Research from Symatec reveals 6 widely used Google Chrome extensions unintentionally transmit user data over simple HTTP. The extensions are: 

• SEMRush Rank
• PI Rank
• MSN New Tab
• MSN Homepage
• DualSafe Password Manager
• Browsec VPN

In doing so, user information such as machine IDs, browsing domains, OS details, usage analytics and more are exposed. Since the traffic is unencrypted, a Man-in-the-Middle (MITM) attacker could intercept or modify the data. 

Below, security leaders discuss these risks and offer advice for mitigating them. 

Security Leaders Weigh In

Eric Schwake, Director of Cybersecurity Strategy at Salt Security:

The emergence of widely used Google Chrome extensions that leak API keys and transmit data without encryption through HTTP poses a serious and complex threat. The lack of encryption for sensitive information, such as browsing domains and machine IDs, significantly endangers user privacy, making them susceptible to man-in-the-middle attacks, where malicious entities can intercept or modify data. Hard-coding API keys and secrets directly into JavaScript makes these credentials easily accessible to attackers. They can exploit these keys maliciously, including inflating API costs, hosting illicit content, or replicating sensitive transactions, such as cryptocurrency orders.

Companies need to adopt a foundational strategy for managing their digital presence to secure Google Chrome environments. Initially, they should implement stringent policies for approved browser extensions and ensure thorough vetting, emphasizing secure communication and credential management. Furthermore, secure coding practices must be enforced for any internal extensions or applications to ensure API communications are encrypted using HTTPS and strictly prevent hard-coding API keys or sensitive tokens in client-side code. It is crucial to adopt a proactive API posture governance to identify all APIs, enforce secure transport layers, and ensure robust authentication and authorization mechanisms are in place to shield against the exploitation of these vulnerable client-side elements.

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security: 

This incident highlights a critical gap in extension security — even popular Chrome extensions can put users at risk if developers cut corners. Transmitting data over unencrypted HTTP and hard-coding secrets exposes users to profiling, phishing and adversary-in-the-middle attacks — especially on unsecured networks.

Organizations should take immediate action by enforcing strict controls around browser extension usage, managing secrets securely and monitoring for suspicious behavior across endpoints. These are essential elements to a strong cybersecurity posture. Just because a browser extension is very popular and has a large user base doesn’t mean it’s secure. Businesses must scrutinize all browser extensions to protect sensitive data and identities.

Trey Ford, Chief Information Security Officer at Bugcrowd:

Safety, security, and privacy are strong motivators for everyone online — trust is something we all aspire to find.

Google's Chrome team does the hard work of defending a massive population of users who do not fully understand the risk of using these browser extensions- and they are constantly defending and raising that bar of performance. We used to call these BHO’s — browser helper objects — and this was a very common way to compromise browsers for various outcomes, ranging from stealing credentials and spying on users, to simply establishing ways to very uniquely identify and track users across the internet. Ultimately this can manifest as a form of malware, and unavoidably create new attack surface for miscreants to attack and compromise a very secure browsing experience.

Google has both the vantage point, and duty, to enforce a standard of behavior and care in their add-on marketplace.