Security Alert: Top Chrome Extensions Expose API Keys and User Data


Security Concerns Surrounding Popular Google Chrome Extensions

Published: June 5, 2025 | Author: Ravie Lakshmanan
Categories: Browser Security / Online Safety


Introduction to the Risks

Cybersecurity experts have raised alarms about numerous widely used Google Chrome extensions that pose significant privacy and security threats. Many of these extensions are sending data over unencrypted HTTP, which can make user information vulnerable to interception.

Unencrypted Data Transmission

Yuanjing Guo, a security researcher from Symantec’s Security Technology and Response team, emphasizes the issue: "Several widely used extensions […] unintentionally transmit sensitive data over simple HTTP." This exposes a variety of information, such as browsing domains, machine IDs, details about the operating system, and usage analytics—all in plaintext.

The absence of encryption not only compromises user privacy but also opens the door to potential adversary-in-the-middle (AitM) attacks. These attacks can occur on public networks, allowing malicious individuals to intercept and modify this sensitive data. The consequences of these vulnerabilities could be severe and far-reaching.

Identified Vulnerable Extensions

Symantec identified the following extensions and the specific risk associated with each.

  • SEMRush Rank (ID: idbhoeaiokcojcgappfigpifhpkjgmab) and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl): Both extensions make calls to "rank.trellian[.]com" over plain HTTP.

  • Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh): This extension uses HTTP when calling an uninstallation URL, potentially exposing user information during the removal process.

  • MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl) and MSN Homepage, Bing Search & News (ID: midiombanaceofjhodpdibeppmnamfcj): These transmit unique machine identifiers and other sensitive info to "g.ceipmsn[.]com" using HTTP.

  • DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc): This extension makes HTTP requests carrying details about the user’s browser language and extension version.

Although it appears no credentials or passwords are leaked, Guo points out that the use of unencrypted requests significantly undermines the credibility of password managers regarding their security protocols.

Hard-Coded Secrets in Extensions

In addition to the insecure data transmissions, Symantec has identified a troubling trend where certain extensions contain hard-coded API keys and tokens within their JavaScript code. This poses an additional layer of vulnerability, as these keys could be exploited by attackers for malicious purposes.

Examples include:

  • Online Security & Privacy (ID: gomekmidlodglbbmalcneegieacbdmki) and other extensions that expose a Google Analytics 4 (GA4) API secret, potentially allowing attackers to corrupt data metrics.

  • Equatio – Math Made Digital (ID: hjngolefdpdnooamgdldlkjgmdcmcjnc): This extension embeds a Microsoft Azure API key used for speech recognition, which malicious actors could exploit.

  • Awesome Screen Recorder & Screenshot (ID: nlipoenfbbikpbjkfpfillcgkoblgpmj): This tool exposes an Amazon Web Services (AWS) access key, risking unauthorized uploads to the developer’s account.

  • Microsoft Editor (ID: gpaiobkfhnonedkhhfjpmhdalgeoebfa): This extension exposes a telemetry key used for logging user data, raising further privacy concerns.

These vulnerabilities highlight just how easily a few lines of improperly protected code can threaten the integrity of an entire service.
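
As an added example (not code from Symantec or from any of the extensions named above), the following JavaScript shows how a developer or reviewer could statically audit an unpacked extension's sources for the two problem classes described in this article: plain-HTTP endpoints and hard-coded credentials. The file contents, hostnames and key values are constructed samples, and the function and rule names are assumptions made for illustration.

```javascript
// Added example: static audit of extension sources. All sample data below is constructed.
const SECRET_RULES = [
  // AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // GA4 Measurement Protocol secret passed as the api_secret query parameter.
  { name: "ga4-api-secret", re: /api_secret=[A-Za-z0-9_-]{8,}/g },
  // Azure subscription-key header assigned a string literal.
  { name: "azure-subscription-key",
    re: /Ocp-Apim-Subscription-Key["']?\s*[:,]\s*["'][^"']{16,}["']/g },
];
// Plain-HTTP URLs; loopback hosts and W3C namespace URIs are not network leaks.
const HTTP_URL = /http:\/\/([A-Za-z0-9.-]+)[^\s"'`)]*/g;
const HTTP_ALLOW = /^(localhost|127\.0\.0\.1|www\.w3\.org)$/;

// files: object mapping file name -> source text. Returns a list of findings.
function auditExtension(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    source.split("\n").forEach((text, i) => {
      const line = i + 1;
      for (const m of text.matchAll(HTTP_URL)) {
        if (!HTTP_ALLOW.test(m[1])) {
          findings.push({ file, line, rule: "plain-http", detail: m[1] });
        }
      }
      for (const { name, re } of SECRET_RULES) {
        // Report only rule and location so the audit output never repeats the secret.
        if (text.match(re)) findings.push({ file, line, rule: name, detail: "redacted" });
      }
    });
  }
  return findings;
}

// Constructed sample standing in for an unpacked extension directory.
const SAMPLE_EXTENSION = {
  "background.js": [
    'const svg = "http://www.w3.org/2000/svg";',
    'fetch("http://telemetry.example.test/ping?mid=" + machineId);',
    'fetch("https://api.example.test/v1/config");',
    'const ga = "https://www.google-analytics.com/mp/collect?measurement_id=G-TEST&api_secret=CONSTRUCTED_secret1";',
  ].join("\n"),
  "upload.js": [
    'const creds = { accessKeyId: "AKIAIOSFODNN7EXAMPLE" };',
    'const headers = { "Ocp-Apim-Subscription-Key": "0123456789abcdef0123456789abcdef" };',
  ].join("\n"),
};

for (const f of auditExtension(SAMPLE_EXTENSION)) {
  console.log(`${f.file}:${f.line} ${f.rule} (${f.detail})`);
}
```

Run in a build pipeline, a non-empty result is a reason to fail the release until the request is moved to HTTPS or the credential is moved to a backend server and rotated.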

Recommendations for Developers

Experts like Guo stress that developers must adopt best practices to safeguard user data. He recommends transitioning to HTTPS for data transmission, securely managing credentials on a backend server, and regularly updating secrets to minimize security risks.

The findings indicate that popular extensions, even those boasting hundreds of thousands of installations, can suffer from seemingly minor security oversights that place user data in jeopardy.

Conclusion: Awareness and Vigilance

Users should exercise caution regarding these extensions and consider removing them until the developers can fix the insecure HTTP calls. As many users gravitate toward familiar brands, it’s crucial to remain vigilant. High installation numbers do not necessarily equate to robust security practices.

The overarching takeaway is clear: users must scrutinize the encryption protocols and data-sharing practices of the tools they use. Only then can they ensure their information remains secure and private.

