Unmasking Insecure HTTP Data Leaks in Popular Chrome Extensions

Several browser extensions were found to transmit telemetry data over unencrypted HTTP connections, risking exposure of user information to network attackers. Although direct passwords were not leaked, the insecure transmission of usage metrics and system details poses significant privacy concerns. #DualSafe #BrowserExtensions #TelemetryLeak

Keypoints

  • Several browser extensions send telemetry data over plain HTTP, exposing user information in transit.
  • The transmitted data includes extension version, browser language, usage type, browsing domains, unique machine IDs, OS details, and uninstall parameters.
  • No direct passwords or credentials were found to leak, but the unsecured data can still be exploited for profiling or targeted attacks.
  • DualSafe addressed the vulnerability by switching its telemetry endpoint to HTTPS and encrypting the transmitted data.
  • Unencrypted traffic enables attackers conducting Man-in-the-Middle attacks to capture or manipulate data sent by extensions.
  • Users are advised to remove or avoid extensions that fail to use secure transmission protocols until fixed by developers.
  • Developers should adopt HTTPS for all data exchanges, especially for security or privacy-oriented extensions.
  • Symantec recommends installing endpoint protection, verifying extension sources, monitoring extension permissions, and maintaining regular backups.
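To audit an unpacked extension for the class of issue described above, here is an added Python example (not code from the report or from any of the extensions it covers) that flags plaintext http:// endpoints both in the manifest's host patterns and as hard-coded literals in scripts; the sample extension files and the example-telemetry.invalid hostnames are constructed for the demonstration.

```python
import json
import re
from pathlib import Path

# Quoted http:// URL literals (https:// deliberately does not match).
PLAINTEXT_URL = re.compile(r"""['"](http://[^'"\s]+)['"]""")
# Loopback endpoints are acceptable plaintext during local development.
LOOPBACK = ("http://localhost", "http://127.0.0.1")

def find_plaintext_endpoints(files):
    """files: {relative path: text} of an unpacked extension. Returns sorted
    (path, url) pairs for every non-loopback http:// endpoint, whether declared
    as a manifest host pattern or hard-coded in a script."""
    findings = set()
    for path, text in files.items():
        if path.endswith("manifest.json"):
            # MV2 "permissions" and MV3 "host_permissions" hold match patterns.
            manifest = json.loads(text)
            for key in ("permissions", "host_permissions"):
                for entry in manifest.get(key, []):
                    if isinstance(entry, str) and entry.startswith("http://"):
                        findings.add((path, entry))
            continue
        for match in PLAINTEXT_URL.finditer(text):
            if not match.group(1).startswith(LOOPBACK):
                findings.add((path, match.group(1)))
    return sorted(findings)

def scan_unpacked_extension(root):
    """Audit the .js/.json/.html files of an unpacked extension directory."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text("utf-8", errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix in (".js", ".json", ".html")}
    return find_plaintext_endpoints(files)

# Constructed sample MV3 extension with a plain-HTTP stats call; the *.invalid hosts are placeholders.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Sample", "version": "1.0",
        "host_permissions": ["http://stats.example-telemetry.invalid/*",
                             "https://api.example-telemetry.invalid/*"]}),
    "background.js": (
        'const STATS = "http://stats.example-telemetry.invalid/collect";\n'
        'const API = "https://api.example-telemetry.invalid/v1";\n'
        'const DEV = "http://localhost:8080/debug";\n'
        'fetch(STATS + "?v=" + chrome.runtime.getManifest().version);\n'),
}
if __name__ == "__main__":
    for path, url in find_plaintext_endpoints(SAMPLE_EXTENSION):
        print(f"{path}: plaintext telemetry endpoint {url}")
```

URLs assembled from fragments or obfuscated at runtime will not match the literal regex, so treat a clean result as a first pass rather than proof that every call uses HTTPS.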

MITRE Techniques

  • [T1557] Man-in-the-Middle – Attackers can eavesdrop on unencrypted HTTP traffic from browser extensions to intercept or modify data (‘unencrypted traffic is trivially accessible to anyone performing a Man-in-the-Middle attack’).
  • [T1598] Phishing – Captured telemetry data can be used for profiling users to launch targeted phishing attacks (‘The data can be used for profiling, phishing, or other targeted attacks’).
  • [T1071] Application Layer Protocol – Extensions used the insecure HTTP protocol for transmitting telemetry instead of HTTPS (‘extension to make a call to stats.itopupdate.com over plain HTTP’).

Indicators of Compromise

  • [Domain] Telemetry endpoint – stats.itopupdate.com used for sending unencrypted extension telemetry data.
  • [Data Types] Telemetry data – includes extension version, browser language, usage type, browsing domains, unique machine IDs, OS details.

Read more: https://www.security.com/threat-intelligence/chrome-extension-leaks