Full Report
Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data over HTTP and to hard-code secrets in their code, exposing users to privacy and security risks. "Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher in Symantec's Security Technology and Response
Analysis Summary
This summary is based on the context provided, which details multiple security misconfigurations across numerous popular Google Chrome extensions, primarily involving unencrypted data transmission (HTTP) and hard-coded secrets. No specific CVEs were assigned in the provided text.
# Vulnerability: Multiple Chrome Extensions Exposing Data via HTTP and Hard-Coded Secrets
## CVE Details
- CVE ID: None publicly provided in the source material.
- CVSS Score: Not explicitly provided, but the risk is high due to data exposure and potential AitM attacks.
- CWE: CWE-319 (Cleartext Transmission of Sensitive Information), CWE-798 (Use of Hard-coded Credentials)
## Affected Systems
- Products: Several popular Google Chrome Extensions.
- Versions: Not specified, assumed to be the versions existing at the time of the report (June 2025).
- Configurations: Any configuration where the extensions are installed and communicating with external endpoints over HTTP or where embedded secrets are accessed.
## Vulnerability Description
Security researchers found multiple popular Chrome extensions transmitting sensitive user data (browsing domains, machine IDs, OS details, usage analytics) in plaintext over unencrypted HTTP connections, making them susceptible to Adversary-in-the-Middle (AitM) attacks on local networks.
Additionally, a separate class of vulnerabilities involves developers hard-coding sensitive secrets (API keys, tokens, credentials) directly into the client-side JavaScript code. These secrets include Google Analytics 4 (GA4) API secrets, Microsoft Azure API keys for speech recognition, AWS access keys for S3 uploads, Tenor GIF API keys, and credentials related to Web3 platforms (Ramp Network).
## Exploitation
- Status: Findings suggest the issues are configuration flaws; public exploitation status is unknown, but PoCs are highly plausible given the nature of the flaws (hard-coded keys are instantly weaponizable).
- Complexity: Low for both vectors (intercepting unencrypted HTTP traffic on a shared network; using secrets extracted from the extension's JavaScript).
- Attack Vector: Network (for AitM interception); Code Access/Network (for utilizing hard-coded secrets).
## Impact
- Confidentiality: High (Sensitive user data, machine IDs, browsing domains transmitted insecurely).
- Integrity: Medium (AitM attacks could allow data modification; weaponized API keys could allow spoofed data submission or service abuse).
- Availability: Low to Medium (Potential for developers to incur excessive API costs or have services suspended due to misuse of stolen keys).
## Remediation
### Patches
Developers must update the extensions to address the disclosed issues. Specific patch versions are not detailed in this summary, but required actions include:
1. Switch all data transmission to use **HTTPS**.
2. **Remove all hard-coded secrets/credentials** from client-side code and migrate them to secure backend servers using credential management services.
3. **Rotate any exposed secrets immediately**, and rotate secrets on a regular schedule thereafter.
### Workarounds
Users of affected extensions should **consider removing them immediately** until developers provide updates addressing the insecure HTTP calls.
## Detection
- Indicators of Compromise: Network traffic analysis showing browser-originated communication with the extensions' reporting endpoints over TCP port 80 (HTTP) rather than TLS.
- Detection Methods and Tools: Network monitoring tools (e.g., Wireshark, proxy tools) configured to inspect outbound connections from the browser. Static analysis tools can scan extension source code for common API key patterns or hard-coded credentials.
## References
- Vendor advisories: Not explicitly detailed, but Symantec researchers uncovered the issues.
- Relevant links (defanged):
  - Symantec Report (Data Leak): hxxps://www[.]security[.]com/threat-intelligence/chrome-extension-leaks
  - Symantec Report (Credentials): hxxps://www[.]security[.]com/threat-intelligence/chrome-extension-credentials