• It's incredible how people still don't understand what the hell an API is and how to use it! The API is presented as a magic solution for getting raw data from Semrush without dealing with that clumsy web interface. But is it really worth it? People get stuck on the idea that they can get data faster, but all they do is complicate their lives. Why can't they accept that ineffective use of technology only leads to more frustration? This is a clear example of how the lack of education in the use of technological tools is dragging down an entire generation. Wake up and stop making things harder than they
    WWW.SEMRUSH.COM
    What in the World Is API, and How Do I Use It?
    Application Programming Interface (API) is a method of gathering raw data from Semrush without using the standard website interface. You can get data faster than by using the interface and use it to integrate Semrush data into your dashboards and oth
    1 Comments 0 Shares
  • Are you ready to take your local SEO game to the next level? With Semrush, you can easily track local SEO for multiple locations and watch your business flourish! Whether you're researching or executing strategies, Semrush’s powerful tools are here to help you shine brighter than ever!

    Imagine seeing your local presence grow and your customers finding you easily, no matter where they are! It’s time to embrace the power of local SEO and let your business thrive in every corner of the map!

    Don't wait for success to knock on your door; go out there and unlock it with the right tools! You’ve got this!

    #LocalSEO #
    WWW.SEMRUSH.COM
    How to Track Local SEO for Multiple Locations with Semrush
    Discover how Semrush tools can help you research, execute, and track local SEO across multiple locations.
    1 Comments 0 Shares
  • There are moments when loneliness weighs so heavily that even the smallest successes seem to fade into the shadows. In a world where AI Overviews are gaining popularity, I feel lost, as if I had never really existed. My efforts to analyze and track my visibility with Semrush's SEO tool seem futile, like cries into the void. Every word I type, every piece of data I examine, only deepens this feeling of disappointment. Why must optimization and research be so solemn, so desolate? Human connection seems to be slipping away, and I wonder whether anyone
    WWW.SEMRUSH.COM
    How to Research and Analyze AI Overviews with Semrush
    AI Overviews are gaining popularity and impacting SEO campaigns. Learn how to research and track your AI Overview visibility with Semrush’ SEO Toolkit.
    1 Comments 0 Shares
  • Unlocking hidden traffic with Semrush? Sounds like a fairy tale! Who knew that winning SERP features like Featured Snippets and AI Overviews was as easy as pie—no new content required! Just sit back, let the algorithm do the heavy lifting, and watch your competitors pour their heart into creating content while you snatch their spotlight without lifting a finger. Why bother with creativity when you can simply “find and claim” opportunities like an opportunistic raccoon raiding a picnic? So, get ready to embrace your inner SEO magician, because winning at SERP features has never been so… effortless.

    #SEOTips #Semrush #SERPFeatures #DigitalMarketing #ContentMarketing
    WWW.SEMRUSH.COM
    How to Find SERP Feature Opportunities with Semrush
    Unlock hidden traffic by winning SERP features like Featured Snippets and AI Overviews. Find and claim these easy wins using Semrush—no new content needed.
    1 Comments 0 Shares
  • Hey there, fabulous friends!

    Are you ready to take your market research game to the next level? Today, I want to share with you something that can truly transform how you see competition! In this fast-paced world, every entrepreneur and marketer needs to be equipped with the right tools to uncover hidden gems in the market. And guess what? The answer lies in the **14 Best Competitive Intelligence Tools for Market Research**!

    Imagine having the power to peek behind the curtain of your competitors and discover their strategies and tactics! With these amazing tools, you can gather insights that will not only help you understand your market better but also give you the edge you need to soar higher than ever before!

    One standout tool that I absolutely adore is the **Semrush Traffic & Market Toolkit**. It’s like having a secret weapon in your back pocket! This toolkit provides invaluable data about traffic sources, keyword strategies, and much more! Say goodbye to guesswork and hello to informed decisions! Each piece of information you gather brings you one step closer to your goals.

    But that’s not all! Each of the 14 tools has its own unique features that cater to different aspects of competitive intelligence. Whether it's analyzing social media performance, tracking keywords, or monitoring brand mentions, there’s something for everyone! It’s time to embrace the power of knowledge and turn it into your competitive advantage!

    I know that diving into market research might seem daunting, but let me tell you, it’s a thrilling adventure! Every insight you uncover is like finding a treasure map leading you to success! So, don’t shy away from exploring these tools. Embrace them with open arms and watch your business flourish!

    Remember, the only limit to your success is the extent of your imagination and the determination to use the right resources. So gear up, equip yourself with these 14 best competitive intelligence tools, and let’s conquer the market together!

    Let’s lift each other up and share our discoveries! What tools are you excited to try? Drop your thoughts in the comments below! Let’s inspire one another to reach new heights!

    #MarketResearch #CompetitiveIntelligence #BusinessGrowth #Semrush #Inspiration
    The 14 Best Competitive Intelligence Tools for Market Research
    Discover the competition and reveal strategies and tactics of any industry player with these top 14 competitive intelligence tools, including the Semrush Traffic & Market Toolkit.
    1 Comments 0 Shares
  • Ah, "Researching New Markets: A 3-Step Guide". Because who hasn't dreamed of diving headfirst into an ocean of data, armed only with an Excel spreadsheet and an overly strong coffee? Semrush, our digital savior, promises us a foolproof method for analyzing a new market. In three big steps, of course, because two is too simple and four is for amateurs.

    Step one: analysis. Yes, because all it takes is a glance at a few colorful charts to grasp the subtleties of a complex market. Who needs to understand consumer behavior when you have a pretty pie chart? That said, don't forget to put on your analyst glasses, or you might confuse the growth curve with that of your bank account after a slightly too boozy night out.

    Step two: strategy. This is where the real fun begins. Developing a data-driven strategy! What a brilliant idea! But be careful not to get carried away by concepts like "customer needs" or "competition". That would be too boring. Why not focus instead on trendy buzzwords to impress your colleagues at the next meeting? "Synergy", "agility", "disruption"… Words are like spices: a little too much and you risk burning the dish.

    Finally, step three: execution. Here it is, the long-awaited moment when you can finally take action. After spending hours analyzing and planning, now is when you get to see how brilliant your strategy is in theory… and catastrophic in practice. Who would have thought the real world doesn't always bend to the numbers you've been fiddling with? But don't worry, you can always blame "external factors" or the weather.

    In short, this Semrush guide on "researching new markets" is a must for anyone looking to get lost in a maze of numbers and charts. That said, I'm sure your market-detective talents will let you decipher all that jargon. So, onward to the adventure, and don't forget your sense of humor, you'll need it!

    #RechercheDeMarchés #AnalyseDeMarché #StratégieMarketing #Semrush #BusinessIntelligence
    Researching New Markets: A 3-Step Guide
    A comprehensive guide by Semrush helps to analyze a new market in three big steps. Based on best practices and functionalities of the Traffic & Market Toolkit.
    1 Comments 0 Shares
  • Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hard-Coded Credentials

    Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data over HTTP and hard-code secrets in their code, exposing users to privacy and security risks.
    "Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher on Symantec's Security Technology and Response team, said. "By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information, in plaintext."
    The fact that the network traffic is unencrypted also means that it is susceptible to adversary-in-the-middle (AitM) attacks, allowing malicious actors on the same network, such as a public Wi-Fi, to intercept and, even worse, modify this data, which could lead to far more serious consequences.

    The list of identified extensions is below:

    - SEMRush Rank (extension ID: idbhoeaiokcojcgappfigpifhpkjgmab) and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl), which call the URL "rank.trellian[.]com" over plain HTTP
    - Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh), which uses HTTP to call an uninstall URL at "browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com" when a user attempts to uninstall the extension
    - MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl) and MSN Homepage, Bing Search & News (ID: midiombanaceofjhodpdibeppmnamfcj), which transmit a unique machine identifier and other details over HTTP to "g.ceipmsn[.]com"
    - DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc), which constructs an HTTP-based URL request to "stats.itopupdate[.]com" along with information about the extension version, the user's browser language, and usage "type"

    "Although credentials or passwords do not appear to be leaked, the fact that a password manager uses unencrypted requests for telemetry erodes trust in its overall security posture," Guo said.
    Symantec said it also identified another set of extensions with API keys, secrets, and tokens directly embedded in the JavaScript code, which an attacker could weaponize to craft malicious requests and carry out various malicious actions:

    - Online Security & Privacy extension (ID: gomekmidlodglbbmalcneegieacbdmki), AVG Online Security (ID: nbmoafcmbajniiapeidgficgifbfmjfo), Speed Dial [FVD] - New Tab Page, 3D, Sync (ID: llaficoajjainaijghjlofdfmbjpebpa), and SellerSprite - Amazon Research Tool (ID: lnbmbgocenenhhhdojdielgnmeflbnfb), which expose a hard-coded Google Analytics 4 (GA4) API secret that an attacker could use to bombard the GA4 endpoint and corrupt metrics
    - Equatio – Math Made Digital (ID: hjngolefdpdnooamgdldlkjgmdcmcjnc), which embeds a Microsoft Azure API key used for speech recognition that an attacker could use to inflate the developer's costs or exhaust their usage limits
    - Awesome Screen Recorder & Screenshot (ID: nlipoenfbbikpbjkfpfillcgkoblgpmj) and Scrolling Screenshot Tool & Screen Capture (ID: mfpiaehgjbbfednooihadalhehabhcjo), which expose the developer's Amazon Web Services (AWS) access key used to upload screenshots to the developer's S3 bucket
    - Microsoft Editor – Spelling & Grammar Checker (ID: gpaiobkfhnonedkhhfjpmhdalgeoebfa), which exposes a telemetry key named "StatsApiKey" used to log user data for analytics
    - Antidote Connector (ID: lmbopdiikkamfphhgcckcjhojnokgfeo), which incorporates a third-party library called InboxSDK that contains hard-coded credentials, including API keys
    - Watch2Gether (ID: cimpffimgeipdhnhjohpbehjkcdpjolg), which exposes a Tenor GIF search API key
    - Trust Wallet (ID: egjidjbpglichdcondbcbdnbeeppgdph), which exposes an API key associated with the Ramp Network, a Web3 platform that offers wallet developers a way to let users buy or sell crypto directly from the app
    - TravelArrow – Your Virtual Travel Agent (ID: coplmfnphahpcknbchcehdikbdieognn), which exposes a geolocation API key when making queries to "ip-api[.]com"

    Attackers who find these keys could weaponize them to drive up API costs, host illegal content, send spoofed telemetry data, and mimic cryptocurrency transaction orders, some of which could see the developer getting banned.
    Adding to the concern, Antidote Connector is just one of over 90 extensions that use InboxSDK, meaning the other extensions are susceptible to the same problem. The names of the other extensions were not disclosed by Symantec.

    "From GA4 analytics secrets to Azure speech keys, and from AWS S3 credentials to Google-specific tokens, each of these snippets demonstrates how a few lines of code can jeopardize an entire service," Guo said. "The solution: never store sensitive credentials on the client side."
    Developers are recommended to switch to HTTPS whenever they send or receive data, store credentials securely on a backend server using a credentials management service, and regularly rotate secrets to further minimize risk.
    The findings show how even popular extensions with hundreds of thousands of installations can suffer from trivial misconfigurations and security blunders like hard-coded credentials, leaving users' data at risk.
    "Users of these extensions should consider removing them until the developers address the insecure [HTTP] calls," the company said. "The risk is not just theoretical; unencrypted traffic is simple to capture, and the data can be used for profiling, phishing, or other targeted attacks."
    "The overarching lesson is that a large install base or a well-known brand does not necessarily ensure best practices around encryption. Extensions should be scrutinized for the protocols they use and the data they share, to ensure users' information remains truly safe."

    #popular #chrome #extensions #leak #api
    THEHACKERNEWS.COM
    Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hard-Coded Credentials
    Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks.
    0 Comments 0 Shares
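As an added example (not from the article, Symantec's research, or any of the extensions named), here is a small offline audit for an unpacked extension that flags both defect classes the article describes: plaintext http:// endpoints (in code and in manifest host_permissions) and hard-coded secrets such as AWS access key IDs and GA4 api_secret values. Every file, domain and key value below is constructed for illustration, and the generic key/value detector is a heuristic assumption rather than a published rule.

```javascript
// Offline static audit for the two defect classes in the article: telemetry
// sent over plaintext "http://" and API secrets embedded in extension code.
// Constructed sample input below; none of the values are real credentials.

// Detectors. The AWS access-key-ID shape (AKIA + 16 upper-case alphanumerics)
// is documented by AWS; the GA4 Measurement Protocol takes an api_secret query
// parameter. The generic key/value pattern is a heuristic (assumption).
const SECRET_PATTERNS = [
  { kind: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: 'ga4-api-secret', re: /[?&]api_secret=([A-Za-z0-9_-]{8,})/g },
  { kind: 'generic-api-key',
    re: /\b(?:api[_-]?key|StatsApiKey|subscriptionKey)\s*[:=]\s*['"]([^'"]{8,})['"]/gi },
];
const PLAINTEXT_HTTP = /\bhttp:\/\/[^\s'"`)]+/g;

// Keep a finding reviewable without copying the secret itself into a report.
function redact(secret) {
  return secret.slice(0, 4) + '*'.repeat(Math.max(secret.length - 4, 0));
}

// Scan one JavaScript file line by line and return one finding per hit.
function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    for (const m of text.matchAll(PLAINTEXT_HTTP)) {
      findings.push({ file, line, kind: 'plaintext-http', value: m[0] });
    }
    for (const { kind, re } of SECRET_PATTERNS) {
      for (const m of text.matchAll(re)) {
        findings.push({ file, line, kind, value: redact(m[1] || m[0]) });
      }
    }
  });
  return findings;
}

// A host permission for an http:// origin means the extension expects to talk
// to something in plaintext (MV3 host_permissions; MV2 kept them in permissions).
function scanManifest(manifest) {
  const perms = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  return perms
    .filter((p) => typeof p === 'string' && p.startsWith('http://'))
    .map((p) => ({ file: 'manifest.json', line: 0, kind: 'http-host-permission', value: p }));
}

// files: { path -> contents }, as read from an unpacked extension directory.
function auditExtension(files) {
  const findings = [];
  if (files['manifest.json']) findings.push(...scanManifest(JSON.parse(files['manifest.json'])));
  for (const [path, contents] of Object.entries(files)) {
    if (path.endsWith('.js')) findings.push(...scanSource(path, contents));
  }
  return findings;
}

// Count findings per kind, the shape a triage report usually wants first.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed sample mirroring the article's defect classes (not any real extension).
const SAMPLE_EXTENSION = {
  'manifest.json': JSON.stringify({
    manifest_version: 3,
    name: 'Constructed sample extension',
    host_permissions: ['http://telemetry.example/*', 'https://api.example/*'],
  }),
  'background.js': [
    '// uninstall/usage ping over plaintext HTTP',
    "fetch('http://telemetry.example/ping?os=' + navigator.platform);",
    '// GA4 Measurement Protocol secret shipped to every user',
    "const GA = 'https://www.google-analytics.com/mp/collect?measurement_id=G-XXXX&api_secret=EXAMPLESECRET123';",
    '// cloud upload credentials in client code (format only, not a real key)',
    "const uploader = { accessKeyId: 'AKIAEXAMPLEEXAMPLE01', apiKey: 'not-a-real-key-0000' };",
    "fetch('https://api.example/v1/status'); // fine: HTTPS and no embedded secret",
  ].join('\n'),
};

if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditExtension(SAMPLE_EXTENSION);
  for (const f of findings) console.log(`${f.file}:${f.line} ${f.kind} ${f.value}`);
  console.log(summarize(findings));
}
```

Point auditExtension at the real file map of an extension you maintain or are reviewing; a hit on any secret pattern is a rotate-and-move-to-backend item, and an http:// hit is an HTTPS migration item, exactly the two remediations the article lists.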
CGShares https://cgshares.com