Wednesday, July 9, 2025

Popular Chrome Extensions Expose Users to Cyber Threats

by PJ Bradley on June 30, 2025

It is tempting to assume that widely used browser extensions are held to strict security practices to protect users of popular browsers such as Google Chrome, but that is not always the case. The ecosystem of thousands of Chrome extensions is wilder, and less disciplined about basic security measures, than many would expect. Many users rely on extensions to extend the browser with privacy, analytics, and convenience features, but every extension runs with some access to the user's browsing, so it is important to understand the risks that come with it.

Unveiling Critical Flaws

Symantec recently found that a number of popular Chrome extensions send data over unencrypted HTTP: SEMRush Rank, PI Rank, MSN New Tab, MSN Homepage, DualSafe Password Manager & Digital Vault, and Browsec VPN. Because the requests use plain HTTP rather than HTTPS, the data travels in cleartext, including the domains a user browses, machine IDs, operating system details, usage analytics, and uninstall information.

This is a serious weakness in these extensions and a symptom of the extension landscape at large. Anyone positioned on the network path, such as the operator of a public Wi-Fi hotspot or a compromised router, can read unencrypted traffic, and an adversary-in-the-middle can also modify it. Eavesdropping alone is bad enough, since a user's browsing domains and machine identifiers are sufficient to profile and track them; the ability to tamper with requests and responses in transit opens the door to far more extensive damage, because the extension will act on whatever it receives.

Secrets in the Code: Hardcoded Credentials

Beyond unencrypted transport, insecure coding practices also contribute to the security gaps in browser extensions. Symantec found API keys, secrets, and tokens embedded directly in the code of Antidote Connector, Avast Online Security & Privacy, Awesome Screen Recorder & Screenshot, and Microsoft Editor.

A credential embedded in an extension is effectively public: the extension's JavaScript is shipped to every user and can be unpacked and read by anyone who installs it, so recovering the key requires no exploit at all. Stolen API keys and tokens can be used for profiling, data correlation, and targeted attacks, and, depending on what a particular key authorises, to host illegal content on the vendor's storage, submit fraudulent telemetry data, run up the vendor's API costs, and more.

Broader Risk: The InboxSDK Vulnerability

Unfortunately, the risk is not confined to extensions whose own developers embed credentials. One of the extensions flagged for hard-coded credentials, Antidote Connector, bundles InboxSDK, a third-party library that itself contains hard-coded credentials such as API keys. Because the key ships inside the library, every extension that includes that copy of InboxSDK exposes the same secret, whether or not its developers ever handled it directly. In total, over 90 extensions are affected by this flaw through the use of shared SDKs.
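The three problems described above (plain-HTTP endpoints, credentials in shipped code, and one SDK's key recurring across many extensions) are all visible statically in an unpacked extension. The following Node.js checker is an added example, not code from the article, from Symantec, or from any extension named here. It scans a small corpus of extension sources constructed inline (the names, hosts and keys are fictitious; the AWS key is Amazon's documented dummy example), flags `http://` literals and credential-shaped literals, and then groups identical secrets across extensions to surface ones that arrive via a shared library. The regexes are heuristics, and the allowlist of benign `http://` namespace URIs is an assumption about typical noise.

```javascript
'use strict';

// Constructed sample corpus, keyed by extension name; each value maps a file
// path inside the unpacked extension to its source text. The extension names,
// hosts and keys are fictitious (the AWS key is Amazon's documented dummy
// example); nothing here is taken from the extensions named in the article.
const SAMPLE_CORPUS = {
  'example-rank-checker': {
    'manifest.json': '{"manifest_version": 3, "name": "example-rank-checker", "version": "1.0"}',
    'background.js': [
      'const ANALYTICS = "http://stats.example-vendor.test/collect";',
      'fetch(ANALYTICS + "?domain=" + new URL(tab.url).hostname);',
    ].join('\n'),
    'popup.js': 'document.createElementNS("http://www.w3.org/2000/svg", "svg");',
  },
  'example-mail-helper': {
    'lib/shared-sdk.js': 'var AWS_KEY = "AKIAIOSFODNN7EXAMPLE";\nvar GA_KEY = "AIzaSyA-FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK";',
    'content.js': 'fetch("https://api.example-vendor.test/v1/ping");',
  },
  'example-grammar-tool': {
    'lib/shared-sdk.js': 'var AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
  },
};

// Plain-HTTP URL literals. XML namespace URIs (SVG, XHTML) and loopback hosts
// are not remote endpoints, so they are allowlisted to keep the report useful.
const HTTP_URL = /\bhttp:\/\/[^\s"'`<>)]+/g;
const BENIGN_HTTP_PREFIXES = ['http://www.w3.org/', 'http://localhost', 'http://127.0.0.1'];

// Credential shapes: well-known prefixes first, then a generic rule for any
// quoted literal of 16+ characters assigned to a key/secret/token/password name.
// These are heuristics; they find embedded keys but not every one.
const SECRET_PATTERNS = [
  { kind: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g, group: 0 },
  { kind: 'google-api-key', re: /\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])/g, group: 0 },
  {
    kind: 'assigned-secret-literal',
    re: /[A-Za-z_]*(?:key|secret|token|password)[A-Za-z_]*\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/gi,
    group: 1,
  },
];

// Scan one source file; returns { extension, path, kind, value } findings.
function scanFile(extension, path, text) {
  const findings = [];
  for (const m of text.matchAll(HTTP_URL)) {
    if (BENIGN_HTTP_PREFIXES.some((p) => m[0].startsWith(p))) continue;
    findings.push({ extension, path, kind: 'plain-http', value: m[0] });
  }
  const seen = new Set(); // report each literal once, under the most specific rule
  for (const { kind, re, group } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) {
      const value = m[group];
      if (seen.has(value)) continue;
      seen.add(value);
      findings.push({ extension, path, kind, value });
    }
  }
  return findings;
}

// Scan every file of every extension in the corpus.
function scanCorpus(corpus) {
  const findings = [];
  for (const [extension, files] of Object.entries(corpus)) {
    for (const [path, text] of Object.entries(files)) {
      findings.push(...scanFile(extension, path, text));
    }
  }
  return findings;
}

// A secret that recurs verbatim in several extensions almost always arrives
// through a shared library rather than from each vendor independently: one
// embedded key in an SDK fans out to every extension that bundles it.
function sharedSecrets(findings) {
  const byValue = new Map();
  for (const f of findings) {
    if (f.kind === 'plain-http') continue;
    if (!byValue.has(f.value)) byValue.set(f.value, { kind: f.kind, value: f.value, extensions: new Set() });
    byValue.get(f.value).extensions.add(f.extension);
  }
  return [...byValue.values()]
    .filter((g) => g.extensions.size > 1)
    .map((g) => ({ kind: g.kind, value: g.value, extensions: [...g.extensions].sort() }));
}

// Run directly: node scan-extensions.js
if (typeof require !== 'undefined' && require.main === module) {
  const report = scanCorpus(SAMPLE_CORPUS);
  for (const f of report) console.log(`${f.kind.padEnd(24)} ${f.extension}/${f.path}: ${f.value}`);
  for (const s of sharedSecrets(report)) console.log(`shared ${s.kind} across ${s.extensions.join(', ')}`);
}
if (typeof module !== 'undefined') module.exports = { SAMPLE_CORPUS, scanFile, scanCorpus, sharedSecrets };
```

To run it against real extensions, replace `SAMPLE_CORPUS` with the contents of each unpacked extension directory (Chrome keeps installed extensions unpacked under the profile's `Extensions` folder, one subdirectory per extension ID and version). A `plain-http` hit in a background or content script is the transport problem described above; a secret that `sharedSecrets` reports across several unrelated extensions is the shared-SDK problem, and the file path it comes from usually names the library.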

Expert Insights and Recommendations

Cybersecurity professionals weighing in on this security discovery emphasize the importance of strong security policies and coding practices. “Companies need to adopt a foundational strategy for managing their digital presence to secure Google Chrome environments,” according to Eric Schwake, Director of Cybersecurity Strategy at Salt Security. In order to do so, it is crucial to enforce secure coding practices for internal apps and extensions, “to ensure API communications are encrypted using HTTPS and strictly prevent hard-coding API keys or sensitive tokens in client-side code.”

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, recommends that organizations “take immediate action by enforcing strict controls around browser extension usage, managing secrets securely, and monitoring for suspicious behavior across endpoints.” While many assume that extensions are secure by default, companies “must scrutinize all browser extensions to protect sensitive data and identities.”
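One concrete form of the "strict controls around browser extension usage" recommended above is Chrome's ExtensionSettings enterprise policy, which lets an administrator block every extension by default and permit only reviewed extension IDs. The policy file below is an added example, not from the article or from Keeper Security; the two 32-character IDs are placeholders rather than real extensions, and the version number and host pattern are illustrative. It is written as a Linux managed-policy JSON file (Windows and macOS deliver the same JSON through the registry and configuration profiles respectively).

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Extensions must be reviewed by security before installation."
    },
    "abcdefghijklmnopabcdefghijklmnop": {
      "installation_mode": "force_installed",
      "update_url": "https://clients2.google.com/service/update2/crx",
      "minimum_version_required": "2.3.0"
    },
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
      "installation_mode": "allowed",
      "runtime_blocked_hosts": ["*://*.internal.example"]
    }
  }
}
```

Save it as `/etc/opt/chrome/policies/managed/extensions.json`, restart Chrome, and confirm on `chrome://policy` that the policy loads without errors. The `"*"` entry disables any extension not listed, including ones users already installed; `force_installed` pushes a vetted extension to every profile and `minimum_version_required` keeps a version with a known defect from running; `runtime_blocked_hosts` stops an otherwise permitted extension from reading or injecting into the named internal sites. Pairing this allowlist with a review of each permitted extension's own code (its endpoints and any embedded secrets) covers both halves of the recommendation.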

Future Implications

The discovery of a gap this wide across popular browser extensions may prompt the industry to raise the bar. Organizations should treat it as a signal to tighten their policies on browser extensions and applications, and developers should treat it as a call to adopt secure coding practices, avoiding hard-coded credentials and unencrypted transmissions.

Regulators may also respond if they judge the state of extension security to warrant it. Governing bodies and industry leaders alike may press developers and organizations to adopt and enforce secure practices that close the gap.

Staying Ahead: Ensuring Robust Security Measures

In response to this state of affairs, organizations should hold the applications and extensions in use, whether developed internally or by third parties, to stringent security standards, because extensions sit next to valuable data and privileged user accounts. Developers should build extensions that never transmit data over unencrypted HTTP and never ship secrets in client-side code; when an extension must talk to a third-party API, the credential belongs on a backend the developer controls, with the extension authenticating to that backend instead. Users should be diligent in vetting an extension before installing it, weighing the permissions it requests against what it claims to do and who publishes it, and should remove extensions they no longer need.

Author
  • PJ Bradley
    Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.
Copyright © 2025 CyberEdge Group, LLC. All rights reserved. | Privacy Policy