
In a wide-reaching security investigation, Symantec has uncovered a troubling trend in the Chrome Web Store: hardcoded API keys, secrets, and tokens embedded directly in the source code of browser extensions. With over 21 million users collectively impacted, this oversight could lead to data manipulation, unauthorized access, financial loss, and even reputational damage for developers.
Symantec explains: “Once published, these secrets are exposed to anyone who cares to look; an attacker needs only inspect the extension package to extract them.”
From cloud resources to analytics endpoints, these embedded secrets can be abused in various ways—from spamming services and skewing telemetry to taking over infrastructure.
Symantec highlights several popular Chrome extensions with exposed secrets. Here’s a breakdown of key findings:

- Avast & AVG Online Security (7M+ users combined)
  Vulnerability: Hardcoded Google Analytics 4 API Secret – “Any attacker… could bombard the GA4 endpoint with spurious events, corrupting metrics or inflating analytics costs.”
- Equatio – Math Made Digital (5M+ users)
  Vulnerability: Exposed Azure API key for speech recognition – “If a malicious user replays or spams these calls, the developer’s Azure subscription could see inflated costs or usage exhaustion.”
- Awesome Screenshot & Scrolling Screenshot Tool (3.4M+ users)
  Vulnerability: Embedded AWS S3 access keys – “An attacker could script uploads… potentially hosting illegal content, pushing malicious files, or even pivoting to other AWS resources.”
- Microsoft Editor (2M+ users)
  Vulnerability: Leaked telemetry key – “Anyone with this key can generate spoofed telemetry data… draining resources or locking the developer out of their own analytics suite.”
- Antidote Connector (1M+ users)
  Vulnerability: Google API key exposed via InboxSDK – “An attacker could… access or manipulate Gmail data, or spam Google’s endpoints until the developer’s quota is exhausted or blacklisted.”
- Watch2Gether (1M+ users)
  Vulnerability: Tenor GIF search API key – “Spamming large volumes of search requests could cause the developer’s account to get banned from the Tenor API.”
- Trust Wallet (1M+ users)
  Vulnerability: Fiat ramps API key exposed – “An attacker could… generate authentic-looking requests to buy or sell cryptocurrency on behalf of unsuspecting users.”
- TravelArrow (300K users)
  Vulnerability: Geolocation API key – “Attackers… could drive up usage, potentially leaving the developer with hefty bills or disabled API access.”
Symantec’s recommendations are: “Never store sensitive credentials on the client side. Instead, route privileged operations through a secure backend server.”
By embedding secrets directly into the code, developers unintentionally invite attackers to exploit services, drain resources, or compromise privacy. Symantec concludes: “Removing exposed secrets… keeps user trust intact, avoids financial losses, and ensures more reliable analytics for their products.”
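As an added example that is not part of Symantec's report or this article, the following pre-publish scan is the kind of check a developer can run over an extension's bundled scripts before uploading to the Chrome Web Store: it matches the credential formats named above (AWS access key IDs, Google API keys, GA4 `api_secret` parameters) and falls back to a Shannon-entropy test for keys with no fixed format. The sample background script and every key in it are constructed for this example.

```python
import math
import re

# Format signatures for the credential types named in the report.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "ga4_api_secret": re.compile(r"api_secret=([A-Za-z0-9_\-]{10,})"),
}
# Fallback for keys with no fixed format: long token-like string literals.
TOKEN_LITERAL = re.compile(r"""["']([A-Za-z0-9_\-+/=]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; tune for your code base

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_source(path: str, source: str) -> list[dict]:
    """Return findings (file, line, kind, value) sorted by line number."""
    def finding(kind, pos, value):
        return {"file": path, "kind": kind, "value": value,
                "line": source.count("\n", 0, pos) + 1}
    findings, spans = [], []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(source):
            findings.append(finding(kind, m.start(), m.group(m.lastindex or 0)))
            spans.append((m.start(), m.end()))
    for m in TOKEN_LITERAL.finditer(source):
        # Skip literals already reported under a format signature.
        if any(m.start(1) < e and s < m.end(1) for s, e in spans):
            continue
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(finding("high_entropy_literal", m.start(), m.group(1)))
    return sorted(findings, key=lambda f: f["line"])

# Constructed sample of an extension's background script; every value is fake.
SAMPLE_BACKGROUND_JS = """
const GA_ENDPOINT = "https://www.google-analytics.com/mp/collect?measurement_id=G-CONSTRUCTED&api_secret=CoNsTrUcTeD_secret_00";
const AWS_KEY = "AKIAEXAMPLEKEY000000";
const MAPS_KEY = "AIzaSyEXAMPLE_CONSTRUCTED_KEY_000000000";
const TENOR_KEY = "Q7vRk2pXm9LsT4wBzN8cYhJ3";
const TITLE = "Awesome Screenshot Tool";
const UPLOAD_URL = "https://api.example.invalid/v1/upload";
"""

if __name__ == "__main__":
    for f in scan_source("background.js", SAMPLE_BACKGROUND_JS):
        print(f"{f['file']}:{f['line']} {f['kind']}: {f['value']}")
```

Run against the unpacked extension directory (every `.js` and `.json` file) as a CI gate; any finding means the operation should move behind a backend the developer controls, as Symantec recommends.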