Recent discoveries have shown that many widely used Chrome extensions, including Everway's Antidote Connector, pose serious security risks. All of these extensions are built on InboxSDK. In almost all cases, they transmit sensitive user data over unencrypted HTTP, creating a substantial risk to the confidentiality of user information.
The Antidote Connector is one of over 90 extensions that use InboxSDK, a very popular software development kit. The ramifications of this vulnerability therefore extend beyond Everway: any other extension built with the same SDK is just as susceptible. In an internal assessment, Everway pinpointed this risk, recorded it in its ISO27001 risk register and marked it as "accepted" because of its narrow scope.
Ryan Graham, the chief technology officer at Everway, acknowledged the situation and stated, “This risk was logged in our ISO27001 risk-register at the time of development, and marked as ‘accepted’ given the limited scope.” According to experts, sometimes it only takes a small misconfiguration to expose massive amounts of sensitive data. Yuanjing Guo noted, “From GA4 analytics secrets to Azure speech keys, and from AWS S3 credentials to Google-specific tokens, each of these snippets demonstrates how a few lines of code can jeopardize an entire service.”
The risk is especially alarming considering that some popular extensions may have been sending sensitive information back to their developers' servers without users' explicit consent. In response, Symantec has advised users of these extensions to remove them until the developers correct the insecure HTTP calls.
“Users of these extensions should consider removing them until the developers address the insecure [HTTP] calls,” – Symantec
Equatio, another developer affected by the issue, acknowledged that while its exposed Azure API key was limited in scope and had a low monthly usage cap, the exposure still poses real risk. In particular, the developer stated that the key only affects the developer itself and is used only for limited transactional purposes.
Even with these reassurances, industry experts warn that extensions should come under additional scrutiny. Yuanjing Guo remarked, “Extensions should be scrutinized for the protocols they use and the data they share, to ensure users’ information remains truly safe.” He warned organizations not to store any sensitive credentials on the client side. Security mistakes such as hard-coded credentials can expose sensitive data and cause lasting harm.
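A defender-side check in the spirit of Guo's advice, added here as an example and not code from Everway, Symantec or InboxSDK: it scans an unpacked extension's source for plaintext http:// endpoints and for the kinds of hard-coded provider keys the article names, and runs it over a constructed leaky script and its hardened counterpart. The sample scripts, hostnames and key values are constructed, and the key patterns are heuristics rather than an exhaustive secret scanner.

```python
import re

# Constructed sample of an extension background script (not Everway's, InboxSDK's or
# any real extension's code) showing the two defect classes from the article:
# plaintext HTTP endpoints and provider credentials hard-coded on the client.
LEAKY_EXTENSION_JS = r"""
const GA_ENDPOINT = "http://www.google-analytics.com/mp/collect";
const GA_API_SECRET = "abcDEFghiJKLmnoPQRstu";
const AZURE_SPEECH_KEY = "0123456789abcdef0123456789abcdef";
const AWS_KEY = "AKIAEXAMPLE0000000AB";
fetch(GA_ENDPOINT + "?measurement_id=G-XXXX&api_secret=" + GA_API_SECRET,
      {method: "POST", body: JSON.stringify({email: userEmail})});
fetch("http://telemetry.example.invalid/v1/events", {method: "POST", body: payload});
fetch("https://speech.example.invalid/issueToken",
      {headers: {"Ocp-Apim-Subscription-Key": AZURE_SPEECH_KEY}});
"""
# Hardened counterpart: TLS everywhere, and the extension asks its own backend for a
# short-lived token instead of shipping a long-lived provider key to every user.
HARDENED_EXTENSION_JS = r"""
fetch("https://api.example.invalid/v1/speech-token", {credentials: "include"})
  .then(r => r.json())
  .then(({token}) => fetch("https://speech.example.invalid/synthesize",
                           {headers: {Authorization: "Bearer " + token}}));
fetch("https://api.example.invalid/v1/events", {method: "POST", body: payload});
"""

RULES = {
    # A literal http:// URL: whatever the call carries crosses the network in the clear.
    "plaintext_http_endpoint": re.compile(r"""["']http://[^"'\s]+["']"""),
    # AWS access key IDs: fixed AKIA prefix followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # GA4 Measurement Protocol api_secret assigned to a string literal.
    "ga4_api_secret": re.compile(r"""api_secret\s*[:=]\s*["'][A-Za-z0-9_\-]{10,}["']""", re.I),
    # Azure Cognitive Services keys are 32 hex characters (heuristic, may over-match).
    "azure_32hex_key": re.compile(r"""["'][0-9a-f]{32}["']"""),
}


def audit_extension_source(js_source: str) -> dict[str, list[tuple[int, str]]]:
    """Return {rule_name: [(line_number, matched_text), ...]}; empty dict means no hits."""
    findings: dict[str, list[tuple[int, str]]] = {name: [] for name in RULES}
    for line_no, line in enumerate(js_source.splitlines(), start=1):
        for name, pattern in RULES.items():
            for match in pattern.finditer(line):
                findings[name].append((line_no, match.group(0)))
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    for name, hits in audit_extension_source(LEAKY_EXTENSION_JS).items():
        print(name, hits)
    print("hardened:", audit_extension_source(HARDENED_EXTENSION_JS))
```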
The overarching lesson from this incident is clear: a large install base or a well-known brand does not guarantee adherence to best practices concerning encryption and user data protection.