[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

dark reader - dark mode for Chrome

Version 1.0.7 View in Chrome Web Store

Last scanned: about 23 hours ago

Extension Details

Developer: https://darkreader.net/

Rating: 4.6 ★ (226 ratings)

Users: 60,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors: The extension has a decent user base of 60,000 users and a solid 4.6-star rating from 226 reviews, indicating general user satisfaction. The developer website (darkreader.net) suggests association with the legitimate Dark Reader project, which is a well-known dark mode extension. However, the relatively low download count compared to the official Dark Reader extension (which has millions of users) raises some questions about authenticity.

Concerns: The extension requests extremely broad permissions that are typical for dark mode extensions but create significant security exposure. The combination of tabs permission, universal host permissions, and content script injection across all websites creates a powerful surveillance and data theft capability. While these permissions are technically necessary for a dark mode extension to function across all websites, they also enable the extension to read all web page content, access sensitive data like passwords and personal information, monitor browsing habits, and potentially modify website behavior maliciously.

Recommendations: Given the high-risk permission set, consider using the official Dark Reader extension instead, which has a much larger user base and established reputation. If you choose to use this extension, install it in a separate Chrome profile dedicated to non-sensitive browsing activities. Avoid using it while accessing banking, email, or other sensitive websites. Monitor your browsing behavior for any unusual activity and be prepared to remove the extension if you notice suspicious behavior.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

storage
tabs

Host Permissions:

<all_urls>

Embedded URLs (113 total):

http://www.w3.org/2000/svg	http://www.w3.org/1999/xlink
https://github.com/Pixabay/jQuery-tagEditor	http://code.accursoft.com/caret
http://www.w3.org/1998/Math/MathML	https://chrome.google.com
https://darkreader.net/contact.html	https://darkreader.net/how-it-works.html
http://feross.org	https://feross.org/opensource
https://addons.mozilla.org/	https://chrome.google.com/webstore
https://microsoftedge.microsoft.com/addons	https://google.com/
https://www.gstatic.com/images/branding/googlelogo	https://www.hcaptcha.com/
https://images.squarespace-cdn.com	https://allmacworld.com/blocs-free-download/
https://allmacworld.com/waves-v11-complete-download-free/	https://allmacworld.com/3dequalizer-4-for-mac-free-download/
https://allmacworld.com/sylenth1-for-mac-free-download/	https://allmacworld.com/synapse-audio-legend-free-download/
https://github.githubassets.com/favicon.ico	https://latexmath.bolo-app.com/render/
https://www.bankier.pl/	https://cdn.blahdns.com/logo.png
https://cdn.blahdns.com/kofi4.png	https://www.mozilla.org/
https://donate.mozilla.org/	https://s3.castbox.fm/webstatic/images/userIcon.06c408dc.png
https://cppm3144.itdhosting.de/niku/ui/uitk/images/odf.png	https://dej.rae.es
https://duckduckgo.com/assets/icons/thirdparty/wikipedia.svg	https://duckduckgo.com/assets/logo_homepage.alt.v108.svg
https://duckduckgo.com/assets/logo_header.alt.v108.svg	https://imgv3.fotor.com/images/background/background-image.png
https://github.com	https://github.blog/wp-content/uploads/2019/03/BlogHeaders_Aligned_CHANGELOG
https://i0.wp.com/user-images.githubusercontent.com/	https://i1.wp.com/user-images.githubusercontent.com/
https://i2.wp.com/user-images.githubusercontent.com/	https://github.githubassets.com/images/modules/site/icons/footer/github-logo.svg
https://github.githubassets.com/images/modules/site/home/community-sponsor-	https://github.githubassets.com/images/modules/site/home/community-readme-
https://github.githubassets.com/images/modules/site/home/community-discussions-	https://github.githubassets.com/images/modules/site/home/dependabot-merge.png
https://github.githubassets.com/images/modules/site/home/dependabot-pr.png	https://github.githubassets.com/images/modules/site/home/gh-desktop.png
https://github.githubassets.com/images/modules/site/home/pr-merge.png	https://github.githubassets.com/images/modules/site/home/pr-comment.png
https://github.githubassets.com/images/modules/site/home/pr-description.png	https://github.githubassets.com/images/modules/site/home/pr-screen.png
https://github.githubassets.com/images/modules/site/home/enterprise-city-w-logos.jpg	https://github.githubassets.com/images/modules/site/codespaces/codespaces-icon.png
https://github.githubassets.com/images/modules/site/codespaces/dependency-rust.png	https://github.githubassets.com/images/modules/site/codespaces/dependency-3.png
https://github.githubassets.com/images/modules/site/codespaces/dependencies-	https://github.githubassets.com/images/modules/site/codespaces/commit-3.png
https://github.githubassets.com/images/modules/site/codespaces/extensions-1.png	https://github.githubassets.com/images/modules/site/codespaces/extensions-2.png
https://github.githubassets.com/images/modules/site/codespaces/commit-workflow.png	https://github.githubassets.com/images/modules/site/codespaces/workflow-view.png
https://github.githubassets.com/images/modules/site/codespaces/code.png	https://github.githubassets.com/images/email/explore/explore-gradient-icon.png
https://raw.githubusercontent.com/github/explore/80688e429a7d4ef2fca1e82350fe8e3517d3494d/collections/learn-to-code/learn-to-code.png	https://apps.apple.com/app/
https://hypothes.is	https://www.jpl.nasa.gov/assets/images/logo_nasa_trio_white@2x.png
https://postlight.com/	https://www.minecraftskins.com/bundles/app/images/mask.png
https://bi.im-g.pl/im/0/24525/m24525630.png	https://staticz.novelgames.com/style/default/common_e.5.png
https://staticz.novelgames.com/style/default/common.8.png	https://docs.google.com
https://forms.gle	https://pch24.pl
https://www.gstatic.com/android/market_images/web/play_prism_hlock_2x.png	http://www.emcdda.europa.eu/about
http://www.scp-wiki.net/local--files/component:theme/body_bg.png	https://static.senscritique.com/img/layout/icons/chevrons/chevron-size3.png?201710121789416

Page 1 of 2

Raw Manifest

{
  "name": "__MSG_name__",
  "icons": {
    "32": "assets/static/32.png",
    "64": "assets/static/64.png",
    "128": "assets/static/128.png"
  },
  "action": {
    "default_title": "__MSG_title__"
  },
  "version": "1.0.7",
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_desc__",
  "permissions": [
    "storage",
    "tabs"
  ],
  "options_page": "./options.html",
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "control-panel.js",
        "dark-mode-content.js"
      ],
      "css": [
        "assets/style-injector.css"
      ],
      "run_at": "document_start",
      "matches": [
        "<all_urls>"
      ]
    }
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "static/*",
        "assets/*.svg",
        "assets/*.png",
        "assets/*.css",
        "assets/*.otf"
      ]
    }
  ]
}

by ✦ Astarte

dark reader - dark mode for Chrome

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (113 total):

Raw Manifest

Detections

Manifest Findings