[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

myViewBoard extension

Version 2.27.2 View in Chrome Web Store

Last scanned: about 6 hours ago

Extension Details

Developer: myviewboard.com

Rating: 4.2 ★ (5 ratings)

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

The extension comes from myviewboard.com, which appears to be a legitimate educational technology company. However, the extension has very limited user adoption with only 5 ratings and a 4.2-star rating, indicating minimal community validation. The lack of visible user count and recent update information raises additional concerns about maintenance and popularity.

Concerns:

The extension exhibits several alarming security characteristics that justify the critical risk rating. The combination of identity, tabs, and all_urls permissions creates an extremely powerful access profile that far exceeds what most legitimate extensions require. The ability to inject content scripts into every website visited, coupled with unsafe-eval in the CSP, creates significant attack vectors. The broad permissions allow the extension to access personal identity information, manipulate browser tabs, and interact with all websites without restriction. The use of the older Manifest V2 framework provides fewer security protections than modern alternatives.

Recommendations:

Given the critical risk level, avoid installing this extension unless absolutely necessary for work or educational purposes. If required, run it in a completely isolated Chrome profile with no access to personal accounts, banking sites, or sensitive information. Regularly audit what data the extension might be accessing and consider alternative solutions. Monitor for any suspicious browser behavior and remove immediately if concerns arise. Contact the developer to inquire about security practices and future Manifest V3 migration plans.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

High-Risk Permission: <all_urls>

This extension has the <all_urls> permission. Can access all websites and their content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: identity

This extension has the identity permission. Can access your identity information. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

Unsafe JavaScript Evaluation

This extension's Content Security Policy allows 'unsafe-eval', which permits dynamic JavaScript code execution using eval() and similar functions. This is a significant security risk as it could allow execution of malicious code.

MEDIUM

Older Manifest Version

This extension uses Manifest Version 2, which has fewer security restrictions than Manifest V3. Consider using extensions that have upgraded to V3.

Security Analysis Details

Required Permissions:

identity
tabs
<all_urls>

Content Security Policy:

script-src https://js.monitor.azure.com https://*.google.com https://*.gstatic.com https://ssl.google-analytics.com 'self' 'unsafe-eval' 'sha256-QgdblxjNFRYHNnQR+3dKzeSO5C8/NSgNC7ShNjbjvos=' 'sha256-0Qu/uZ0lxLtX/6ipc3REDULZOZGPbl4S9ZS3/Kq3kmQ=' 'sha256-nDL7kkG+omqENx1tftiec4SstEZV682vArOgSffGKng=' ; object-src 'self'

Embedded URLs (335 total):

http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd	http://www.w3.org/2000/svg
http://www.w3.org/1999/xhtml	http://www.w3.org/1999/xlink
http://www.w3.org/XML/1998/namespace	http://www.w3.org/2000/xmlns/
http://g.co/ng/security#xss	https://angular.io/docs/ts/latest/api/common/index/NgFor-directive.html#
https://ssi.myviewboard.com	https://myviewboard.com
https://favicon.myviewboard.com/api/grab/	https://dl.myviewboard.com/latest?
https://www.google.com/recaptcha/api.js?render=6Ld3ovMUAAAAAP5gJkmSiATpq6ACB6O44MFE1S_S	https://myviewboard.com/static/canvas/scratch.html
https://stage.myviewboard.com/static/canvas/scratch.html	https://rss.myviewboard.com/feed/fi_myviewboard
https://go.microsoft.com/fwlink/?linkid=2128109	https://js.monitor.azure.com/scripts/b/ai.2.min.js
http://opensource.org/licenses/MIT	https://openjsf.org/
http://underscorejs.org/	https://github.com/lodash/lodash
http://creativecommons.org/publicdomain/zero/1.0/	https://clients2.google.com/service/update2/crx
https://js.monitor.azure.com	https://ssl.google-analytics.com
https://www.googleapis.com/auth/drive	https://www.googleapis.com/auth/admin.directory.domain.readonly
http://fontawesome.io	http://fontawesome.io/license
https://getbootstrap.com	https://github.com/twbs/bootstrap/blob/master/LICENSE
https://compass-ssl.microsoft.com/assets/bc/84/bc84e95b-76b9-4b24-ad5f-9748a2d75b1b.svg?n=microsoft_account_logo_color.svg	https://developer.chrome.com/docs/extensions/mv2/content_scripts/
https://toneoz.com/	https://sdk.amazonaws.com/js/aws-sdk-2.3.7.min.js
http://ssi.myviewboard.com/api/account/active/?key=IobHJ6c8468Se1PjAxTSt2n4fUjxB0sDm2WKpHmZThHVs+WnHkG/&amp	https://www.google.com/url?hl=zh-TW&amp
http://ssi.myviewboard.com/api/account/active/?key%3DIobHJ6c8468Se1PjAxTSt2n4fUjxB0sDm2WKpHmZThHVs%2BWnHkG/%26value%3D9EW1LRbiUea8Undj6DPeyuJN3QhoLcL6KQ%3D%3D&amp	http://ssi.myviewboard.com/
http://jedwatson.github.io/classnames	https://github.com/cssinjs/jss
http://fb.me/prop-types-in-prod	https://www.w3.org/TR/WCAG20-TECHS/G17.html#G17-tests
https://github.com/facebook/react/issues/14099#issuecomment-440013892	https://material.google.com/motion/duration-easing.html#duration-easing-natural-easing-curves
https://material.io/guidelines/motion/duration-easing.html#duration-easing-common-durations	https://www.wolframalpha.com/input/?i=
https://github.com/WICG/focus-visible/blob/v4.1.5/src/focus-visible.js	https://github.com/bgrins/TinyColor
https://github.com/neilbartlett/color-temperature	https://www.w3.org/TR/css3-values/#integers
http://www.w3.org/TR/css3-values/#number-value	https://dev.to/maurobringolf/a-neat-trick-to-compute-modulo-of-negative-numbers-111e
https://stackoverflow.com/questions/19742805/angular-and-svg-filters/19753427#19753427	https://github.com/jaames/iro.js/issues/18
https://github.com/jaames/iro.js/issues/45	https://github.com/jaames/iro.js/pull/89
https://github.com/jaames/iro.js/issues/126	https://github.com/preactjs/preact/issues/2113#issuecomment-553408767
https://medium.com/@WebReflection/dom-handleevent-a-cross-platform-standard-since-year-2000-5bf17287fd38	https://gist.github.com/rogozhnikoff/a43cfed27c41e4e68cdc
https://fb.me/react-controlled-components	https://bugs.chromium.org/p/v8/issues/detail?id=4118
https://bugs.chromium.org/p/v8/issues/detail?id=3056	https://github.com/mzabriskie/react-draggable/pull/254
https://github.com/mzabriskie/react-draggable/issues/266	https://github.com/FezVrasta/popper.js/issues/373
https://github.com/FezVrasta/popper.js/pull/715	https://github.com/twbs/bootstrap/blob/1d6e3710dd447de1a200f29e8fa521f8a0908f70/scss/_functions.scss#L59
https://github.com/material-components/material-components-web/blob/ac46b8863c4dab9fc22c4c662dc6bd1b65dd652f/packages/mdc-theme/_functions.scss#L54	https://www.w3.org/TR/2008/REC-WCAG20-20081211/#visual-audio-contrast-contrast
https://material.io/design/typography/the-type-system.html	https://material.io/design/typography/understanding-typography.html
https://meyerweb.com/eric/thoughts/2006/02/08/unitless-line-heights/	https://github.com/material-components/material-components-web/blob/be8747f94574669cb5e7add1a7c54fa41a89cec7/packages/mdc-elevation/_variables.scss
https://material.io/design/layout/understanding-layout.html#usage	https://github.com/mui-org/material-ui/tree/master/packages/material-ui-codemod/README.md#theme-spacing-api
https://material-ui.com/r/pseudo-classes-guide	https://babeljs.io/docs/en/babel-plugin-transform-template-literals#loose

Page 1 of 5

Raw Manifest

{
  "name": "myViewBoard extension",
  "icons": {
    "16": "16x16.png",
    "48": "48x48.png",
    "96": "96x96.png"
  },
  "oauth2": {
    "scopes": [
      "openid",
      "email",
      "https://www.googleapis.com/auth/drive",
      "https://www.googleapis.com/auth/admin.directory.domain.readonly"
    ],
    "client_id": "11040883588-duufkdrc4d0i2d8rumkoi7ul8rm03k57.apps.googleusercontent.com"
  },
  "version": "2.27.2",
  "background": {
    "scripts": [
      "background-script.js"
    ],
    "persistent": true
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "myViewBoard.com in a Google Chrome extension",
  "permissions": [
    "identity",
    "tabs",
    "<all_urls>"
  ],
  "browser_action": {
    "default_icon": "icon.png",
    "default_popup": "popup.html"
  },
  "content_scripts": [
    {
      "js": [
        "content-script.js"
      ],
      "matches": [
        "<all_urls>"
      ]
    }
  ],
  "manifest_version": 2,
  "externally_connectable": {
    "matches": [
      "*://*.myviewboard.com/*",
      "*://myviewboard.com/*",
      "http://localhost:4200/*"
    ]
  },
  "content_security_policy": "script-src https://js.monitor.azure.com  https://*.google.com https://*.gstatic.com https://ssl.google-analytics.com 'self' 'unsafe-eval' 'sha256-QgdblxjNFRYHNnQR+3dKzeSO5C8/NSgNC7ShNjbjvos=' 'sha256-0Qu/uZ0lxLtX/6ipc3REDULZOZGPbl4S9ZS3/Kq3kmQ=' 'sha256-nDL7kkG+omqENx1tftiec4SstEZV682vArOgSffGKng=' ; object-src 'self'",
  "web_accessible_resources": [
    "icon.png",
    "favicon.ico",
    "assets/extension/react-web-marker/index.html"
  ]
}

by ✦ Astarte

myViewBoard extension

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Content Security Policy:

Embedded URLs (335 total):

Raw Manifest

Detections

Manifest Findings