Cybersecurity researchers at Symantec have uncovered serious security vulnerabilities in widely-used Google Chrome extensions that expose sensitive user data to potential cyberattacks. The investigation revealed two primary security flaws: unencrypted HTTP data transmission and hardcoded secret keys embedded directly within extension code, affecting millions of users worldwide.
Primary Vulnerability Categories Identified
The research team identified two critical threat vectors compromising user security across popular Chrome extensions. The first vulnerability involves transmitting confidential information through unencrypted HTTP connections, making sensitive data vulnerable to interception by malicious actors.
Transmitted data includes domain names, unique device identifiers, operating system information, usage statistics, and uninstallation procedure data. The absence of encryption creates optimal conditions for man-in-the-middle attacks, enabling cybercriminals to both intercept and modify transmitted information during transit.
Specific Examples of Vulnerable Extensions
Symantec’s investigation highlighted specific extensions with critical security deficiencies. Particular attention was given to DualSafe Password Manager & Digital Vault, a password management tool that utilizes unencrypted requests for transmitting telemetry data.
While direct password leakage doesn’t occur, the implementation of insecure data transmission methods in a product designed to protect confidential information raises significant concerns about the overall security architecture’s reliability.
Hardcoded Secret Storage Problem
The second threat category involves storing API keys, access tokens, and other confidential credentials directly within extension source code. Security experts discovered over 90 extensions utilizing InboxSDK, including Antidote Connector, containing similar vulnerabilities.
Compromised secrets included Google Analytics 4 keys, Azure credentials, AWS S3 tokens, and various Google API keys. Cybercriminals can exploit these exposed credentials to generate malicious requests and execute fraudulent operations while impersonating legitimate services.
Mitigation Strategies and Security Recommendations
Extension developers must prioritize transitioning to HTTPS protocol for all data transmission types. Confidential credentials should be stored exclusively on secure server-side systems rather than within client-side code implementations.
Regular rotation of secret keys and access tokens helps minimize potential damage during security breaches. Implementing secure development principles should become standard practice when creating browser extensions, incorporating security considerations throughout the development lifecycle.
User Protection Guidelines
Users are advised to temporarily remove identified vulnerable extensions until developers address the security issues. High ratings and extension popularity don’t guarantee compliance with modern cybersecurity standards, making due diligence essential when selecting browser add-ons.
These identified threats aren’t theoretical concerns—unencrypted traffic is easily intercepted on public Wi-Fi networks, corporate environments, and other potentially compromised network infrastructures. Captured data can facilitate user profiling, phishing campaigns, and targeted social engineering attacks.
This research emphasizes the critical importance of implementing comprehensive security approaches for browser extension development. Developers must integrate security principles throughout the product creation process, while users should exercise informed decision-making when selecting browser extensions, prioritizing solutions from verified developers with transparent security policies and regular security audits.
