A new wave of security concerns has emerged within the Chrome Web Store after researchers uncovered widespread leakage of API keys, secrets, and tokens across several popular browser extensions.
Hardcoded credentials, that is, sensitive information embedded directly in an extension's JavaScript source, pose a significant threat: every extension package is downloadable and trivially unpacked, so an attacker only needs to inspect the shipped files to extract the secrets.
Exploitation Pathways
The vulnerability arises primarily from the direct inclusion of sensitive credentials such as API keys and secret tokens within extension code.
Once available in the public domain, these secrets can be harvested by malicious actors, enabling them to carry out attacks ranging from cost-incurring service abuse to direct compromise of analytics and financial systems.
For example, Avast Online Security & Privacy (with over 7 million users) and AVG Online Security (over 600,000 users) each contained hardcoded Google Analytics 4 (GA4) API secrets.
According to Symantec's report, attackers can use these secrets to send fraudulent analytics events, corrupting valuable metrics and potentially incurring substantial cloud service charges for the developers.
Similarly, Equatio Math Made Digital (5 million users) was found to embed an Azure API key for speech recognition directly in its client-side code, leaving the associated subscription susceptible to resource exhaustion and financial exploitation.
Another egregious instance involves the Awesome Screen Recorder & Screenshot and Scrolling Screenshot Tool & Screen Capture extensions.
Each exposes AWS access keys used for screenshot uploads, which can allow attackers to script unauthorized uploads to Amazon S3 buckets.

Threat actors could leverage these credentials to store illegal content, distribute malware, or even pivot to broader AWS account abuse should the keys be overprivileged.
Moreover, Microsoft Editor Spelling & Grammar Checker exposed telemetry keys, which, if misused, could result in skewed analytics or unwarranted charges due to telemetry spamming.
A notable supply-chain dimension was revealed in extensions relying on the InboxSDK library, such as Antidote Connector.
Over 90 extensions using this library were affected: the library places a hardcoded Google API key in its request headers, which could allow unauthorized Gmail interactions or exhaust the developer's API quota.
Other high-profile leaks include Watch2Gether revealing a Tenor GIF API key, Trust Wallet exposing a fiat ramps API key (potentially endangering crypto purchase flows), and TravelArrow leaking a geolocation API key, all of which could result in financial, operational, or reputational damage.

Underlying Causes
The principal security oversight in these cases is the failure to adhere to best practices for API credential management.
Storing secrets client-side, whether for convenience or speed, directly contravenes principles of least privilege and secure software design.
As these incidents highlight, any exposed API key, irrespective of perceived importance, is susceptible to abuse or monetization.
To mitigate such risks, experts recommend routing sensitive operations through a secure, server-side backend where credentials can be protected using environment variables or specialized secret management systems.
Periodic key rotation, strict access controls, and active monitoring for key usage anomalies are also essential.
Developers are urged to update affected extensions swiftly, refactoring code to eliminate hardcoded secrets and implementing robust authentication mechanisms. Any key that has already shipped in a published version should be treated as compromised and rotated even after the fix, since the old package remains installed on users' machines and downloadable from the store's version history, thus safeguarding user trust and service reliability.
End users should install extensions exclusively from trusted sources, scrutinize permission requests, and maintain updated security solutions.
Indicators of Compromise (IOC)
Name | Extension ID | User Count | Credential Exposed |
---|---|---|---|
Avast Online Security & Privacy | gomekmidlodglbbmalcneegieacbdmki | 7,000,000 | GA4 API Secret |
AVG Online Security | nbmoafcmbajniiapeidgficgifbfmjfo | 600,000 | GA4 API Secret |
Equatio – Math Made Digital | hjngolefdpdnooamgdldlkjgmdcmcjnc | 5,000,000 | Azure API Key |
Awesome Screen Recorder & Screenshot | nlipoenfbbikpbjkfpfillcgkoblgpmj | 3,000,000 | AWS Access Key |
Scrolling Screenshot Tool & Screen Capture | mfpiaehgjbbfednooihadalhehabhcjo | 400,000 | AWS Access Key |
Microsoft Editor: Spelling & Grammar Checker | gpaiobkfhnonedkhhfjpmhdalgeoebfa | 2,000,000 | Microsoft Telemetry Key |
Antidote Connector | lmbopdiikkamfphhgcckcjhojnokgfeo | 1,000,000 | Google API Key |
Watch2Gether | cimpffimgeipdhnhjohpbehjkcdpjolg | 1,000,000 | Tenor GIF Search API Key |
Trust Wallet | egjidjbpglichdcondbcbdnbeeppgdph | 1,000,000 | Fiat Ramp API Key |
Speed Dial [FVD] – New Tab Page, 3D, Sync | llaficoajjainaijghjlofdfmbjpebpa | 500,000 | GA4 API Secret |
SellerSprite – Amazon Research Tool | lnbmbgocenenhhhdojdielgnmeflbnfb | 400,000 | GA4 API Secret |
TravelArrow – Your Virtual Travel Agent | coplmfnphahpcknbchcehdikbdieognn | 300,000 | Geolocation API Key |