Chrome Extensions Are Leaking Your Data – and the Keys to the Kingdom
Symantec researchers found that dozens of popular Chrome extensions—some with hundreds of thousands of installs—send telemetry over unencrypted HTTP and even hard-code API keys (Google Analytics, Azure, AWS, Tenor, crypto services) directly in their JavaScript. Examples include SEMRush Rank, Browsec VPN, MSN New Tab, DualSafe Password Manager, AVG Online Security, Trust Wallet and many more. Because traffic is not encrypted, anyone on the same network could sniff or tamper with data, while exposed API secrets let attackers spoof analytics, rack up cloud bills or abuse crypto-wallet functions. Users are urged to uninstall affected add-ons until patched; developers should use HTTPS, move secrets server-side and rotate credentials.
Security specialists at Symantec have blown the whistle on a clutch of popular Google Chrome extensions that quietly undermine user privacy.
What did they find?
• 184 million telemetry calls sent in plain text over unencrypted HTTP.
• Hard-coded API keys for services such as Google Analytics 4, Microsoft Azure, AWS S3 and even crypto platform Ramp.
• Well-known names feature on the list: SEMRush Rank, Browsec VPN, MSN New Tab, DualSafe Password Manager, AVG Online Security and Trust Wallet.
Why is that dangerous?
Plain HTTP provides neither confidentiality nor integrity, so anyone on the network path (the operator of a public Wi-Fi hotspot, an ISP, or an attacker who has got themselves in the middle) can read what the extension sends and alter what comes back. The hard-coded keys are a separate problem: they ship in every installed copy and can be read out of the extension's source by anyone, so they could be used to inject fake events into the developer's web analytics, consume cloud services billed to the developer's account, or send requests to the crypto platform that look as if they came from the extension.
Real-world examples
• Browsec VPN sets its uninstall URL (the page Chrome opens when a user removes the extension) to a plain-HTTP address, so whoever sits on the network path at that moment can replace the page with one of their own.
• DualSafe Password Manager sends usage stats without encryption—hardly confidence-boosting for a security product.
• Equatio – Math Made Digital includes an Azure speech-to-text key inside its code; Symantec warns the same mistake appears in more than 90 other extensions using a shared library.
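The findings above can be reproduced against any extension installed on your own machine, because Chrome keeps installed extensions unpacked on disk. Below is a small static scanner, added here for this page and not taken from the Symantec report or from any of the extensions named: it looks for plain http:// endpoints and for credential-shaped strings (a GA4 Measurement Protocol api_secret, an AWS access key ID, an Azure Cognitive Services subscription key) in an extension's scripts. The sample background script embedded in it is constructed for the demo and its keys are fake; the rule patterns are the well-known shapes of those credentials, not a complete secret-detection ruleset.

```javascript
// Added example (not from the Symantec report or any extension named above): a small
// static scanner for plain http:// endpoints and credential-shaped strings in an
// extension's source. SAMPLE_SOURCE below is constructed; the keys in it are fake.
'use strict';

const RULES = [
  // Any call to a plain http:// origin (https:// is deliberately not matched).
  { kind: 'http-url', pattern: /\bhttp:\/\/[^\s'"`)]+/g },
  // GA4 Measurement Protocol api_secret passed as a query parameter.
  { kind: 'ga4-api-secret', pattern: /api_secret=([A-Za-z0-9_-]+)/g },
  // AWS access key ID: "AKIA" followed by 16 upper-case alphanumerics.
  { kind: 'aws-access-key-id', pattern: /\bAKIA[0-9A-Z]{16}\b/g },
  // Azure Cognitive Services (e.g. Speech) key: 32 hex chars in the Ocp-Apim-Subscription-Key header.
  { kind: 'azure-subscription-key',
    pattern: /Ocp-Apim-Subscription-Key['"]?\s*[:=]\s*['"]([0-9a-f]{32})['"]/gi },
];

// Scan one file's text. Returns one finding per match, with a 1-based line number.
function scanSource(text, fileName = '<inline>') {
  const findings = [];
  for (const rule of RULES) {
    const re = new RegExp(rule.pattern.source, rule.pattern.flags); // fresh lastIndex per call
    let m;
    while ((m = re.exec(text)) !== null) {
      const line = text.slice(0, m.index).split('\n').length;
      findings.push({ file: fileName, line, kind: rule.kind, value: m[1] !== undefined ? m[1] : m[0] });
    }
  }
  return findings;
}

// Never copy a whole credential into a ticket or a log; keep a prefix for triage only.
function redact(value) {
  return value.length <= 8 ? value : value.slice(0, 4) + '...' + value.slice(-2);
}

// Walk an unpacked extension directory (Chrome stores installed extensions under the
// profile's Extensions/<id>/<version>/ folder) and scan every script, JSON and HTML file.
function scanDirectory(dir) {
  const fs = require('fs');     // loaded here so scanSource() itself has no Node-only dependency
  const path = require('path');
  const findings = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) findings.push(...scanDirectory(full));
    else if (/\.(m?js|json|html?)$/i.test(entry.name)) {
      findings.push(...scanSource(fs.readFileSync(full, 'utf8'), full));
    }
  }
  return findings;
}

// Constructed sample of a background script with the flaws the article describes.
const SAMPLE_SOURCE = `
const GA_ID = "G-ABCDEFGHIJ";
const GA_SECRET = "api_secret=examplesecret0123";
fetch("http://telemetry.example.com/v1/collect?id=" + GA_ID + "&" + GA_SECRET);
const awsKey = "AKIAEXAMPLEEXAMPLE12";
const speech = { "Ocp-Apim-Subscription-Key": "0123456789abcdef0123456789abcdef" };
fetch("https://api.example.com/uninstall");
`;

// Print findings in file:line form and return how many there were.
function report(findings) {
  for (const f of findings) console.log(`${f.file}:${f.line}  ${f.kind}  ${redact(f.value)}`);
  return findings.length;
}

// Usage: node scan.js <path-to-unpacked-extension>; with no argument, scans the sample.
report(process.argv[2] ? scanDirectory(process.argv[2]) : scanSource(SAMPLE_SOURCE, 'background.js'));
```

On Linux the installed copies live under ~/.config/google-chrome/Default/Extensions/, on macOS under ~/Library/Application Support/Google/Chrome/Default/Extensions/ and on Windows under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\. A hit on the http-url rule is exactly the plaintext telemetry Symantec describes; a hit on any of the key rules means the credential is already in the hands of every user who installed the extension.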
Advice for users
1. Remove the affected add-ons until developers issue patches.
2. Stick to extensions that publish regular security updates.
3. Enable HTTPS-only mode in Chrome's settings. This protects your own browsing, but it is designed for page navigations and should not be relied on to upgrade the requests an extension makes from its background script, which is why step 1 matters.
Advice for developers
• Use HTTPS for every call, even telemetry, and enforce it: in a Manifest V3 extension, a connect-src directive in the manifest's content_security_policy that names only https: origins turns an accidental http:// fetch into a blocked request rather than a leak.
• Keep credentials on a back-end you control and have the extension call that back-end instead. Everything in client-side JavaScript can be read by anyone who installs the extension, and minification is not protection.
• Treat any key that has ever shipped in a release as compromised and revoke or regenerate it now; then rotate keys and secrets on a schedule so the next leak has a bounded lifetime.
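The before-and-after that the developer advice amounts to, as an added example written for this page rather than taken from Symantec or from any of the extensions named: a constructed telemetry helper for a Manifest V3 extension in the vulnerable form described above (secret in the code, request in the clear) beside a hardened one that talks only to a back-end proxy over HTTPS. The proxy endpoint https://telemetry.example.com, the secret value and the event shape are assumptions; the Google Analytics 4 Measurement Protocol endpoint and its measurement_id and api_secret parameters are the real ones.

```javascript
// Added example, not any real extension's code. The pattern the article describes,
// then a hardened version. https://telemetry.example.com and the secret are assumptions.
'use strict';

const GA4_MEASUREMENT_ID = 'G-ABCDEFGHIJ';   // public identifier; fine to ship
const GA4_API_SECRET = 'examplesecret0123';  // Measurement Protocol secret; must never ship

// BEFORE: secret embedded in the extension and the request sent over plain HTTP.
function buildVulnerableTelemetryRequest(event, clientId) {
  return {
    method: 'POST',
    url: 'http://www.google-analytics.com/mp/collect' +
         `?measurement_id=${GA4_MEASUREMENT_ID}&api_secret=${GA4_API_SECRET}`,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ client_id: clientId, events: [event] }),
  };
}

// AFTER: the extension only ever talks to a back-end you control, over HTTPS. That back-end
// holds api_secret and forwards events to Google; the client never sees the secret.
const TELEMETRY_PROXY = 'https://telemetry.example.com/v1/events'; // assumed endpoint

function buildHardenedTelemetryRequest(event, clientId) {
  return {
    method: 'POST',
    url: TELEMETRY_PROXY,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ client_id: clientId, events: [event] }),
  };
}

// Fail closed: refuse to send anything to a non-HTTPS origin, even if a config value regresses.
function assertHttps(url) {
  const u = new URL(url);
  if (u.protocol !== 'https:') throw new Error(`refusing plaintext request to ${u.origin}`);
  return url;
}

// fetchImpl is injectable so the function can be exercised without network access.
async function sendTelemetry(req, fetchImpl = globalThis.fetch) {
  assertHttps(req.url);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return res.status;
}

// Manifest V3 fragment that pins the extension's network access to the proxy. The
// extension_pages CSP covers extension pages and the background service worker, so an
// accidental http:// fetch from them is blocked by Chrome; host_permissions declares the
// one origin the extension needs. Content scripts run under the host page's CSP instead.
const MANIFEST_FRAGMENT = {
  manifest_version: 3,
  host_permissions: ['https://telemetry.example.com/*'],
  content_security_policy: {
    extension_pages: "default-src 'self'; connect-src https://telemetry.example.com",
  },
};

// Demo on a constructed event: the vulnerable request is refused, the hardened one passes.
const demoEvent = { name: 'extension_installed', params: { version: '1.0.0' } };
const bad = buildVulnerableTelemetryRequest(demoEvent, 'demo-client');
const good = buildHardenedTelemetryRequest(demoEvent, 'demo-client');
try { assertHttps(bad.url); } catch (e) { console.log('blocked:', e.message); }
console.log('allowed:', assertHttps(good.url));
console.log('manifest:', JSON.stringify(MANIFEST_FRAGMENT));
```

The proxy is also where rate limiting, schema validation and key rotation live: when the GA4 secret or an Azure key is regenerated, only the back-end changes and no extension update has to reach users.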
The takeaway is simple: a million-strong install base does not guarantee good practice. Scrutinise what your favourite browser helpers really send home.