Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hardcoded Credentials

Parkinsond
Thread author
Dec 6, 2023
Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks.

The fact that the network traffic is unencrypted also means that they are susceptible to adversary-in-the-middle (AitM) attacks, allowing malicious actors on the same network such as a public Wi-Fi to intercept and, even worse, modify this data, which could lead to far more serious consequences.

The list of identified extensions includes Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh), which uses HTTP to call an uninstall URL at "browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com" when a user attempts to uninstall the extension.
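An added audit helper, written for this thread and not code from the post, the researchers or any of the named extensions: it walks an unpacked extension directory and flags the two issues the article describes, plaintext http:// endpoints (in scripts and in manifest host permissions) and hard-coded secret-looking literals. The sample extension it builds, the file names, the key name and the token value are all constructed, and the secret patterns are heuristics to tune for your own review.

```python
"""Audit an unpacked Chrome extension for plaintext http:// endpoints and
hard-coded secrets. Added example; all sample content below is constructed."""
import os
import re
import json
import tempfile

# http:// URLs that leave the host (localhost/127.0.0.1 excluded).
HTTP_URL_RE = re.compile(r'http://(?!localhost|127\.0\.0\.1)[\w.\-]+[^\s"\'`<>)]*')

# Heuristic secret patterns: a key-like identifier assigned a long literal,
# plus two well-known provider token shapes. Extend for your own codebase.
SECRET_RES = [
    ("assigned-key", re.compile(
        r'(?i)\b(api[_-]?key|secret|token|password|client[_-]?secret)\b'
        r'\s*[:=]\s*["\']([A-Za-z0-9_\-\.]{16,})["\']')),
    ("aws-access-key", re.compile(r'\b(AKIA[0-9A-Z]{16})\b')),
    ("google-api-key", re.compile(r'\b(AIza[0-9A-Za-z_\-]{35})\b')),
]
SCAN_EXT = {".js", ".json", ".html"}


def scan_text(path, text):
    """Return findings for one file; secret values are truncated in the report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in HTTP_URL_RE.finditer(line):
            findings.append({"file": path, "line": lineno,
                             "kind": "http-url", "value": m.group(0)})
        for kind, rx in SECRET_RES:
            for m in rx.finditer(line):
                value = m.group(m.lastindex)  # last group holds the literal
                findings.append({"file": path, "line": lineno,
                                 "kind": kind, "value": value[:4] + "..."})
    return findings


def scan_extension(root):
    """Walk the unpacked extension and scan every script/JSON/HTML file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as f:
                findings.extend(scan_text(os.path.relpath(full, root), f.read()))
    return findings


def check_manifest(root):
    """Flag http:// match patterns under permissions (MV2) or host_permissions (MV3)."""
    with open(os.path.join(root, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    bad = []
    for key in ("permissions", "host_permissions"):
        for pattern in manifest.get(key, []):
            if isinstance(pattern, str) and pattern.startswith("http://"):
                bad.append((key, pattern))
    return bad


def build_sample_extension():
    """Write a constructed, deliberately flawed extension to a temp directory."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    manifest = {
        "manifest_version": 3,
        "name": "Sample Extension (constructed)",
        "version": "0.1",
        "host_permissions": ["http://*/*", "https://api.example.invalid/*"],
        "background": {"service_worker": "background.js"},
    }
    with open(os.path.join(root, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    background_js = (
        "// constructed sample mirroring the plaintext uninstall-URL pattern\n"
        "chrome.runtime.setUninstallURL('http://uninstall.example.invalid/bye');\n"
        "const API_KEY = 'sk_constructed_0123456789abcdef';  // hard-coded secret\n"
        "fetch('https://api.example.invalid/v1/ping', {headers: {'X-Api-Key': API_KEY}});\n"
    )
    with open(os.path.join(root, "background.js"), "w", encoding="utf-8") as f:
        f.write(background_js)
    return root


if __name__ == "__main__":
    ext_root = build_sample_extension()
    for finding in scan_extension(ext_root):
        print(f"{finding['file']}:{finding['line']} {finding['kind']}: {finding['value']}")
    for key, pattern in check_manifest(ext_root):
        print(f"manifest.json {key}: {pattern}")
```

Point `scan_extension` and `check_manifest` at a real unpacked extension directory (for example a CRX unzipped to disk) to review it; a hit on an http:// endpoint means that request is readable and modifiable by anyone on the path, and a secret hit means the literal ships to every user who installs the extension.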
You need to have verified extensions, like Mozilla does:

But it's alright to have some that are unsigned, like Internet Download Manager (I have trusted this developer since my childhood),
because Mozilla also collects information on what you are downloading from the client side (it's the only way you can prevent Mozilla from seeing the header of what you are doing
from servers to your PC).

As proof:
Internet Download Manager: Privacy Policy (this is one of the only addons I have paid to use).
2. IDM integration module add-ons and extensions: "IDM integration module" extensions for Edge, Chrome, and Firefox based browsers do not collect any data or information, except for the following case, when they collect data that is required to support IDM (Internet Download Manager) core functions: "When a browser starts a download that is going to be saved as a file on your local disk, and not displayed in the browser, and the file type matches file types in the "Options→File Types" IDM dialog, or when you start a download by using the IDM pop-up menu or IDM download panel, then "IDM integration module" extensions for Edge, Chrome, and Firefox based browsers may collect only the data that is necessary to download this file in IDM from this particular web site. This data is necessary to start, or resume the download, or schedule this download in Internet Download Manager. The data may include URL, internet address, cookies, encrypted credentials, query parameters, post data, namely all the data that the browser sends to the server when requesting the file. This data is stored on your local computer until you delete this download from the IDM list of downloads. To download a file, IDM re-sends the original download query made by your browser. IDM sends the data only to the server where the browser sent it to; IDM DOES NOT send this data to our servers, or any 3rd party servers."

Chrome doesn't sign third-party extensions, yeah that's a mistake.
That is why I don't use Chrome, but all of this is not the responsibility of Chrome anymore:


I do not mind collecting data as a price for the provided "free" service.
I just avoid free services that may represent a security risk.
As a general rule, I follow where the majority of folk is going; do not like to use abandoned programs, they must have been abandoned for a reason.
But man,
as a complement to the topic,

You say you don't care about your privacy as long as your security isn't affected.
But what you're missing is this: a lack of privacy could be a security risk.

👉 Take a look at the real-world consequences:
🔗 Securiti.ai Privacy Roundup – May 2025

Why do you think crypto analysts and reverse engineers are working together on the dark web?
Because they know that every piece of data — even encrypted — can be exploited.
Just because your messages are encrypted doesn't mean they're safe. High-end tools exist (far beyond the reach of everyday users) that can break or bypass encryption, especially when combined with other vulnerabilities.

And with flaws like:
🔗 CVE-2025-5025 – TLS 1.3 & QUIC weakened over public WiFi,
even the "safest" protocols are struggling under certain conditions,

don't think your private WiFi keeps you safe (only DSL without WiFi activated)...
Because many ISPs around the world silently share your home router with the public through "accommodation agreements"
— essentially turning your box into a public hotspot, without your consent. They call it a "WiFi booster for your private network from phones or laptops",
but in reality, it's a backdoor you can't configure or shut down if you don't have your own router.

And here's where it gets worse:
If someone connects through that shared network and their traffic is routed through a different mobile operator,
they can sniff and intercept traffic using tools like Wireshark — even on your home network.

Why? Because it's not isolated behind a proper encrypted tunnel — they're piggybacking directly off your DHCP lease.

Why do ISPs do this?
  • To control bandwidth usage, reason number 1 (because you have unlimited data)
  • To shift legal responsibility onto you, reason number 2 (to be legit in the eyes of the authorities)
  • And of course, for data collection, reason number 3 (that is how they make more money underground)
And if you read the fine print (EULA), you'll often find that protocols like DNSSEC with (IPsec, FTPS) over VPN are blocked or throttled — because they interfere with monitoring and traffic shaping by your ISP (that is why the kill switch exists).

The only protocol that actually resists this ISP setup well
is WireGuard: fast and secure.

But again, not every VPN implements it right, which is a security hole in itself.
And I don't think you have such a VPN on your WiFi router or computer.

Also, don't confuse the default "WiFi boosters" on phones or laptops with something like Speedify,
which has been independently verified by the App Defense Alliance, is MASA certified, and follows strict OWASP standards,
including regular security audits and strong encryption policies. Routers that are rented to you don't use this technology.
I rarely use WiFi; only cable ADSL.
The data I do not mind them using is browsing activity, not my passwords; they may use it to create customized ads.
You're missing a critical point.

About your passwords (I take the example of the autofill feature of the LastPass Chrome extension):

If you're not using a local vault, your credentials are not encrypted end-to-end from your browser to the destination server — even when you enter a master password to unlock access, and even if the website uses HTTPS with HSTS.

AND — if your router is offering public access to strangers through ISP agreements,
and you're not using a secure HIDDEN tunnel (like a WireGuard connection),
and someone launches a man-in-the-middle attack (which is possible on shared or ISP-leased routers with exposed DHCP),

then yes — your traffic can be sniffed (your LastPass master password).
Because, even without admin access to your router, someone on the same network can monitor your traffic using tools like Wireshark,
no matter what DNS provider you're using. DNSSEC only protects domain name resolution, preventing spoofing,
not the content you send or receive, meaning it does not stop traffic interception.

Sure, there are military-grade WiFi routers on the market that offer advanced protection —
but they're very expensive.

So here's something free and useful instead; be more concerned in the meantime:
🔗 How to tell if someone hacked your router – Norton
Yes, I know.
I do not use an online vault for this reason; only KeePassXC.