Security Flaws In Chrome Extensions: The Hidden Dangers Of Hardcoded Credentials
Symantec, Thursday, June 5th, 2025
API keys, secrets, and tokens commonly left exposed in browser extensions' code.
Hardcoded credentials (API keys, secrets, or tokens located directly in a browser extension's JavaScript) rank among the most significant security oversights in modern development. Once published, these secrets are exposed to anyone who cares to look; an attacker needs only inspect the extension package to extract them.
From there, the attacker can craft malicious requests, ranging from spamming analytics with bogus events to commandeering paid cloud services, incurring fees, and undermining user privacy. In this blog, we will examine individual examples drawn from popular Chrome extensions, noting the specific code snippets that reveal each secret and explaining the associated risks.
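The review process the post describes, inspecting an unpacked extension package for secrets, is something a developer or security reviewer can automate before publishing. The scanner below is an added example written for this page, not Symantec's tooling and not code from any extension discussed here. It walks a dictionary standing in for an unpacked extension directory (the file names and contents are constructed; the Google API key value is made up and the AWS values are AWS's documented placeholder credentials), flags provider-specific key formats by their known prefixes, and applies a generic rule that combines a key-like variable name with a Shannon-entropy check so that ordinary UI strings are not reported. The entropy threshold of 4.0 bits per character is an assumed tuning value, not a standard.

```python
import math
import re
from collections import Counter

# Constructed sample of an unpacked extension (not any real extension's code).
# Values: the Google-style key is invented; the AWS pair is AWS's public example.
SAMPLE_FILES = {
    "background.js": (
        'const API_KEY = "AIzaSyA1B2C3D4E5F6G7H8I9J0KLMNOPQRSTUVW";\n'
        'fetch("https://telemetry.example.invalid/v1/events?key=" + API_KEY);\n'
    ),
    "lib/storage.js": (
        'const aws = {accessKeyId: "AKIAIOSFODNN7EXAMPLE",\n'
        '             secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"};\n'
        'const passwordPlaceholder = "enter-your-password-here";\n'
    ),
    "manifest.json": '{"manifest_version": 3, "name": "demo"}',
}

# Provider-specific rules use documented key prefixes and lengths; the generic
# rule needs a key-like identifier followed by a quoted string of 16+ chars.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "generic_secret": re.compile(
        r"(?i)(?:secret|token|api_?key|password)\w*[\"']?\s*[:=]\s*"
        r"[\"']([^\"'\n]{16,})[\"']"
    ),
}
# Assumed tuning value: prose-like strings sit well below 4 bits/char,
# random-looking credentials sit above it.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_extension(files: dict) -> list:
    """Return one finding per (file, value) pair that looks like a credential.

    files maps a relative path inside the unpacked extension to its text.
    """
    findings = []
    for path, text in files.items():
        if not path.endswith((".js", ".json", ".html")):
            continue
        seen = set()  # a value already caught by a specific rule is not re-reported
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(1) if m.groups() else m.group(0)
                if value in seen:
                    continue
                if kind == "generic_secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # key-like name but a low-entropy, prose-like value
                seen.add(value)
                line = text.count("\n", 0, m.start()) + 1
                findings.append({"file": path, "line": line, "kind": kind, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_extension(SAMPLE_FILES):
        # Print only a prefix so a real run never echoes a whole secret into logs.
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value'][:8]}...")
```

Run against a real unpacked extension, the `SAMPLE_FILES` dictionary would be replaced by reading every file under the extension directory; the same rules apply to minified bundles, since minification changes variable names but not string literals, which is exactly why the generic rule also matches object keys such as `secretAccessKey:`. A hit is a signal to move the credential server-side or behind a short-lived token, not merely to obfuscate it, because anything shipped in the package remains recoverable.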