Many users assume that popular Google Chrome extensions have strong security, but recent findings from Symantec show that several widely used extensions can transmit sensitive data over unencrypted HTTP and have hardcoded API keys that make them open to attackers. In doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information in plaintext. Because the traffic is unencrypted, a man-in-the-middle (MiTM) attacker on the same network can intercept and, in some cases, even modify this data, leading to far more dangerous scenarios.

“The overarching lesson is that a large install base or a well-known brand does not necessarily ensure best practices around encryption,” wrote Symantec researchers in a June 5 blog. “Extensions should be scrutinized for the protocols they use and the data they share, to ensure users’ information remains truly safe.”

Symantec’s research team added that this unencrypted traffic is accessible to anyone performing a MiTM attack, allowing them not only to collect, but also to potentially manipulate this data. The researchers said users of these extensions should consider removing them until the developers address the insecure calls.

“The risk is not just theoretical: unencrypted traffic is simple to capture, and the data can be used for profiling, phishing, or other targeted attacks,” wrote the researchers. “Developers, for their part, should switch to HTTPS whenever they send or receive data, especially if the purpose of their extension is to protect user privacy or provide security-related features.”

Eric Schwake, director of cybersecurity strategy at Salt Security, added that the emergence of widely used Google Chrome extensions that leak API keys and transmit data without encryption through HTTP poses a serious and complex threat.

Schwake said the lack of encryption for sensitive information, such as browsing domains and machine IDs, significantly endangers user privacy, making them susceptible to man-in-the-middle attacks, where malicious entities can intercept or modify data.

“Hard-coding API keys and secrets directly into JavaScript makes these credentials easily accessible to attackers,” said Schwake. “They can exploit these keys maliciously, including inflating API costs, hosting illicit content, or replicating sensitive transactions, such as cryptocurrency orders.”

Companies need to adopt a foundational strategy for managing their digital presence to secure Google Chrome environments, said Schwake. Initially, they should implement stringent policies for approved browser extensions and ensure thorough vetting, emphasizing secure communication and credential management.

Furthermore, Schwake said teams must enforce secure coding practices for any internal extensions or applications to ensure API communications are encrypted using HTTPS and strictly prevent hard-coding API keys or sensitive tokens in client-side code.
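A minimal vetting check for the two issues described above, as an added example that is not code from Symantec, Salt Security, or any extension covered by the research: it scans unpacked extension source for non-local `http://` endpoints and for long string literals assigned to key-like names. The regular expressions, function names, and sample source are constructed assumptions.

```javascript
// Added example: static vetting check for unpacked extension source.
// Patterns, names, and the sample input below are constructed for illustration.
const HTTP_URL = /\bhttp:\/\/[^\s"'`)<>]+/gi;
const LOCAL_HOST = /^http:\/\/(localhost|127\.0\.0\.1|\[::1\])([:\/]|$)/i;
// A key-like identifier (apiKey, API_SECRET, authToken, ...) assigned a long literal.
const SECRET_ASSIGN =
  /\b([\w$]*(?:api[_-]?key|secret|token)[\w$]*)["']?\s*[:=]\s*["'`]([A-Za-z0-9_\-]{16,})["'`]/gi;

// Keep only a short prefix so the report itself does not leak the credential.
function redact(value) {
  return value.slice(0, 4) + "*".repeat(value.length - 4);
}

// files: object mapping file name -> source text. Returns a list of findings.
function scanExtensionSource(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    source.split(/\r?\n/).forEach((text, i) => {
      for (const m of text.matchAll(HTTP_URL)) {
        // Loopback endpoints never leave the machine, so they are not reported.
        if (!LOCAL_HOST.test(m[0])) {
          findings.push({ file, line: i + 1, kind: "plaintext-http", detail: m[0] });
        }
      }
      for (const m of text.matchAll(SECRET_ASSIGN)) {
        findings.push({ file, line: i + 1, kind: "hardcoded-secret",
                        detail: `${m[1]}=${redact(m[2])}` });
      }
    });
  }
  return findings;
}

// Constructed sample resembling an unpacked extension (not taken from a real one).
const sampleExtension = {
  "background.js": [
    'const TELEMETRY_URL = "http://telemetry.example.test/collect";',
    'const API_SECRET = "EXAMPLEexample0123456789abcd";',
    'fetch(TELEMETRY_URL + "?domain=" + host + "&machine_id=" + id);',
  ].join("\n"),
  "options.js": [
    'const DOCS = "https://docs.example.test/help";',
    'const DEV = "http://localhost:8080/reload";',
    'const cfg = { "apiKey": "short" };',
  ].join("\n"),
};

console.table(scanExtensionSource(sampleExtension));
```

A pattern scan like this only catches literal URLs and obvious assignments; endpoints built at runtime or keys split across strings need traffic inspection to find.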
Chrome extensions transmit sensitive data over HTTP, leak API keys
