
Unmasking Insecure HTTP Data Leaks in Popular Chrome Extensions

Extensions analyzed expose information such as browsing domains, machine IDs, OS details, usage analytics, and more.

Many users assume that popular Chrome extensions adhere to strong security practices, especially when the extensions themselves promise functionality related to privacy, ranking analytics, or convenient new tab features. However, recent findings show that several widely used extensions—SEMRush Rank, PI Rank, MSN New Tab/Homepage, DualSafe Password Manager, and Browsec VPN—unintentionally transmit sensitive data over simple HTTP. By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information, in plaintext. Because the traffic is unencrypted, a Man-in-the-Middle (MITM) attacker on the same network can intercept and, in some cases, even modify this data, leading to far more dangerous scenarios than simple eavesdropping. This blog illustrates the exact points where these leaks occur, why they are problematic, and how the resulting disclosures can be exploited for profiling, data correlation, or targeted attacks.

SEMRush Rank and PI Rank: Unencrypted browsing domains

Two extensions, SEMRush Rank (ID: idbhoeaiokcojcgappfigpifhpkjgmab) with over 30,000 users, and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl), exhibit identical patterns in their code. Both rely on a service URL of the form shown in Figure 1.

Figure 1. Service URL used by SEMRush Rank and PI Rank extensions

The variable “url” corresponds to the user’s currently visited domain. The extensions thus call rank.trellian.com over plain HTTP, appending the entire domain name in the query string. Because HTTP provides no encryption, anyone with the ability to sniff network traffic can read that domain name. On a public Wi-Fi or compromised network, this means user browsing activity is visible to attackers. It is particularly concerning that these extensions are intended to display website rank, which suggests users might frequently engage them, causing repeated unencrypted calls that reveal domains the user is visiting.

Browsec VPN – Free VPN for Chrome: Uninstall telemetry and HTTP endpoints

Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh) claims to have more than 6 million users. While it promises a secure and private web experience, its uninstall flow and manifest file illustrate a different story. The extension sets an uninstall URL in the background code. Notice the uninstallURL is chosen based on whether the build is “qa” or not, defaulting to an HTTP endpoint at browsec-uninstall.s3-website.eu-central-1.amazonaws.com. The code then gathers usage statistics (like countryChanges, iconClicks, and others), along with a unique user ID (userId), and appends them as query parameters. Finally, it calls chrome.runtime.setUninstallURL to ensure this plaintext link is opened when the user uninstalls Browsec.

Figure 2. Browsec VPN sets an uninstall URL in the background code

Even more revealing is the Browsec VPN manifest, which allows connect-src to a long list of HTTP domains such as http://trafcfy.com and many similar endpoints. This wide array of unsecured hosts suggests the extension is permitted to initiate plain HTTP connections to multiple third-party servers, undermining the expectation that a VPN-focused tool would always encrypt traffic. Because any unencrypted call is susceptible to interception or manipulation, a MITM attacker could hijack these Browsec VPN requests or responses, further jeopardizing user privacy.

Figure 3. The Browsec VPN manifest allows connect-src to a long list of HTTP domains
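The two Browsec findings above (an http: host list in the manifest's connect-src and a plaintext uninstall URL passed to chrome.runtime.setUninstallURL) are exactly the things a reviewer can check for mechanically before installing or shipping an extension. The following audit script is an added example written for this post; it is not Symantec's or Browsec's code, and the manifest and background snippet it inspects are constructed to mirror the patterns described, not copied from the extension.

```python
"""Audit a Chrome extension bundle for plaintext HTTP endpoints.

Added illustration (not code from Symantec or any extension): checks the
manifest's content_security_policy connect-src for http: sources and scans
script text for http:// URL literals and setUninstallURL calls.
"""
import json
import re

HTTP_URL_RE = re.compile(r"""["'`](http://[^"'`\s]+)["'`]""")
UNINSTALL_RE = re.compile(r"chrome\.runtime\.setUninstallURL\s*\(")

def csp_directive(csp: str, name: str) -> list[str]:
    """Return the source list of one CSP directive (empty if absent)."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == name:
            return tokens[1:]
    return []

def manifest_http_sources(manifest: dict) -> list[str]:
    """List http: sources allowed by connect-src (MV2 string or MV3 dict)."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form: {"extension_pages": "..."}
        csp = " ; ".join(csp.values())
    return [s for s in csp_directive(csp, "connect-src") if s.startswith("http:")]

def script_findings(source: str) -> dict:
    """Plaintext URL literals and whether an uninstall URL is set at all."""
    return {
        "http_urls": sorted(set(HTTP_URL_RE.findall(source))),
        "uninstall_url_set": bool(UNINSTALL_RE.search(source)),
    }

def audit(manifest_json: str, script_source: str) -> dict:
    findings = script_findings(script_source)
    findings["connect_src_http"] = manifest_http_sources(json.loads(manifest_json))
    findings["plaintext_risk"] = bool(findings["connect_src_http"] or findings["http_urls"])
    return findings

# Constructed sample data shaped like the Browsec pattern described in the post.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "content_security_policy": "script-src 'self'; object-src 'self'; "
        "connect-src 'self' https://api.example.com http://trafcfy.com http://stats.example.net",
})
SAMPLE_BACKGROUND = """
const base = build === 'qa' ? 'https://qa.example.com/uninstall'
  : 'http://browsec-uninstall.s3-website.eu-central-1.amazonaws.com/';
chrome.runtime.setUninstallURL(base + '?userId=' + userId + '&iconClicks=' + stats.iconClicks);
"""

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_BACKGROUND), indent=2))
```

Run against a real unpacked extension by feeding it the manifest.json text and each background or service-worker script; any non-empty `connect_src_http` or `http_urls` is a plaintext endpoint worth questioning.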

MSN New Tab & MSN Homepage: Sending unique machine IDs

MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl) with about 500,000 users, and MSN Homepage, Bing Search & News (ID: midiombanaceofjhodpdibeppmnamfcj) with 10,000 users, rely on a function named SendPingDetails. That function, shown in Figure 4, transmits a MachineID and other details over HTTP.

Figure 4. SendPingDetails function transmits a MachineID and other details over HTTP

This code constructs a URL beginning with and appends parameters for the operating system (OS), the extension’s version (LV), and a unique machine identifier (MI). The MachineID is created by another function, guid, which generates a stable value to represent the user’s device. Because everything is sent in the clear (for example MI=someUniqueId123), it is easy to see how a passive listener on the network can collect that ID. Over time, repeated calls to the same ID can link multiple browsing sessions or physical locations, leading to sophisticated user profiling. The large user base of MSN New Tab in particular raises further concerns, since half a million or more users may be leaking OS details and stable machine IDs with each ping.

DualSafe Password Manager & Digital Vault: Insecure usage calls

DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc), with around 300,000 users, is another example of an extension sending unencrypted analytics. In the snippet shown in Figure 5, the statistics.getURL method constructs an HTTP-based request.

Figure 5. The statistics.getURL method constructs an HTTP-based request that leads to the extension making a call to stats.itopupdate.com over plain HTTP

This function eventually causes the extension to make a call to stats.itopupdate.com over plain HTTP. The data includes the extension version, user’s browser language, and usage “type,” among other metrics. Although credentials or passwords do not appear to be leaked, the fact that a password manager uses unencrypted requests for telemetry erodes trust in its overall security posture. Network eavesdroppers or malicious access points can examine these calls to see how the extension is being used and possibly track the user’s environment. DualSafe has since addressed the problem in its latest release, switching the telemetry endpoint to HTTPS and encrypting all transmitted data.

Conclusion

All of the previously mentioned extensions make HTTP requests that expose user data in plaintext. While none of them appear to leak direct passwords, the variety of information that does leak includes browsing domains, unique machine IDs, OS details, usage metrics, and even final uninstall parameters. Unencrypted traffic is trivially accessible to anyone performing a Man-in-the-Middle attack, allowing them not only to collect but also to potentially manipulate this data in flight. That data can be combined or correlated by any party who can intercept the connection, including malicious hotspots, internet service providers, and other eavesdroppers.

Users of these extensions should consider removing them until the developers address the insecure calls. The risk is not just theoretical; unencrypted traffic is simple to capture, and the data can be used for profiling, phishing, or other targeted attacks. Developers, for their part, should switch to HTTPS whenever they send or receive data, especially if the purpose of their extension is to protect user privacy or provide security-related features. The overarching lesson is that a large install base or a well-known brand does not necessarily ensure best practices around encryption. Extensions should be scrutinized for the protocols they use and the data they share, to ensure users’ information remains truly safe.

All of the developers whose extensions were discussed in this blog have been notified about the issues we uncovered.

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Symantec recommends users follow these best practices to stay protected from browser extension threats:

  • Install a suitable security app, such as Symantec Endpoint Protection, to protect your device and data
  • Refrain from downloading extensions from unfamiliar sites and only install extensions from trusted sources
  • Pay close attention to the permissions that extensions request
  • Make frequent backups of important data

About the Author

Yuanjing Guo

Software Engineer

Yuanjing is a member of Symantec's Security Technology and Response team, which is focused on researching and developing automation technologies in mobile security.
