Starting analysis...
Web Signer for Barclays
Version 2.2.1.12 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has 100,000 users, indicating legitimate use within Barclays' ecosystem. However, the extremely low rating of 1.6 out of 5 stars from only 5 reviews raises significant concerns about user satisfaction and potential functionality issues. The lack of visible developer information and last update date makes it difficult to assess ongoing maintenance and support.
The extension requests highly privileged permissions that create substantial security risks. The tabs permission combined with <all_urls> host access allows comprehensive monitoring of all browsing activity. The nativeMessaging permission enables communication with local applications, potentially creating attack vectors beyond the browser. The system.display permission appears unnecessary for a web signing tool. While the content scripts are appropriately scoped to banking and financial domains, the broad host permissions extend far beyond these legitimate targets.
The poor user rating suggests potential reliability or security issues that users have encountered. The combination of powerful permissions with limited transparency about the developer creates additional risk.
Given the high-risk nature but legitimate banking use case, run this extension in a dedicated Chrome profile used exclusively for Barclays banking activities. Avoid using this profile for general browsing. Regularly review the extension's behavior and consider removing it if not actively needed. Contact Barclays IT support to verify this is the official recommended extension and inquire about security best practices for its use.
Security Analysis
Security Analysis Details
Required Permissions:
- tabs
- nativeMessaging
- storage
- unlimitedStorage
- system.display
Host Permissions:
- <all_urls>
Embedded URLs (53 total):
| http://purl.org/dc/elements/1.1/ | http://creativecommons.org/ns# | |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | http://www.w3.org/2000/svg | |
| http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd | http://www.inkscape.org/namespaces/inkscape | |
| http://purl.org/dc/dcmitype/StillImage | http://www.inkscape.org/ | |
| https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/getZoom | https://stackoverflow.com/questions/5010288/how-to-make-a-function-wait-until-a-callback-has-been-called-using-node-js | |
| https://software.barclayscorporate.com/check-version | https://stackoverflow.com/questions/7837456/how-to-compare-arrays-in-javascript | |
| http://crouton.net | http://bl00.net | |
| https://github.com/enepomnyaschih/byte-base64 | http://w3c.github.io/webcomponents/spec/custom/#creating-and-passing-registries | |
| http://www.w3.org/1998/Math/MathML | http://www.w3.org/1999/xhtml | |
| https://www.w3.org/TR/xhtml1/normative.html#strict | https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data- | |
| https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible | http://www.w3.org/TR/xml/#d0e804 | |
| https://github.com/sindresorhus/validate-element-name | https://github.com/cburgmer/rasterizeHTML.js | |
| http://www.github.com/cburgmer/rasterizeHTML.js | https://github.com/cburgmer/rasterizeHTML.js/issues/158 | |
| https://code.google.com/p/chromium/issues/detail?id=294129 | http://www.w3.org/TR/SVG/struct.html#ExternalResourcesRequired | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=925493 | http://pegjs.org/ | |
| https://github.com/cburgmer/inlineresources/issues/3 | https://bugzilla.mozilla.org/show_bug.cgi?id=443978 | |
| http://www.w3.org/1999/xlink | http://stackoverflow.com/questions/9246382/escaping-script-tag-inside-javascript | |
| https://mths.be/punycode | https://mathiasbynens.be/notes/javascript-encoding | |
| http://tools.ietf.org/html/rfc3492#section-3.4 | https://github.com/joyent/node/issues/1707 | |
| http://www.mozilla.org/newlayout/xml/parsererror.xml | https://code.google.com/p/chromium/issues/detail?id=25916 | |
| http://foo.com | http://www.example.com | |
| http://www.w3.org/TR/xml/#NT-Char | https://clients2.google.com/service/update2/crx | |
| https://europe.tradeonlineservices.com/ | https://www.directdebitnetwork.com/ | |
| https://apsportal.co.uk/ | https://developer.mozilla.org/en-US/docs/Learn_web_development/Howto/Web_mechanics/What_is_a_URL | |
| http://biloxi.com/some/path/with/bob.html | http://atlanta.com/path/to/different/alice.html | |
| http://biloxi.com/another/path/somewhere/else/otherfile.html | http://biloxi.com/some/path/with/../relative/to/the/original/yetanotherfile.html | |
| http://biloxi.com/some/path/relative/to/the/original/yetanotherfile.html |
Raw Manifest
{ "name": "Web Signer for Barclays", "icons": { "16": "barclays/assets/img/logo16.png", "48": "barclays/assets/img/logo48.png", "128": "barclays/assets/img/logo128.png" }, "version": "2.2.1.12", "background": { "service_worker": "background.js" }, "options_ui": { "page": "diagTools/diagTools.html", "browser_style": false }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "© Thales Group 2025", "permissions": [ "tabs", "nativeMessaging", "storage", "unlimitedStorage", "system.display" ], "content_scripts": [ { "js": [ "first.js", "externalLibraries/base64.js", "externalLibraries/jquery.js", "externalLibraries/rasterizeHTML.js", "externalLibraries/DOMPurify.js", "app_settings.js", "barclays/custom.js", "modals.js", "utility.js", "multiPageCtrl.js", "certificateTable.js", "customScrollbars.js", "verificationResults.js", "asn1.js", "renderer.js", "version.js", "logger.js", "content.js" ], "css": [ "assets/css/main.css", "barclays/assets/css/barclays.css" ], "run_at": "document_end", "matches": [ "https://europe.tradeonlineservices.com/*", "https://*.barclays.com/*", "https://*.barclays.net/*", "https://*.barclays.intranet/*", "https://*.barclays.co.uk/*", "https://*.barclayswealth.com/*", "https://*.barclayscorp.com/*", "https://*.barcapint.com/*", "https://*.bmap.barclays/*", "https://*.barclays-sepadirect.com/*", "https://*.cashfaccloud.co.uk/*", "https://*.bacs.co.uk/*", "https://*.voca.com/*", "https://*.voca.co.uk/*", "https://*.identrust.com/*", "https://*.paygateservice.com/*", "https://*.iconnect.aptbacs.co.uk/*", "https://*.interbacs.com/*", "https://*.interpayweb.co.uk/*", "https://*.mosaicsoftware.co.uk/*", "https://*.accountis.net/*", "https://*.accountis.lan/*", "https://www.directdebitnetwork.com/*", "https://apsportal.co.uk/*" ], "all_frames": true } ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "barclays/templates/*", "barclays/assets/*", "assets/*" ] } ] }