Cybersecurity researchers have flagged several popular Google Chrome extensions that transmit data over plain HTTP and embed hard-coded secrets in their code, exposing users to privacy and security risks.
"Many widely used extensions [...] unknowingly transmit sensitive data over simple HTTP," said Yuanjing Guo, a security researcher in Symantec's Security Technology and Response team. "By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information."
Because the network traffic is unprotected, it is also susceptible to adversary-in-the-middle (AitM) attacks, allowing a malicious actor on the same network, such as a public Wi-Fi hotspot, to intercept it and, worse, modify the data, which can lead to more serious consequences.
The identified extensions are listed below –
- SEMrush Rank, which calls [.]com over plain HTTP
- Browsec VPN (ID: OmghfjlpGGMJAGOGOLMOBGDODCJBOH), which calls an unencrypted URL, "browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com", over HTTP when a user tries to uninstall the extension
- MSN New Tab, which calls [.]com over HTTP
- DualSafe Password Manager & Digital Vault, which sends its extension version, "type", and information about the user's browser language and usage to [.]com over HTTP
"While no credentials or passwords appear to be leaked, the fact that a password manager uses unencrypted requests for telemetry erodes trust in its overall security posture," Guo said.
Symantec said it identified another set of extensions with API keys, secrets and tokens embedded directly in their JavaScript code, which an attacker could use to craft malicious requests and carry out various malicious tasks –
- Online Security & Privacy extension, FVD – New Tab Page, 3D, Sync (ID: llaficoajjainaijighjhjhjapebpabpa), and SellerSprite – Amazon Research Tool (ID: LnbmbgCenhhhhhhhhhhhhhhhhhhhhhhhhhhhhhodojdiLBNFB), which expose a hard-coded Google Analytics 4 (GA4) secret
- Equatio – Mathematics Made Digital
- Excellent Screen Recorder and Screenshot
- Microsoft Editor – Spelling and Grammar Checker
- Antidote Connector
- Watch2Gether
- Trust Wallet
- TravelArrow – Your Virtual Travel Agent (ID: coplmfnphahpcknchcehdinognn), which exposes a geolocation API key when building a query to "ip-api[.]com"
Attackers who discover these keys could abuse them to run up API costs, host illegal content, send spoofed telemetry data, and imitate cryptocurrency transaction orders, some of which could result in the developer being banned.
Adding to the concern, Antidote Connector is one of more than 90 extensions that use InboxSDK, which means the other extensions are susceptible to the same problem. Symantec did not name the other extensions.
"From GA4 analytics secrets to Azure speech keys, and from AWS S3 credentials to Google-specific tokens, each of these shows a snippet of how a few lines of code can endanger an entire service," Guo said. "The solution: never store sensitive credentials on the client side."
Developers are advised to switch to HTTPS whenever they send or receive data, store credentials securely on the backend server using a credentials management service, and rotate secrets regularly to reduce the risk.
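As an added example, not code from Symantec's report or from any extension named above, the Python script below performs the two static checks this article implies a reviewer would want over an unpacked extension: plain `http://` entries in the manifest and JavaScript, and hard-coded secrets such as a GA4 `api_secret`, an AWS access key ID or an Azure subscription key. The sample manifest, script and every key value are constructed placeholders, and the regexes are illustrative rather than Symantec's detection logic.

```python
import json
import re
from dataclasses import dataclass

# Two issue classes from the Symantec findings: plaintext HTTP endpoints and
# credentials embedded in client-side JavaScript. Patterns are illustrative.
HTTP_URL = re.compile(r'\bhttp://[^\s"\'<>)]+')
SECRET_PATTERNS = {
    # GA4 Measurement Protocol: /mp/collect?measurement_id=G-...&api_secret=...
    "ga4_api_secret": re.compile(r'api_secret=([A-Za-z0-9_-]{10,})'),
    # AWS access key IDs: fixed AKIA prefix, 20 characters in total.
    "aws_access_key_id": re.compile(r'\b(AKIA[0-9A-Z]{16})\b'),
    # Azure Cognitive Services (e.g. Speech) keys travel in this header.
    "azure_subscription_key": re.compile(
        r'Ocp-Apim-Subscription-Key["\']?\s*[:=]\s*["\']([0-9a-f]{32})'),
}

@dataclass(frozen=True)
class Finding:
    file: str   # "manifest.json" or the script path
    kind: str   # issue class
    value: str  # the offending URL, permission pattern or key

def audit_extension(manifest_json: str, sources: dict[str, str]) -> list[Finding]:
    """Return findings for an unpacked extension (manifest text plus JS files)."""
    findings = []
    manifest = json.loads(manifest_json)
    # MV3 lists hosts under host_permissions; MV2 mixes them into permissions.
    for field in ("host_permissions", "permissions"):
        for entry in manifest.get(field, []):
            if isinstance(entry, str) and entry.startswith("http://"):
                findings.append(Finding("manifest.json", "plaintext_http_permission", entry))
    for path, code in sources.items():
        for url in HTTP_URL.findall(code):
            findings.append(Finding(path, "plaintext_http_url", url))
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(code):
                findings.append(Finding(path, kind, match.group(1)))
    return findings

# Constructed sample extension; every hostname and key below is fake.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Constructed Demo Extension",
    "host_permissions": ["https://api.example.test/*", "http://telemetry.example.test/*"],
})
SAMPLE_SOURCES = {"background.js": """
const GA = "https://www.google-analytics.com/mp/collect?measurement_id=G-EXAMPLE1&api_secret=Abc123_constructed";
fetch("http://telemetry.example.test/ping?uid=" + machineId);  // plaintext telemetry
const AWS_KEY = "AKIAEXAMPLEEXAMPLE00";
const SPEECH = { "Ocp-Apim-Subscription-Key": "0123456789abcdef0123456789abcdef" };
"""}

if __name__ == "__main__":
    for f in audit_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(f"{f.file}: {f.kind} -> {f.value}")
```

A hit for any secret pattern is the cue to move the value to a backend and rotate it, as the article recommends; a plaintext URL hit means the endpoint should be switched to HTTPS.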
The findings show that popular extensions with hundreds of installations can still suffer from trivial mistakes and security blunders such as hard-coded credentials, leaving users' data at risk.
"Users of these extensions should consider removing them until the developers address the unsafe [HTTP] calls," the company said. "The risk is not just theoretical; unencrypted traffic is simple to capture, and the data can be used for profiling, phishing, or other targeted attacks."
"The overarching lesson is that a large installed base or a well-known brand does not necessarily guarantee best practices around encryption. Extensions should be scrutinized for the protocols they use and the data they share, to ensure that users' information is really safe."