Cybersecurity researchers have found that several popular Chrome extensions, including SEMRush Rank, Browsec VPN, and DualSafe Password Manager, transmit sensitive data over unencrypted HTTP, exposing users to privacy risks and adversary-in-the-middle (AitM) attacks. Extensions like Online Security & Privacy and Equatio also embed hard-coded API keys and secrets, potentially allowing attackers to exploit these for malicious purposes, such as manipulating telemetry data, hosting illegal content, or inflating usage costs. Developers are urged to adopt HTTPS, store secrets securely, and rotate them regularly, while users should consider uninstalling affected extensions until these issues are fixed. The findings highlight how even well-known extensions can suffer from poor security practices.
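As an added illustration (not code from the researchers or from any of the named extensions), a static check along these lines flags the two weakness classes described above in an unpacked extension's files: cleartext `http://` endpoints and string literals assigned to secret-looking names. The rule names, regex heuristics and sample files are constructed assumptions.

```javascript
// Added example: static audit of an unpacked extension's text files.
// Heuristics and rule names are assumptions, not taken from any named extension.

// Cleartext URLs, ignoring loopback and the W3C XML namespace host (common in SVG).
const HTTP_URL = /\bhttp:\/\/(?!localhost\b|127\.0\.0\.1\b|www\.w3\.org\b)[^\s"'`<>)]+/g;

// A name containing key/secret/token/password, assigned a quoted literal of 16+ chars.
const SECRET_ASSIGN =
  /\b([\w$]*(?:key|secret|token|passw(?:or)?d)[\w$]*)["']?\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/gi;

// files: { "relative/path": "file contents" } -> list of findings with file and line.
function auditExtension(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      for (const m of line.matchAll(HTTP_URL)) {
        findings.push({ rule: "cleartext-http", file: name, line: i + 1, detail: m[0] });
      }
      for (const m of line.matchAll(SECRET_ASSIGN)) {
        // Report the identifier only, never echo the secret value into logs.
        findings.push({ rule: "hardcoded-secret", file: name, line: i + 1, detail: m[1] });
      }
    });
  }
  return findings;
}

// Constructed sample input (hypothetical extension, reserved .test domains).
const sampleExtension = {
  "manifest.json":
    '{\n  "name": "Sample",\n  "host_permissions": ["http://stats.example.test/*", "https://api.example.test/*"]\n}',
  "background.js": [
    'const TELEMETRY_API_KEY = "EXAMPLEONLY0000000000000000";',
    'fetch("http://stats.example.test/collect?u=" + encodeURIComponent(tabUrl));',
    'fetch("https://api.example.test/v1/ping");',
    "const token = await getTokenFromBackend();",
  ].join("\n"),
};

for (const f of auditExtension(sampleExtension)) {
  console.log(`${f.rule}  ${f.file}:${f.line}  ${f.detail}`);
}
```

Hits from heuristics like these are pointers for manual review: they miss obfuscated or concatenated values and can flag harmless strings.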