The extension is developed by The Listening App Inc., which appears to be a legitimate company based on the professional domain names in the CSP. However, with only 2,000 users and 21 ratings, it has a relatively small user base. The 3.9-star rating suggests mixed user experiences. The extension connects to multiple legitimate services including Google APIs and AWS S3 buckets for text-to-speech functionality, indicating a genuine audio/reading service.
The combination of broad content script injection across all websites (`*://*/*`) with the `tabs` permission creates significant privacy and security risks. The extension can access and potentially modify content on every website you visit, read sensitive information like passwords or personal data, and manipulate browser tabs. While the `storage` and `activeTab` permissions are reasonable for a listening/audio service, the `tabs` permission seems excessive unless the extension needs to manage multiple tabs for its functionality. The `contextMenus` permission, while medium-risk, adds another attack vector.
Given the high-risk permissions and broad website access, consider running this extension in a separate Chrome profile dedicated to non-sensitive browsing. Avoid using it while accessing banking, email, or other sensitive websites. Monitor the extension's behavior and disable it when not actively needed. Consider whether the functionality truly requires such extensive permissions, and look for alternative text-to-speech extensions with more limited permissions if available.
```json
{
  "name": "Listening.com",
  "icons": {
    "16": "icon-16.png",
    "32": "icon-32.png",
    "48": "icon-48.png",
    "96": "icon-96.png",
    "128": "icon-128.png"
  },
  "action": {
    "default_popup": "popup.html",
    "default_title": "Listening.com"
  },
  "version": "1.1.16",
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Save time by listening to papers anywhere.",
  "permissions": [
    "storage",
    "activeTab",
    "offscreen",
    "contextMenus",
    "tabs"
  ],
  "content_scripts": [
    {
      "js": [
        "content-scripts/content.js"
      ],
      "matches": [
        "*://*/*"
      ]
    }
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'; connect-src 'self' https://apis.google.com https://www.gstatic.com https://www.googleapis.com https://securetoken.googleapis.com https://prod.listening.io https://www.listening.com https://listening-development-tts-cache.s3.amazonaws.com https://listening-staging-tts-cache.s3.amazonaws.com https://listening-production-tts-cache.s3.amazonaws.com;"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "*://*/*"
      ],
      "resources": [
        "imgs/**/*"
      ]
    },
    {
      "matches": [
        "*://*/*"
      ],
      "resources": [
        "content-scripts/content.css"
      ],
      "use_dynamic_url": true
    }
  ]
}
```