A recent investigation has revealed that several widely used Google Chrome extensions are transmitting sensitive user data over unencrypted HTTP connections, exposing millions of users to serious privacy and security risks.

The findings, published by cybersecurity researchers and detailed in a blog post by Symantec, name extensions including:

PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl)

Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh)

MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl)

SEMRush Rank (ID: idbhoeaiokcojcgappfigpifhpkjgmab)

DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc)

These and other extensions handle user data in ways that open the door to eavesdropping, profiling, and other attacks.

Extensions That Promise Privacy Are Doing the Opposite

Although these extensions are legitimate and meant to help users monitor web rankings, manage passwords, or improve their browsing experience, behind the scenes, they are making network requests without encryption, allowing anyone on the same network to see exactly what’s being sent.

In some cases, this includes details like the domains a user visits, operating system information, unique machine IDs, and telemetry data. More troubling, several extensions were also found to have hardcoded API keys, secrets, and tokens inside their source code, valuable information that attackers can easily exploit.

Real Risk on Public Networks

When extensions transmit data using HTTP rather than HTTPS, the information travels across the network in plaintext. On a public Wi-Fi network, for example, a malicious actor can intercept that data with little effort. Worse still, they can modify it mid-transit.

This opens the door to attacks that go far beyond spying. According to Symantec’s blog post, in the case of Browsec VPN, a popular privacy-focused extension with over six million users, the use of an HTTP endpoint during the uninstall process sends user identifiers and usage stats without encryption. The extension’s configuration allows it to connect to insecure websites, further widening the attack surface.

Data Leaks Across the Board

Other extensions are guilty of similar issues. SEMRush Rank and PI Rank, both designed to show website popularity, were found to send full URLs of visited sites over HTTP to third-party servers. This makes it easy for a network observer to build detailed logs of a user’s browsing habits.

MSN New Tab and MSN Homepage, with hundreds of thousands of users, transmit machine IDs and other device details. These identifiers remain stable over time, allowing adversaries to link multiple sessions and build profiles that persist across browsing activity.

Even DualSafe Password Manager, which handles sensitive information by nature, was caught sending telemetry data over HTTP. While no passwords were leaked, the fact that any part of the extension uses unencrypted traffic raises concerns about its overall design.

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, commented on this, stating, "This incident highlights a critical gap in extension security – even popular Chrome extensions can put users at risk if developers cut corners. Transmitting data over unencrypted HTTP and hard-coding secrets exposes users to profiling, phishing and adversary-in-the-middle attacks – especially on unsecured networks."

He warned of consequences for unsuspecting users and advised that "Organizations should take immediate action by enforcing strict controls around browser extension usage, managing secrets securely and monitoring for suspicious behaviour across endpoints."

Privacy and Data Security Threat

Although none of the extensions were found to leak passwords or financial data directly, the exposure of machine identifiers, browsing habits, and telemetry is far from harmless. Attackers can use this data to track users across websites, deliver targeted phishing campaigns, or impersonate device telemetry for malicious purposes.

While these risks are theoretical, NordVPN’s latest findings spotted more than 94 billion browser cookies on the dark web. When combined with the data leaks highlighted by Symantec, the potential for damage is significant.

Developers who include hardcoded API keys or secrets inside their extensions add another layer of risk. If an attacker gets hold of these credentials, they can misuse them to impersonate the extension, send forged data, or even inflate service usage, leading to financial costs or account bans for the developers.

What Users Can Do

Symantec has contacted the developers involved, and only DualSafe Password Manager has fixed the issue. Yet, users who have installed any of the affected extensions are advised to remove them until the developers fix the issues. Even popular and well-reviewed extensions can make unsafe design choices that go unnoticed for years.

Hackread.com recommends checking the permissions an extension asks for, avoiding unknown publishers, and using a trusted security solution. Above all, any tool that promises privacy or security should be examined carefully for how it handles your data.
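
As an added example (not part of the original article or of Symantec's research), the following sketch statically audits an unpacked extension for the two issues described above: host match patterns that cover http:// sites, and cleartext endpoints or credentials hardcoded in scripts. The regex heuristics, function names and the sample manifest and script are constructed for illustration.

```python
import json
import re

# Heuristic patterns (assumptions of this example, not Symantec's methodology).
HTTP_URL = re.compile(r"""["'`](http://[^"'`\s]+)""")
SECRET = re.compile(
    r"""(?i)\b(api[_-]?key|api[_-]?secret|secret|token)["']?\s*[:=]\s*["']([\w\-]{16,})["']""")
BROAD_HOSTS = ("http://", "*://", "<all_urls>")   # match patterns that cover cleartext sites
BENIGN = ("http://localhost", "http://127.0.0.1", "http://www.w3.org/")

def audit_manifest(text):
    """Return host match patterns that let the extension touch http:// origins."""
    m = json.loads(text)
    patterns = list(m.get("host_permissions", [])) + list(m.get("permissions", []))
    for cs in m.get("content_scripts", []):
        patterns += cs.get("matches", [])
    return sorted({p for p in patterns if p.startswith(BROAD_HOSTS)})

def scan_source(text):
    """Return (kind, line_no, detail) for cleartext endpoints and likely secrets."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for url in HTTP_URL.findall(line):
            if not url.startswith(BENIGN):
                findings.append(("cleartext-endpoint", no, url))
        for name, value in SECRET.findall(line):
            # Report only a prefix so the audit log does not re-leak the credential.
            findings.append(("hardcoded-secret", no, f"{name}={value[:4]}..."))
    return findings

# Constructed sample input: not taken from any of the extensions named above.
SAMPLE_MANIFEST = '''{"manifest_version": 3, "name": "demo",
  "permissions": ["storage", "tabs"],
  "host_permissions": ["https://api.example.test/*", "http://*/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]}'''
SAMPLE_JS = '''const API_KEY = "EXAMPLEKEY0123456789abcd";
fetch("http://stats.example.test/rank?url=" + encodeURIComponent(location.href));
fetch("https://api.example.test/v1/ping");
const ns = "http://www.w3.org/2000/svg";'''

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
    for finding in scan_source(SAMPLE_JS):
        print(finding)
```

A hit is a prompt for manual review rather than proof of a leak: an http:// string may never be requested, and endpoints assembled at runtime will not match.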
