June 26, 2025

The Hidden Dangers of Browser Extensions And How Quilr Helps You Regain Control

Mohamed Osman

Extensions can unintentionally leak sensitive data or embed exploitable secrets. Users should remove any of the affected extensions, and developers must adopt stronger practices to minimize risk: encrypting data, avoiding client-side secrets, and rotating credentials.

These risks are far from theoretical. In recent cases, researchers uncovered popular Chrome extensions exposing sensitive data through unencrypted traffic and hard-coded API keys embedded in JavaScript. These issues pose serious security concerns across corporate and personal environments.

The Risks: Unencrypted Traffic & Embedded Secrets

Unencrypted HTTP traffic can be intercepted or modified via man-in-the-middle (MitM) attacks, especially on public Wi-Fi. This allows attackers to:

  • Steal session tokens or cookies
  • Modify responses to inject phishing payloads
  • Profile users and track activity without consent

Even more alarming are hard-coded secrets: API keys and tokens hardwired into the extension's source code. These can be:

  • Extracted easily by reverse-engineering
  • Repurposed to spam telemetry systems
  • Used to host illicit content on cloud services
  • Exploited to initiate unauthorized crypto transactions

Recent investigations uncovered multiple examples of risky behavior in widely installed Chrome extensions that leak sensitive data or expose secrets:

  • SEMRush Rank and PI Rank, meant to provide SEO ranking and visibility insights, transmit browsing activity over unencrypted HTTP to unsecured servers.
  • DualSafe Password Manager, designed to securely store credentials, sends telemetry data without encryption, contradicting its core purpose.
  • Awesome Screenshot & Screen Recorder, a tool for capturing and sharing screen content, embeds AWS access tokens directly in its code, risking cloud abuse.
  • Equatio, an educational tool for digitizing math input via voice or handwriting, exposes a Microsoft Azure Speech API key, opening the door to unauthorized usage.
  • Trust Wallet, a crypto wallet extension for managing digital assets, was discovered leaking API keys linked to crypto payment platforms, potentially enabling financial abuse or impersonation.

These aren't obscure tools; many of them have millions of installs and five-star ratings. Popularity doesn't mean security.

How Quilr Helps You See and Secure Extension Risks

Quilr gives your security team the visibility and control needed to manage browser extensions organization-wide.

With Quilr, you get:

  • A complete inventory of every extension installed by employees, whether from the official Web Store, sideloaded via .crx, or force-installed by a third-party installer.
  • For each extension, Quilr collects:
      • Extension Name and ID
      • Version and Source
      • Installation Method (Web Store, sideloaded, policy-forced, etc.)
      • Detailed Permissions requested (e.g. read clipboard, access tabs, modify requests)

Whether you're defending a startup or a global enterprise, browser extensions remain an unmonitored blind spot in many environments.

Chrome extensions can serve useful purposes, but they also introduce silent risk. From exfiltrating browsing behavior to leaking cloud secrets, the impact can be severe and far-reaching.

Not part of the Quilr family yet?

If you're still investigating browser extensions manually and don't yet have automated tools doing the heavy lifting, here’s a practical set of guidelines to help you assess their security and privacy posture:

Check for Unencrypted Communication
Extensions that transmit data over HTTP instead of HTTPS put users at risk of eavesdropping and tampering. Only trust extensions that use encrypted channels for all network activity.

Look for Embedded Secrets
Hardcoded API keys, access tokens, or credentials within the extension code can be easily extracted and misused. A secure extension should never expose sensitive data in client-side code.

Review Permission Scope
Pay attention to what the extension is allowed to do. Broad permissions like access to tabs, clipboard, file system, or "<all_urls>" may indicate unnecessary or risky behavior.

Watch for Undisclosed Tracking or Telemetry
Some extensions quietly send user data to third-party domains without disclosure. This behavior can violate privacy expectations and even platform policies.

Assess Code Transparency and Obfuscation
While some minification is expected, excessively obfuscated or unreadable code may be used to hide malicious activity. Extensions with open-source or well-documented codebases tend to be safer.

Evaluate Update and Maintenance Activity
Stale extensions that haven’t been updated in months or years may contain unpatched vulnerabilities. Actively maintained projects are more likely to align with modern security practices.

Verify Source and Distribution Channel
Stick to extensions published on official stores like the Chrome Web Store. Avoid downloading from third-party sites unless you fully trust the publisher and can inspect the code.

Check for Third-Party Script Inclusion
Extensions that load external scripts at runtime can introduce supply chain risks. Favor those that bundle their dependencies and avoid dynamic code loading from unknown domains.

Analyze Network Behavior in Context
Even when using HTTPS, unusual patterns like excessive background communication with analytics platforms can be a sign of excessive data collection or misuse.

Correlate Functionality with Behavior
Make sure the extension’s actions match its stated purpose. Any unexpected access or background behavior that isn't clearly tied to its core function should raise concern.
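
The first three checks in this list (unencrypted communication, embedded secrets, permission scope) can be given a scripted first pass over an extension's unpacked files. The following is an added example, not code from Quilr or from the extensions named above; the `auditExtension` function, its rule lists and the sample files are assumptions constructed for illustration.

```javascript
// Static triage of an unpacked extension: cleartext URLs, embedded secrets, broad permissions.
// Input is a map of relative path -> file text. Rule lists are illustrative, not exhaustive.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*",
  "tabs", "cookies", "history", "webRequest", "clipboardRead"]);
const SECRET_RULES = [
  ["aws-access-key-id", /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g],
  ["assigned-secret", /(?:api[_-]?key|secret|token)["']?\s*[:=]\s*["'][A-Za-z0-9_\-\/+]{20,}["']/gi],
];
const HTTP_URL = /http:\/\/[^\s"'`<>)]+/g;
// Not a network risk: loopback and XML namespace identifiers.
const HTTP_IGNORE = /^http:\/\/(?:localhost|127\.0\.0\.1|www\.w3\.org)(?:[:\/]|$)/;

function auditExtension(files) {
  const findings = [];
  const add = (check, file, detail) => findings.push({ check, file, detail });

  const manifest = JSON.parse(files["manifest.json"] || "{}");
  const requested = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const p of new Set(requested)) {
    if (BROAD.has(p)) add("broad-permission", "manifest.json", p);
  }

  for (const [file, text] of Object.entries(files)) {
    for (const url of text.match(HTTP_URL) || []) {
      if (!HTTP_IGNORE.test(url)) add("cleartext-url", file, url);
    }
    for (const [name, re] of SECRET_RULES) {
      for (const hit of text.match(re) || []) {
        // Report only a prefix so the report does not spread the secret further.
        add(name, file, hit.slice(0, 8) + "...");
      }
    }
  }
  return findings;
}

// Constructed sample. AKIAIOSFODNN7EXAMPLE is the example key ID from AWS documentation.
const sample = {
  "manifest.json": JSON.stringify({ manifest_version: 3, permissions: ["storage", "tabs"], host_permissions: ["<all_urls>"] }),
  "background.js": 'const AWS_ID = "AKIAIOSFODNN7EXAMPLE";\nfetch("http://stats.example.test/collect?u=" + encodeURIComponent(location.href));',
  "icon.svg": '<svg xmlns="http://www.w3.org/2000/svg"></svg>',
};
console.log(auditExtension(sample));
```

Static matches are leads rather than verdicts: URLs assembled at runtime and obfuscated strings will not match, so pair this with the network-behavior checks in the rest of the list.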

With Quilr, you don’t need to guess who’s running what. You see it. You understand it. And you can act on it.

AUTHOR
Mohamed Osman

Mohamed Osman is a seasoned Field CTO with over 20 years of experience in cybersecurity, specializing in SIEM, SOAR, UBA, insider threats, and human risk management. A recognized innovator, he has led the development of award-winning security tools that improve threat detection and streamline operations. Mohamed’s deep expertise in insider threat mitigation has helped organizations strengthen their defenses by identifying and addressing internal risks early. His work has earned him honors like the Splunk Innovation Award and recognition for launching the Zain Security Operations Center. With a strategic mindset and hands-on leadership, Mohamed Osman continues to shape the future of cybersecurity—empowering enterprises to stay ahead of evolving threats.