A new investigation into several high-profile Chrome extensions has revealed that many transmit sensitive user data over unencrypted HTTP, leaving users wide open to profiling, interception, and even manipulation by malicious actors lurking on the same network.
The names involved are familiar. SEMRush Rank. PI Rank. MSN New Tab. DualSafe Password Manager. Even Browsec VPN. Together, these extensions have tens of millions of users. They’re pitched as tools to improve your browser, protect your privacy, or simplify your workflow. But under the hood, they tell a different story.
Researchers discovered that these extensions transmit data like browsing domains, machine IDs, operating system details, usage analytics, and uninstall telemetry, completely unencrypted. On a coffee shop Wi-Fi or hotel network, this data is vulnerable to anyone running a Man-in-the-Middle (MITM) attack.Â
And in some cases, the data isn’t only visible, it’s alterable, too.
Rank Trackers Reveal Where You Go
SEMRush Rank and PI Rank, both installed by tens of thousands, use the same pattern. These extensions monitor your browsing domains, then ping rank.trellian.com to fetch ranking data. But they do it over HTTP. The full domain you’re visiting is appended to the URL and sent in the clear.
There’s no encryption. No obfuscation. Just raw, readable data flowing through the wires. An attacker with a packet sniffer could build a map of a user’s web habits in minutes. What’s worse? These extensions are designed to run frequently. With every ranked site visit, the data leaks again. And again. And again.
Browsec VPN: Privacy Promises, Broken Links
If any extension should know better, it’s a VPN. Browsec VPN boasts 6 million users and markets itself as a shield for online privacy. But its background scripts paint a more troubling picture.
When a user uninstalls the extension, a unique URL is fired off, one that contains a user ID, click metrics, country changes, and more. That URL? Served over HTTP from a public AWS endpoint. No encryption. All data exposed.
The manifest file goes further. It allows connections to a slew of HTTP-only domains like trafcfy.com. These aren’t edge cases or test URLs. They’re live endpoints that Browsec is allowed to contact, unencrypted.
A VPN extension that exposes telemetry in plaintext and connects to unsecured domains? That’s not just ironic. It’s negligent.
Microsoft’s Extensions Leak Machine IDs
MSN New Tab and MSN Homepage extensions (together installed by more than half a million users) also transmit sensitive data in plaintext. A function called SendPingDetails sends the user’s OS, extension version, and a unique MachineID to a remote server. Over HTTP.
That MachineID is stable. Meaning it stays the same across sessions. Meaning it can be used to track a user’s activity over time. Combine that with OS details and timestamps, and you have a powerful profiling tool, delivered courtesy of an extension many users install by default.
DualSafe Password Manager Sends Stats Unencrypted
The irony doesn’t stop with VPNs. DualSafe Password Manager, with over 300,000 installs, uses HTTP to report telemetry like version numbers, browser language, and usage type. The data travels to stats.itopupdate.com without encryption.
No, there’s no evidence that passwords are leaked. But if you’re trusting an app to manage your passwords, every bit of its security matters. Telemetry sent unencrypted may seem low risk, until it’s used to map your digital fingerprint or exploited to inject malicious updates.
The good news? DualSafe has since patched the issue, switching to HTTPS for its telemetry endpoint. But the breach of trust remains. This isn’t just about nosy hackers or bored teens with packet sniffers. HTTP data can be intercepted and modified in transit. That means a malefactor could inject malicious content, redirect requests, or serve fake updates.
On a public network, this can happen fast and invisibly. The threat isn’t theoretical, it’s practical, scalable, and already in the wild.
Security by Popularity? Not so Much
These are not fringe extensions from obscure developers. They are promoted by marketing giants, cybersecurity firms, and household brands. Yet their use of insecure HTTP for transmitting sensitive data shows a stunning lack of due diligence.Â
Why does it matter? Because trust in browser extensions is paper-thin. Users already struggle to distinguish between safe and shady add-ons. When privacy tools betray their core mission, it fuels a deeper crisis: who, if anyone, is actually safeguarding our browser data?
A Critical Gap in Extension Security
According to Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, this incident highlights a critical gap in extension security, even popular Chrome extensions can put users at risk if developers cut corners.
“Transmitting data over unencrypted HTTP and hard-coding secrets exposes users to profiling, phishing and adversary-in-the-middle attacks – especially on unsecured networks. Organizations should take immediate action by enforcing strict controls around browser extension usage, managing secrets securely and monitoring for suspicious behavior across endpoints. These are essential elements to a strong cybersecurity posture. Just because a browser extension is very popular and has a large user base doesn’t mean it’s secure. Businesses must scrutinize all browser extensions to protect sensitive data and identities,” adds Tiquet.
What You Can Do
If you use any of these extensions, consider uninstalling them until developers issue proper fixes. At a minimum, inspect their permissions and review their network behavior using tools like Chrome’s Developer Console or extension source viewers.
From a security perspective, here’s what you should do next:
- Use a trusted security app to monitor extension activity.Â
- Stick to vetted sources. Install only from the official Chrome Web Store, but even then, inspect the reviews and changelogs.Â
- Review permissions. If an extension asks for more access than it needs, think twice.Â
- Back up your data. An extension compromise could cascade into broader account access.Â
Managing Digital Presence
Eric Schwake, Director of Cybersecurity Strategy at Salt Security, says companies need to adopt a foundational strategy for managing their digital presence to secure Google Chrome environments. “Initially, they should implement stringent policies for approved browser extensions and ensure thorough vetting, emphasizing secure communication and credential management. Furthermore, secure coding practices must be enforced for any internal extensions or applications to ensure API communications are encrypted using HTTPS and strictly prevent hard-coding API keys or sensitive tokens in client-side code. It is crucial to adopt a proactive API posture governance to identify all APIs, enforce secure transport layers, and ensure robust authentication and authorization mechanisms are in place to shield against the exploitation of these vulnerable client-side elements.”
Enforcing a Standard of Behavior
“Safety, security, and privacy are strong motivators for everyone online – trust is something we all aspire to find,” says Trey Ford, Chief Information Security Officer at Bugcrowd. “Google’s Chrome team does the hard work of defending a massive population of users who do not fully understand the risk of using these browser extensions- and they are constantly defending and raising that bar of performance. We used to call these BHO’s – browser helper objects – and this was a very common way to compromise browsers for various outcomes, ranging from stealing credentials and spying on users, to simply establishing ways to very uniquely identify and track users across the internet. Ultimately this can manifest as a form of malware, and unavoidably create new attack surface for miscreants to attack and compromise a very secure browsing experience. Google has both the vantage point, and duty, to enforce a standard of behavior and care in their add-on marketplace.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.