The Cyber Bulletin: Major data exposure discovered in widely used Chrome extensions

Last month, researchers from Symantec’s Security Technology and Response team revealed vulnerabilities in several widely used Chrome extensions, including SEMRush Rank, PI Rank, MSN New Tab/Homepage, DualSafe Password Manager, Browsec VPN, and others.

These extensions were found to perform network requests over unencrypted HTTP, transmitting sensitive user data - such as browsing domains, machine identifiers, operating system details, usage analytics, and uninstall information - in plaintext. This practice leaves users exposed to man‑in‑the‑middle attacks, especially on public Wi‑Fi networks, where attackers can intercept or even manipulate this data in transit.

Beyond unencrypted transmission, the investigation uncovered hard‑coded credentials embedded within some of these extensions’ source code. Notable examples included Avast Online Security & Privacy and AVG Online Security, with hard‑coded Google Analytics 4 API secrets visible in their JavaScript files. This oversight enables virtually anyone to extract these secrets and misappropriate them to generate analytics noise, run up resource usage fees, or manipulate cloud services - jeopardising both privacy and cost control.

The risk assessment made clear that even extensions marketed as tools for privacy or security were inadvertently acting as side‑channel data leaks. The HTTP transmissions meant for analytics or ranking purposes were exposing domain visits and internal system IDs, creating profiles that could be used for user profiling, correlation attacks, or targeted phishing campaigns.

The specific targeting of extensions like SEMRush and PI Rank, each with tens of thousands of users, demonstrates how even moderately popular extensions pose a significant scale of vulnerability.

The combination of hard‑coded keys and unencrypted data channels significantly escalates the threat. Encrypted protocols such as HTTPS must become default, particularly for extensions dealing with privacy or user analytics. Developers are urged to remove embedded API credentials from JavaScript code and instead manage authentication secrets securely, ideally using server‑side services or secure secret vaults.

This wave of findings illustrates the nature of common development oversights - leaving credentials hard‑coded, relying on unencrypted HTTP, and insufficient threat modelling. Simultaneously, this incident emphasises a systemic need for stronger secure development education and oversight in browser extension ecosystems.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).