions are susceptible to the same problem. Symantec did not reveal the names of the other extensions.
“From GA4 analytics secrets to Azure speech keys, and from AWS S3 credentials to Google-specific tokens, each of these snippets demonstrates how a few lines of code can jeopardize an entire service,” Guo said. “The solution: never store sensitive credentials on the client side.”
Developers are advised to switch to HTTPS whenever they send or receive data, to store credentials securely on a backend server using a credentials management service, and to rotate secrets regularly to minimize the risk.
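As an added illustration (not code from Symantec or from any of the extensions named), the sketch below shows how a reviewer might check unpacked extension source for the two problems the article describes: plaintext http:// endpoints and hard-coded credentials. The patterns, the auditExtension name and all sample file contents are assumptions constructed for this example.

```javascript
// Added example: static audit of extension source for plaintext HTTP endpoints
// and hard-coded credentials. Rules are illustrative heuristics, not exhaustive.
const SECRET_RULES = [
  // AWS access key IDs: "AKIA" followed by 16 upper-case letters or digits.
  { kind: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // A key/secret/token-looking identifier assigned a long string literal.
  { kind: "hardcoded-credential",
    re: /\b([\w$]*(?:api[_-]?key|secret|token)[\w$]*)["']?\s*[:=]\s*["'][A-Za-z0-9_\/+-]{16,}["']/gi },
];
const HTTP_URL = /\bhttp:\/\/([^\s"'`\/?#]+)/gi;
// Hosts that are not network telemetry: loopback and XML namespace URIs.
const IGNORED_HOSTS = /^(localhost|127\.0\.0\.1|\[::1\]|www\.w3\.org)(:\d+)?$/i;
// Never echo a full secret into a report: keep a short prefix only.
const redact = (s) => s.slice(0, 4) + "...";

// files: { "path.js": "source text" } -> [{ file, line, kind, evidence }]
function auditExtension(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((src, i) => {
      for (const m of src.matchAll(HTTP_URL)) {
        if (!IGNORED_HOSTS.test(m[1])) {
          findings.push({ file, line: i + 1, kind: "plaintext-http", evidence: m[1] });
        }
      }
      for (const { kind, re } of SECRET_RULES) {
        for (const m of src.matchAll(re)) {
          findings.push({ file, line: i + 1, kind, evidence: m[1] ?? redact(m[0]) });
        }
      }
    });
  }
  return findings;
}

// Constructed sample input: hostnames and key values are made up.
const SAMPLE_FILES = {
  "background.js": [
    'const STATS_URL = "http://stats.example.test/collect?v=" + version;',
    'const svgNs = "http://www.w3.org/2000/svg";',
    'fetch("https://api.example.test/v1/ping");',
  ].join("\n"),
  "upload.js": [
    'const cfg = { accessKeyId: "AKIAEXAMPLEKEY000000", bucket: "screenshots" };',
    'const speechApiKey = "0123456789abcdef0123456789abcdef";',
  ].join("\n"),
};
console.log(auditExtension(SAMPLE_FILES));
```

A finding from either rule is a prompt for manual review: the HTTP rule says nothing about what data is sent, and the credential rule can miss keys stored under unremarkable names.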
The findings show how even popular extensions with hundreds of thousands of installations can suffer from trivial misconfigurations and security blunders, such as hard-coded credentials, leaving users at risk.
“Users of these extensions should consider removing them until the developers address the insecure (HTTP) calls,” the company said. “The risk is not just theoretical; unencrypted traffic is easy to capture, and the data can be used for profiling, phishing or other targeted attacks.”
“The overarching lesson is that a large install base or a well-known brand does not necessarily ensure best practices around encryption. Extensions should be scrutinized for the protocols they use and the data they share, to ensure that users’ information remains truly safe.”