Chrome Add-Ons Leak Private Data in Their Code

Plain-Text Web Requests Leave Users Exposed

When Symantec researcher Yuanjing Guo took a closer look at a handful of high-profile Google Chrome extensions, he discovered a surprisingly simple flaw: many of them still reach out to the internet over old-fashioned HTTP instead of secure HTTPS. That choice, he warned this week, means every byte those add-ons transmit is readable—and even alterable—by anyone sharing the same network, whether it’s a coffee-shop Wi-Fi hotspot or an office LAN.

Guo’s tests showed that the extensions freely passed along the sites a person was visiting, their operating system, the unique ID of their computer, usage statistics, and, in one case, an uninstall notice. Nothing was encrypted in transit, so an attacker sitting between the user and the destination server could steal or tamper with the data before it arrived. It is the classic “person-in-the-middle” scenario that security professionals have been warning about for years, yet it still slips into production software with unsettling frequency.

Among the plug-ins named were SEMRush Rank and PI Rank, which phone home to “rank.trellian.com” over HTTP, as well as Browsec VPN, which opens an unencrypted HTTP link when a user removes the extension. Two Microsoft-branded new-tab replacements also sent their telemetry through unencrypted channels, and, perhaps most startling, the DualSafe Password Manager chatted with its analytics server in clear text—hardly the behavior users expect from software marketed as a security tool.

Secrets Hidden in JavaScript Source

The story did not end with insecure traffic. Symantec’s scan also uncovered a second, more subtle risk: hard-coded credentials sitting in the public JavaScript files shipped with several extensions. These baked-in secrets ranged from Google Analytics tokens to Microsoft Azure keys and even Amazon Web Services credentials—all placed directly in code that any motivated attacker could inspect with a simple browser DevTools window.

Why does that matter? An exposed key for Google’s Analytics platform, for instance, would let a prankster or rival developer fire thousands of bogus events at the tracking endpoint, skewing a company’s marketing dashboard and making genuine user patterns impossible to read. An AWS key tied to S3, meanwhile, could let a malicious actor store contraband files—pirated movies, malware, worse—inside the developer’s own cloud bucket while the rightful owner got stuck with the bill.

Extensions cited in this category included Online Security & Privacy, AVG Online Security, Speed Dial [FVD], and SellerSprite. Another plug-in, Equatio – Math Made Digital, shipped with an Azure speech-recognition key. Screenshot utilities, grammar checkers, crypto wallets, and even a travel-planning helper were all caught exposing some form of secret. According to Guo, a library called InboxSDK carried within the Antidote Connector plug-in exposes credentials as well, and more than ninety other extensions rely on that same toolkit.

What the Risks Look Like in the Real World

Leakage of usernames or passwords did not turn up in the tests, but that should not lull anyone into complacency. Plain-text telemetry can be pieced together to build a profile of where a person works, which news sources they prefer, how often they log in, and what browser they favor—information ripe for spear-phishing or social-engineering stunts. Worse, if an attacker can tamper with the data in transit, they could inject commands or malicious links that ride the legitimate HTTP request straight back to the extension and, potentially, the user’s machine.

The embedded-secret issue is equally troubling. Cloud providers typically charge per request, per gigabyte stored, or per second of compute time. A leaked key lets a criminal drive those usage numbers sky-high, leaving the developer, or sometimes the company that employs them, with a hefty bill or an account suspension. In the cryptocurrency space, a captured key could even be used to spoof transaction orders, placing real money—or tokens representing real money—at risk.

Advice for Developers and Anyone Who Installs Extensions

Guo’s prescription is straightforward: always send data over HTTPS, never hide credentials in client-side code, and rotate any token that does leak as quickly as possible. Secrets belong on a locked-down server, preferably behind a dedicated secrets-management service, not in a JavaScript file shipped to millions of browsers.

For everyday users, the safest move is to uninstall the affected extensions until updates arrive. Popularity or a household brand name does not guarantee sound security practices, as this report makes clear. Before adding any new tool to Chrome—or any browser—take a minute to skim the reviews, glance at the developer’s website, and, if you are technically inclined, inspect the network traffic in your browser’s developer panel. If you spot HTTP where HTTPS should be, steer clear.
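As an added example (not from Symantec’s report or from any of the extensions named), here is a small Node.js audit script that scans an extension’s JavaScript for the two issue classes discussed above: plain-text http:// endpoints and credential-looking literals baked into the code. The sample source, host names and key values are constructed placeholders (the AWS key is the one from AWS’s own documentation), and the patterns are heuristics that flag candidates for a human to review.

```javascript
"use strict";

// Each check is a regex over one source line; "ignore" drops known-benign hits.
const CHECKS = [
  // Cleartext endpoint: anything fetched over http:// is readable on the wire.
  { kind: "http-url", re: /\bhttp:\/\/[^\s"'`)]+/g,
    ignore: (m) => /^http:\/\/(localhost|127\.0\.0\.1)/.test(m) },
  // AWS access key IDs have a fixed prefix and a fixed length.
  { kind: "aws-access-key", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // Google Analytics property IDs (Universal Analytics and GA4 forms).
  { kind: "ga-property-id", re: /\b(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b/g },
  // Generic "<something>key = '...'" style assignments with a long literal value.
  { kind: "hardcoded-secret",
    re: /\b\w*(?:key|secret|token|password)\w*\s*[:=]\s*["'`][^"'`]{8,}["'`]/gi },
];

// Scans extension source and returns one finding per (line, kind, match).
// Line numbers are 1-based so they can be quoted straight from DevTools.
function auditExtensionSource(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const check of CHECKS) {
      for (const m of text.matchAll(check.re)) {
        if (check.ignore && check.ignore(m[0])) continue;
        findings.push({ line: idx + 1, kind: check.kind, match: m[0] });
      }
    }
  });
  return findings;
}

// Counts findings per kind, handy for a quick verdict on a whole extension.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed sample mimicking the patterns in the report (placeholder values).
const SAMPLE_SOURCE = [
  'const RANK_API = "http://rank.example.invalid/api?url=";',
  'const GA_ID = "UA-123456-7";',
  'const AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";', // AWS docs sample key
  'fetch("https://telemetry.example.invalid/ping");',
  'const DEBUG_URL = "http://localhost:8080/dev";', // local dev URL, ignored
].join("\n");

for (const f of auditExtensionSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.kind} -> ${f.match}`);
}
```

Run it against the unpacked extension directory’s scripts (for example by reading each .js file into `auditExtensionSource`) and treat any http-url or key hit as a reason to hold off installing until the developer ships a fix.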

A Reminder That Convenience Still Needs Caution

Browser extensions are small, easy to install, and often free, which makes them irresistible for boosting productivity, blocking ads, or checking a website’s search-engine rank. But each one is a miniature piece of software with its own privileges and responsibilities. As Symantec’s findings emphasize, even well-known plug-ins with hundreds of thousands of downloads can harbor basic, avoidable mistakes. Until developers close those gaps, the burden falls on users to stay alert, keep their add-ons up to date, and, when in doubt, hit “Remove” before a silent eavesdropper does something they will regret.