Extension code uses hardcoded credentials:

Guo added that hardcoded credentials, such as API keys, secrets, and tokens, are exposed within popular extensions’ JavaScript, making them accessible to anyone who inspects the extension’s source code. For instance, the Avast Online Security and Privacy and AVG Online Security extensions, both aimed at browsing privacy and security, contain hardcoded Google Analytics 4 (GA4) API secrets. An attacker who discovers these secrets could misuse them to send fraudulent data to the GA4 endpoint. Other extensions, such as Awesome Screen Recorder & Screenshot and Scrolling Screenshot Tool & Screen Capture, reveal AWS S3 access keys in their code.

“Hardcoding API keys and secrets directly into JavaScript makes these credentials easily accessible to attackers,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “They can exploit these keys maliciously, including inflating API costs, hosting illicit content, or replicating sensitive transactions, such as cryptocurrency orders.”

Microsoft Editor, an AI-powered editing extension for Chrome and Edge, was also found to expose a telemetry key, StatsApiKey, which can be exploited to generate fake analytics data, potentially disrupting Microsoft’s data collection and analysis processes.
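The practical defence against this class of finding is to scan extension source before it ships (or before it is allowed into an enterprise browser policy) for the credential shapes the article names: AWS access key IDs, the GA4 Measurement Protocol api_secret parameter, and named telemetry or API keys assigned as string literals. The scanner below is an added example, not code from the article or from any of the extensions it describes. The sample JavaScript it scans is constructed for the example (the AWS access key ID is the placeholder key from AWS's own documentation; the other values are made up), and the generic key-name list and the entropy threshold are assumptions of this example rather than anything the article specifies.

```python
import math
import re
from collections import Counter
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str
    line: int
    value: str


# Credential shapes named in the article: AWS access key IDs, the GA4
# Measurement Protocol api_secret, and telemetry/API keys stored as literals.
# The generic key-name words (key/secret/token) are an assumption of this example.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("ga4_api_secret", re.compile(r"api_secret=([A-Za-z0-9_\-]{16,})"), 1),
    ("named_credential",
     re.compile(r"(?i)\b([a-z_]*(?:key|secret|token)[a-z_]*)\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
     2),
]

# Assumed threshold: short English labels score well below this, real keys well above.
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_extension_source(source: str) -> List[Finding]:
    """Return one Finding per distinct suspected credential literal per line."""
    findings: List[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        seen = set()  # the same literal can match a specific and a generic rule
        for rule, pattern, group in RULES:
            for m in pattern.finditer(text):
                value = m.group(group)
                if value in seen or shannon_entropy(value) < MIN_ENTROPY_BITS:
                    continue  # low-entropy literals are labels, not secrets
                seen.add(value)
                findings.append(Finding(rule, lineno, value))
    return findings


def scan_unpacked_extension(root: str) -> List[Finding]:
    """Scan every .js file under an unpacked extension directory."""
    results: List[Finding] = []
    for path in sorted(Path(root).rglob("*.js")):
        for f in scan_extension_source(path.read_text(encoding="utf-8", errors="replace")):
            results.append(Finding(f"{path}:{f.rule}", f.line, f.value))
    return results


# Constructed sample modeled on the article's findings; not real extension code.
SAMPLE_EXTENSION_JS = """\
// constructed sample, modeled on the patterns described in the article
const GA_ENDPOINT = "https://www.google-analytics.com/mp/collect?measurement_id=G-XXXXXXX&api_secret=Abc123xyzEXAMPLESECRET9";
const s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
});
const telemetry = { StatsApiKey: "f4e2c1a9b8d7e6f5a4b3c2d1e0f9a8b7" };
const cacheKey = "settings";  // low-entropy value, not a credential
"""


if __name__ == "__main__":
    for f in scan_extension_source(SAMPLE_EXTENSION_JS):
        print(f"line {f.line}: {f.rule} -> {f.value[:8]}...")
```

Run against an unpacked extension directory with `scan_unpacked_extension("/path/to/unpacked")`; the output is the list of literals a reviewer should move into a backend service or an authenticated configuration channel before release. The entropy filter exists because the generic rule deliberately matches any identifier containing "key", "secret" or "token", and that would otherwise flag harmless labels such as cache or storage keys.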
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4003545/chrome-extension-privacy-promises-undone-by-hardcoded-secrets-leaky-http.html