
A new report by Symantec's Threat Hunter Team uncovers that several widely used Chrome extensions—some with millions of active users—are silently leaking sensitive user data over unencrypted HTTP connections, putting user privacy and security at serious risk.
Despite advertising features like secure browsing, analytics, or convenient user interfaces, extensions including SEMRush Rank, PI Rank, MSN New Tab, Browsec VPN, and DualSafe Password Manager are transmitting crucial information such as browsing domains, machine IDs, operating system details, and usage analytics in plaintext, exposing users to potential Man-in-the-Middle (MITM) attacks.
Two SEO tools—SEMRush Rank and PI Rank—were found sending users’ visited domains directly over HTTP to rank.trellian.com, with the domain data appended in query strings. These requests occur every time a user interacts with the ranking features, broadcasting browsing behavior to anyone capable of monitoring network traffic.
“Because HTTP provides no encryption, anyone with the ability to sniff network traffic can read that domain name,” the report warns.
Even more surprising is the behavior of Browsec VPN, an extension claiming to provide “a secure and private web experience” to its 6 million users. Symantec researchers discovered that its uninstall process leaks usage statistics and a unique user ID via HTTP.

“The extension sets an uninstall URL… defaulting to an HTTP endpoint… and appends usage statistics along with a unique user ID.”
Furthermore, Browsec’s manifest permits connections to dozens of insecure HTTP endpoints, a glaring contradiction to its VPN branding.
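The two weaknesses described above, an HTTP uninstall URL set from extension code and a manifest that grants reach to plaintext HTTP origins, are both visible in an extension's bundle before installation. The following is an added example, not code from the Symantec report or from any of the named extensions, of a small audit that flags plaintext-capable host patterns in a manifest and hard-coded http:// URLs passed to setUninstallURL, fetch, or XMLHttpRequest; the extension bundle it scans and every hostname in it are constructed samples.

```javascript
// Added example (not from the Symantec report): audit an extension bundle for
// plaintext HTTP endpoints in its manifest and in calls such as
// chrome.runtime.setUninstallURL(). All hostnames below are constructed samples.

// True for a match pattern that permits plaintext HTTP traffic. "*://" and
// "<all_urls>" are flagged because both include http:// origins.
function permitsPlaintext(pattern) {
  return /^http:\/\//i.test(pattern) || /^\*:\/\//.test(pattern) || pattern === "<all_urls>";
}

// Collect every manifest field that can grant network reach (MV2 and MV3).
function manifestPatterns(manifest) {
  const out = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const cs of manifest.content_scripts || []) out.push(...(cs.matches || []));
  return out;
}

// Hard-coded http:// URLs in extension source, keyed by the API that sends them.
const SOURCE_CHECKS = [
  { api: "setUninstallURL", re: /setUninstallURL\(\s*["'`](http:\/\/[^"'`]*)/g },
  { api: "fetch", re: /fetch\(\s*["'`](http:\/\/[^"'`]*)/g },
  { api: "XMLHttpRequest.open", re: /\.open\(\s*["'`]\w+["'`]\s*,\s*["'`](http:\/\/[^"'`]*)/g },
];

// Returns one finding per plaintext-capable pattern or hard-coded http:// URL.
function auditExtension(manifest, sources) {
  const findings = [];
  for (const p of manifestPatterns(manifest)) {
    if (permitsPlaintext(p)) findings.push({ where: "manifest", api: null, url: p });
  }
  for (const [file, code] of Object.entries(sources)) {
    for (const { api, re } of SOURCE_CHECKS) {
      for (const m of code.matchAll(re)) findings.push({ where: file, api, url: m[1] });
    }
  }
  return findings;
}

// Constructed sample bundle mirroring the report's patterns: a visited domain in
// a query string, an HTTP uninstall URL carrying a user ID, an http:// host permission.
const sampleManifest = {
  manifest_version: 3,
  host_permissions: ["http://rank.example.test/*", "https://api.example.test/*"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
const sampleSources = {
  "background.js": 'chrome.runtime.setUninstallURL("http://stats.example.test/bye?uid=" + uid);',
  "content.js": 'fetch("http://rank.example.test/rank?domain=" + location.hostname);',
};

console.log(auditExtension(sampleManifest, sampleSources));
```

Run against a real unpacked extension, the same function takes the parsed manifest.json and a map of file name to file contents; any finding with an api of setUninstallURL or fetch is a request that will leave the browser unencrypted.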
Microsoft-branded extensions, including MSN New Tab and MSN Homepage, were found leaking persistent Machine IDs, operating system types, and version numbers.
“It is easy to see how a passive listener on the network can collect that ID… leading to sophisticated user profiling.”
With over 500,000 installations, these extensions let a passive observer correlate repeated requests from an individual user over time, effectively building a fingerprint of that user's device and browsing habits.
Even security-focused tools like DualSafe Password Manager & Digital Vault were found sending telemetry data—such as extension version, browser language, and usage type—unencrypted to stats.itopupdate.com. Although no credentials were observed in transmission, the irony of a password manager leaking any telemetry via insecure channels wasn’t lost on researchers.
“The fact that a password manager uses unencrypted requests for telemetry erodes trust in its overall security posture.”
The DualSafe team has since patched the vulnerability, switching to HTTPS for all outbound telemetry.
The report concludes with a warning to users and developers alike:
“Unencrypted traffic is trivially accessible to anyone performing a Man-in-the-Middle attack… The risk is not just theoretical.”
Symantec advises users of the affected extensions to uninstall them immediately unless updates have been issued to switch to encrypted communications. Developers are urged to adopt HTTPS by default, especially when handling any user-related data—even analytics.