Chrome extension privacy promises undone by hardcoded secrets, leaky HTTP

From the extensions Guo mentioned, SEMRush Rank and PI Rank transmit users’ full browsing domains in plaintext to rank.trellian.com, effectively exposing their web activity. MSN New Tab/Homepage sends a persistent Machine ID, OS version, and extension version using an unencrypted SendPingDetails request, data that can be used to track users across sessions.  

Additionally, DualSafe Password Manager, while not leaking passwords, still pushes analytics like browser language and version to stats.itopupdate.com over HTTP.  

“We used to call these (extensions) BHO’s – browser helper objects – and this was a very common way to compromise browsers for various outcomes, ranging from stealing credentials and spying on users, to simply establishing ways to very uniquely identify and track users across the internet,” said BugCrowd CISO Trey Ford. “Ultimately, this can manifest as a form of malware, and unavoidably create a new attack surface for miscreants to attack and compromise a very secure browsing experience.”