Chrome Extensions Flaw Exposes Sensitive API Keys, Secrets and Tokens
A critical security flaw has been uncovered in numerous popular Chrome extensions, affecting millions of users worldwide by exposing sensitive credentials such as API keys, secrets, and tokens directly within their source code.
This alarming oversight in modern development practices has left digital doors wide open for cyber attackers to exploit, potentially leading to data manipulation, financial losses, and privacy breaches.
Hardcoded credentials in JavaScript files of browser extensions are accessible to anyone who inspects the extension packages, allowing malicious actors to craft harmful requests ranging from spamming analytics endpoints to hijacking cloud services.
According to a Symantec report, this vulnerability spans a variety of extensions, each serving a different function, from online security tools to productivity aids, with user bases in the millions, amplifying the scale of the threat.
Vulnerability in Popular Browser Add-ons
Delving into the technical specifics, several high-profile Chrome extensions have been found embedding sensitive data directly in their client-side code, a practice that defies basic security principles.
For instance, extensions like Avast Online Security & Privacy and AVG Online Security, with a combined user base of over 7.6 million, hardcode Google Analytics 4 (GA4) API secrets in their scripts, making it trivial for attackers to flood GA4 endpoints with fraudulent events, thereby corrupting metrics or inflating costs.
Similarly, Equatio Math Made Digital, used by over 5 million users, embeds an Azure API key for speech recognition, visible via debugging tools, which could lead to unauthorized usage spikes and exorbitant billing for developers.
Even more concerning are extensions like Awesome Screen Recorder & Screenshot and Scrolling Screenshot Tool & Screen Capture, which expose AWS access keys within code used for S3 bucket uploads.

With over 3.4 million users collectively, these extensions risk enabling attackers to upload malicious content or pivot to broader AWS resources if permissions are overly permissive.
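The exposures described above all have the same shape: a credential sitting in plain text inside the extension's JavaScript. As an added example (not code from the Symantec report or from any of the extensions named here), the Node.js script below is the kind of pre-release check a developer or reviewer can run over an unpacked extension. It applies format-specific rules for AWS access key IDs, Google API keys and GA4 `api_secret` values, plus a looser assignment rule that is gated by a Shannon-entropy threshold so that placeholders such as `YOUR_API_KEY_HERE` are not reported. The sample source it scans is constructed for this example, and every key in it is fabricated; only the key formats are real.

```javascript
"use strict";

// Constructed sample of an extension's background script. Every credential in it
// is fabricated for this example; the values only imitate the published key formats.
const SAMPLE_SOURCE = `
const GA4_MEASUREMENT_ID = "G-XXXXXXXXXX";
const GA4_API_SECRET = "constructedGa4Secret0123456789";
fetch("https://www.google-analytics.com/mp/collect?measurement_id=" + GA4_MEASUREMENT_ID + "&api_secret=" + GA4_API_SECRET, { method: "POST", body: "{}" });

const s3 = new AWS.S3({
  accessKeyId: "AKIAEXAMPLE000000000",
  secretAccessKey: "constructedSecretAccessKey0123456789ABCD"
});

const gmailHeaders = { "X-Goog-Api-Key": "AIzaEXAMPLEEXAMPLEEXAMPLEEXAMPLE0000000" };
const placeholder = "YOUR_API_KEY_HERE";
`;

// Shannon entropy in bits per character. Used to drop low-entropy placeholder
// strings that happen to match the loose generic rule below.
function shannonEntropy(str) {
  const counts = new Map();
  for (const ch of str) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / str.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Rules: format-specific patterns first (high confidence, no entropy gate),
// then a generic "name = 'value'" rule that must also clear an entropy threshold.
const RULES = [
  { name: "aws-access-key-id", regex: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g, group: 0 },
  { name: "google-api-key", regex: /\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])/g, group: 0 },
  { name: "ga4-api-secret", regex: /api_?secret["']?\s*[:=]\s*["']([A-Za-z0-9_-]{10,})["']/gi, group: 1 },
  { name: "generic-assignment", regex: /(?:secret|token|api[_-]?key|password)\w*["']?\s*[:=]\s*["']([A-Za-z0-9_\-\/+=]{16,})["']/gi, group: 1, minEntropy: 3.0 },
];

// 1-based line number of a character offset in the source.
function lineOf(source, index) {
  let line = 1;
  for (let i = 0; i < index; i++) if (source[i] === "\n") line++;
  return line;
}

// Returns one finding per distinct secret value: { rule, line, value }.
// A value matched by a specific rule is not reported again by the generic rule.
function scanForSecrets(source) {
  const findings = [];
  const seen = new Set();
  for (const rule of RULES) {
    for (const m of source.matchAll(rule.regex)) {
      const value = m[rule.group];
      if (seen.has(value)) continue;
      if (rule.minEntropy !== undefined && shannonEntropy(value) < rule.minEntropy) continue;
      seen.add(value);
      findings.push({ rule: rule.name, line: lineOf(source, m.index), value });
    }
  }
  return findings;
}

// Never echo the full secret into build logs; show only the ends.
function redact(value) {
  return value.length <= 8 ? "****" : value.slice(0, 4) + "..." + value.slice(-4);
}

for (const f of scanForSecrets(SAMPLE_SOURCE)) {
  console.log(`${f.rule} at line ${f.line}: ${redact(f.value)}`);
}
```

Run it against the real files of an unpacked extension by reading each `.js` file and passing its contents to `scanForSecrets`. A non-empty result should fail the release build; the entropy gate keeps the generic rule usable on minified bundles, where variable names such as `secret` and `token` are common but real credentials are not.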
Technical Breakdown of Exposed Credentials and Risks
Microsoft Editor, with 2 million users, reveals a telemetry key that could be exploited to spoof analytics data, while Trust Wallet, a cryptocurrency extension with 1 million users, leaks a fiat ramps API key, raising fears of manipulated financial transactions.
Other notable cases include TravelArrow exposing a geolocation API key and Watch2Gether leaking a Tenor GIF search API key, demonstrating that even seemingly benign credentials can be abused to exhaust quotas or incur costs.

The use of the third-party library InboxSDK in over 90 extensions, including Antidote Connector, further compounds the issue by embedding Google API keys in request headers, potentially allowing access to Gmail data or endpoint spamming.
While some developers, such as Watch2Gether and Antidote Connector, have patched these flaws in recent updates by moving to secure authentication flows, the pervasive nature of this vulnerability highlights a systemic issue in extension development.
The core problem lies in storing sensitive credentials client-side instead of routing operations through secure backend servers with protected environment variables.
Developers must adopt practices like regular key rotation, least privilege principles, and usage monitoring to mitigate risks, ensuring user trust and operational integrity are maintained in an increasingly hostile digital landscape.
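The two halves of that recommendation, keep the secret server-side and enforce least privilege and monitoring on its use, can be shown in a few lines. The code below is an added example written for this article, not code from the Symantec report or from any extension named here. The first function is the vulnerable shape (the GA4 `api_secret` built into the request inside the extension); the second is the hardened client, which only knows the developer's own backend URL (a hypothetical `telemetry.example.invalid` endpoint); the third is a hypothetical backend handler that reads the secret from environment variables, allow-lists event names, caps per-client volume and only then builds the upstream call. The GA4 Measurement Protocol endpoint, parameters and body format are the documented ones; all key values and identifiers are constructed placeholders.

```javascript
"use strict";

// ---- Before: the pattern the report describes. The api_secret ships inside the
// extension package, so anyone who unpacks it can send events as this extension.
const VULNERABLE_CONFIG = {
  measurementId: "G-XXXXXXXXXX",                   // constructed placeholder
  apiSecret: "constructed-ga4-secret-do-not-ship"  // constructed placeholder
};

function buildVulnerableRequest(cfg, clientId, eventName) {
  const url = "https://www.google-analytics.com/mp/collect" +
    `?measurement_id=${cfg.measurementId}&api_secret=${cfg.apiSecret}`;
  const body = JSON.stringify({ client_id: clientId, events: [{ name: eventName }] });
  return { url, body };
}

// ---- After: the extension only knows the developer's own backend endpoint
// (hypothetical URL) and never sees the GA4 secret.
const BACKEND_EVENT_URL = "https://telemetry.example.invalid/v1/event";

function buildHardenedClientRequest(clientId, eventName) {
  return { url: BACKEND_EVENT_URL, body: JSON.stringify({ client_id: clientId, event: eventName }) };
}

// ---- Backend handler (hypothetical). The secret comes from the process
// environment, event names are allow-listed, per-client volume is capped, and
// only a request that passes every check is forwarded upstream.
const ALLOWED_EVENTS = new Set(["extension_installed", "scan_completed"]);
const RATE_LIMIT = { windowMs: 60000, maxPerWindow: 30 };
const buckets = new Map(); // clientId -> { start, count }

function rateLimited(clientId, now) {
  const b = buckets.get(clientId);
  if (!b || now - b.start >= RATE_LIMIT.windowMs) {
    buckets.set(clientId, { start: now, count: 1 });
    return false;
  }
  b.count += 1;
  return b.count > RATE_LIMIT.maxPerWindow;
}

// rawBody: the JSON string the extension posted; env: e.g. process.env.
// Returns { status, error } or { status: 202, upstream } where upstream is the
// request the backend would send to GA4 on the client's behalf.
function handleTelemetry(rawBody, env, now = Date.now()) {
  if (!env.GA4_MEASUREMENT_ID || !env.GA4_API_SECRET) {
    return { status: 500, error: "server misconfigured" };
  }
  let msg;
  try {
    msg = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, error: "invalid json" };
  }
  if (typeof msg.client_id !== "string" || !/^[A-Za-z0-9._-]{8,64}$/.test(msg.client_id)) {
    return { status: 400, error: "bad client_id" };
  }
  if (!ALLOWED_EVENTS.has(msg.event)) {
    return { status: 400, error: "unknown event" };
  }
  if (rateLimited(msg.client_id, now)) {
    return { status: 429, error: "rate limited" };
  }
  const upstream = {
    url: "https://www.google-analytics.com/mp/collect" +
      `?measurement_id=${env.GA4_MEASUREMENT_ID}&api_secret=${env.GA4_API_SECRET}`,
    body: JSON.stringify({ client_id: msg.client_id, events: [{ name: msg.event }] })
  };
  return { status: 202, upstream };
}

// Demo run with a constructed environment (stands in for process.env).
const demoEnv = { GA4_MEASUREMENT_ID: "G-XXXXXXXXXX", GA4_API_SECRET: "server-side-secret" };
const clientReq = buildHardenedClientRequest("1234567890.0987654321", "scan_completed");
console.log("client sends:", clientReq.body, "-> contains secret?", clientReq.body.includes(demoEnv.GA4_API_SECRET));
console.log("backend result:", handleTelemetry(clientReq.body, demoEnv).status);
```

Because the secret now lives only in the backend's environment, rotating it is a server-side config change rather than a new extension release, and the backend is the single place to log and alert on unusual event volume, which is what "usage monitoring" means in practice here.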
Indicators of Compromise (IOC)
| Extension Name | Extension ID | User Count | Credential Exposed |
|---|---|---|---|
| Avast Online Security & Privacy | gomekmidlodglbbmalcneegieacbdmki | 7,000,000 | GA4 API Secret |
| AVG Online Security | nbmoafcmbajniiapeidgficgifbfmjfo | 600,000 | GA4 API Secret |
| Equatio – Math Made Digital | hjngolefdpdnooamgdldlkjgmdcmcjnc | 5,000,000 | Azure API Key |
| Awesome Screen Recorder & Screenshot | nlipoenfbbikpbjkfpfillcgkoblgpmj | 3,000,000 | AWS Access Key |
| Scrolling Screenshot Tool & Screen Capture | mfpiaehgjbbfednooihadalhehabhcjo | 400,000 | AWS Access Key |
| Microsoft Editor: Spelling & Grammar | gpaiobkfhnonedkhhfjpmhdalgeoebfa | 2,000,000 | Microsoft Telemetry API Key |
| Antidote Connector | lmbopdiikkamfphhgcckcjhojnokgfeo | 1,000,000 | Google API Key |
| Watch2Gether | cimpffimgeipdhnhjohpbehjkcdpjolg | 1,000,000 | Tenor GIF Search API Key |
| Trust Wallet | egjidjbpglichdcondbcbdnbeeppgdph | 1,000,000 | Fiat Ramp API Key |
| TravelArrow – Your Virtual Travel Agent | coplmfnphahpcknbchcehdikbdieognn | 300,000 | Geolocation API Key |