Popular Chrome Extensions Leak API Keys and User Data: What You Need to Know
Are Your Chrome Extensions Spying on You? Here’s What You Should Know
A recent investigation has uncovered that some of the most popular Google Chrome extensions are putting users at risk by leaking API keys and transmitting sensitive data over unencrypted HTTP connections. This security lapse could expose millions of users to privacy breaches and potential cyberattacks.
Extensions Sending Data Over Unencrypted HTTP
Using HTTP instead of HTTPS opens the door for attackers to intercept data through adversary-in-the-middle (AitM) attacks. These attacks are especially dangerous on public networks, where malicious actors can eavesdrop on unprotected data streams, some of which may carry API keys.
Some of the extensions flagged for this issue include:
- SEMRush Rank and PI Rank – Communicate with rank.trellian.com over HTTP.
- Browsec VPN – Sends data to an Amazon S3 server using HTTP upon uninstallation.
- MSN New Tab and MSN Homepage, Bing Search & News – Transmit unique machine identifiers over HTTP.
- DualSafe Password Manager – Shares usage data with a third-party server via HTTP.
Extensions with Hard-Coded API Keys
Hard-coded API keys embedded in an extension’s code can be harvested and misused by attackers. Leaked keys can allow unauthorized access to services such as Google Analytics, Microsoft Azure, AWS, and more.
The affected extensions include:
- AVG Online Security and Speed Dial [FVD] – Contain embedded Google Analytics API secrets.
- Equatio – Math Made Digital – Exposes a Microsoft Azure API key.
- Awesome Screen Recorder – Reveals AWS access keys.
- Microsoft Editor – Contains a telemetry key.
- Antidote Connector and Watch2Gether – Leak other sensitive API credentials.
What This Means for You
When browser extensions leak API keys and send unencrypted data, your privacy and data security are at serious risk. Not only can attackers monitor your online behavior, but they can also manipulate services that rely on those API keys, causing financial or reputational harm to both developers and users.
How to Protect Yourself
- Audit Your Extensions: Regularly review and remove unnecessary or suspicious extensions.
- Check Permissions: Only grant the permissions that are essential to an extension’s function.
- Update Often: Ensure all your extensions are up-to-date with the latest security patches.
- Use HTTPS Monitoring Tools: Browser add-ons like HTTPS Everywhere can help detect insecure data transmission.
- Avoid Public Wi-Fi: When handling sensitive information, stick to secure, private networks.
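The "Audit Your Extensions" step can be made concrete by scanning an unpacked extension's source for the two problems this report describes: plaintext `http://` endpoints and credential-shaped strings. The script below is an added example, not code from the report or from any of the named extensions; the key-prefix formats (AKIA for AWS access key IDs, AIza for Google API keys) and the sample extension are assumptions and constructed data, not values from the article.

```python
import re
from pathlib import Path

# Patterns for the two problems the article describes: plaintext HTTP endpoints and
# credential-shaped strings in extension source. AKIA/AIza are the public prefix
# formats of AWS access key IDs and Google API keys (assumed, not from the article).
HTTP_URL = re.compile(r'\bhttp://[^\s"\'<>)]+')
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
    "google_api_key": re.compile(r'\bAIza[0-9A-Za-z_-]{35}\b'),
    "key_assignment": re.compile(  # `apiKey = "..."` style assignments
        r'(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*["\']([^"\']{16,})["\']'),
}
SCAN_SUFFIXES = {".js", ".json", ".html"}

def audit_extension_files(files: dict[str, str]) -> list[dict]:
    """Scan {relative_path: text}; one finding per suspicious match. Hits are leads
    for review: a bundled SDK may carry a public client id, a real secret must be revoked."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in HTTP_URL.finditer(line):
                findings.append({"file": path, "line": lineno,
                                 "kind": "plaintext_http", "match": m.group(0)})
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(line):
                    findings.append({"file": path, "line": lineno,
                                     "kind": kind, "match": m.group(0)})
    return findings

def audit_unpacked_extension(root: Path) -> list[dict]:
    """Audit an unpacked extension directory (a copy of Extensions/<id>/<version>)."""
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix in SCAN_SUFFIXES}
    return audit_extension_files(files)

# Constructed sample extension (not a real product); the keys are fake but follow
# the real prefix formats so the patterns fire. The https:// line must not be flagged.
SAMPLE_EXTENSION = {
    "manifest.json": '{"name": "Sample Rank Checker", "manifest_version": 3}',
    "background.js": "\n".join([
        'const ENDPOINT = "http://rank.example.invalid/api/v1/rank";',
        'const awsAccessKeyId = "AKIAEXAMPLEEXAMPLE00";',
        'const gaKey = "AIzaCONSTRUCTEDSAMPLEKEY000000000000000";',
        'fetch("https://telemetry.example.invalid/collect");',
        'const apiKey = "sk_live_constructed_sample_value_123";',
    ]),
}

if __name__ == "__main__":
    print(*audit_extension_files(SAMPLE_EXTENSION), sep="\n")
```

Against the sample, the scan reports the HTTP endpoint and three key-shaped strings while leaving the HTTPS call alone; on a real profile, point `audit_unpacked_extension` at a copy of the extension folder and review each hit by hand.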
Final Thoughts
Extensions are powerful tools that can enhance your browsing experience, but they also come with risks. Stay informed, remain cautious, and regularly review the tools you trust in your browser to avoid the risks associated with Chrome extensions leaking API keys.
For a detailed breakdown of the original report, visit The Hacker News article.