This function eventually causes the extension to make a call to stats.itopupdate.com over plain HTTP. The data includes the extension version, user’s browser language, and usage “type,” among other metrics. Although credentials or passwords do not appear to be leaked, the fact that a password manager uses unencrypted requests for telemetry erodes trust in its overall security posture. Network eavesdroppers or malicious access points can examine these calls to see how the extension is being used and possibly track the user’s environment. DualSafe has since addressed the problem in its latest release, switching the telemetry endpoint to HTTPS and encrypting all transmitted data.
Conclusion
All of the previously mentioned extensions make HTTP requests that expose user data in plaintext. While none of them appear to leak passwords directly, the variety of information that does leak includes browsing domains, unique machine IDs, OS details, usage metrics, and even final uninstall parameters. Unencrypted traffic is trivially accessible to anyone performing a Man-in-the-Middle attack, allowing them not only to collect but also to potentially manipulate this data in flight. That data can be combined or correlated by any party who can intercept the connection, including malicious hotspots, internet service providers, and other eavesdroppers.
Users of these extensions should consider removing them until the developers address the insecure calls. The risk is not just theoretical; unencrypted traffic is simple to capture, and the data can be used for profiling, phishing, or other targeted attacks. Developers, for their part, should switch to HTTPS whenever they send or receive data, especially if the purpose of their extension is to protect user privacy or provide security-related features. The overarching lesson is that a large install base or a well-known brand does not necessarily ensure best practices around encryption. Extensions should be scrutinized for the protocols they use and the data they share, to ensure users’ information remains truly safe.
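One way to do that scrutiny on an unpacked extension, as an added example that is not from the original post or from any of the vendors discussed: a Node.js scan for hardcoded `http://` endpoints and plain-HTTP host permissions. The file map, the `example.test` hosts and the function names are constructed for illustration.

```javascript
// Hosts that stay on the machine, or that only appear as XML namespace identifiers.
const IGNORED_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]", "www.w3.org"]);
const HTTP_URL = /\bhttp:\/\/[^\s"'`<>)\\]+/gi;

// Return every plain-HTTP URL literal in a source file, query string stripped.
function findInsecureUrls(text) {
  const hits = [];
  for (const match of text.matchAll(HTTP_URL)) {
    let url;
    try { url = new URL(match[0]); } catch { continue; } // not a parseable URL
    if (!IGNORED_HOSTS.has(url.hostname)) hits.push(url.origin + url.pathname);
  }
  return hits;
}

// files: { relativePath: fileText } for an unpacked extension (loading is up to the caller).
function auditExtension(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith("manifest.json")) {
      const manifest = JSON.parse(text);
      // MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
      const patterns = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
      patterns.filter((p) => typeof p === "string" && p.startsWith("http://"))
        .forEach((value) => findings.push({ path, kind: "manifest-permission", value }));
    } else {
      findInsecureUrls(text)
        .forEach((value) => findings.push({ path, kind: "hardcoded-url", value }));
    }
  }
  return findings;
}

// Constructed sample input (hypothetical extension, reserved .test domain).
const SAMPLE_FILES = {
  "manifest.json": JSON.stringify({
    manifest_version: 3,
    host_permissions: ["http://telemetry.example.test/*", "https://api.example.test/*"],
  }),
  "background.js": [
    'const SVG_NS = "http://www.w3.org/2000/svg";',
    'fetch("http://telemetry.example.test/collect?v=" + version + "&lang=" + navigator.language);',
    'fetch("https://api.example.test/sync");',
  ].join("\n"),
};
console.log(auditExtension(SAMPLE_FILES));
```

A string scan like this misses URLs assembled at runtime, so a clean result should still be confirmed by watching the extension's traffic through a local proxy.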
All of the developers whose extensions were discussed in this blog have been notified about the issues we uncovered.
Protection/Mitigation
For the latest protection updates, please visit the Symantec Protection Bulletin.
Symantec recommends users follow these best practices to stay protected from browser extension threats:
- Install a suitable security app, such as Symantec Endpoint Protection, to protect your device and data
- Refrain from downloading extensions from unfamiliar sites and only install extensions from trusted sources
- Pay close attention to the permissions that extensions request
- Make frequent backups of important data