Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hardcoded Credentials
Briefly

Recent cybersecurity research has uncovered multiple popular Google Chrome extensions that transmit sensitive user data via unencrypted HTTP. This practice makes users susceptible to various security risks, including adversary-in-the-middle (AitM) attacks, where malicious actors can intercept and manipulate data. Specific offending extensions like SEMRush Rank, Browsec VPN, and DualSafe Password Manager were highlighted for their insecure coding practices. The findings raise concerns over user privacy, especially when extensions designed for security, like password managers, fail to protect user data appropriately.
"Although credentials or passwords do not appear to be leaked, the fact that a password manager uses unencrypted requests for telemetry erodes trust in its overall security measure."
"Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP. By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information, in plaintext."
Read at The Hacker News