[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Teamleader Integrations

Version 4.0.15 View in Chrome Web Store

Last scanned: about 14 hours ago

Extension Details

Rating: 3.4 ★ (34 ratings)

Users: 10,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a moderate user base of 10,000 users, which provides some validation through adoption. However, the relatively low rating of 3.4 out of 5 stars from 34 reviews suggests user dissatisfaction or potential issues. The lack of clear developer information raises transparency concerns, making it difficult to assess the company's reputation or accountability.

Concerns:

The extension requests highly sensitive permissions that seem excessive for a typical business integration tool. The management permission allows control over other extensions, which is rarely necessary for CRM integrations. The identity permission provides access to personal identity information, creating significant privacy risks. The broad host permissions, while targeting specific business platforms (LinkedIn, Gmail, Teamleader), still represent a wide attack surface. The combination of these powerful permissions creates potential for data harvesting, account compromise, or malicious extension management.

Recommendations:

Given the high-risk permission combination, consider running this extension in a separate Chrome profile dedicated to business activities only. Verify the extension's legitimacy through Teamleader's official website or support channels before installation. Regularly review the extension's activity and consider alternatives with more limited permissions. Monitor your accounts on the permitted domains for any unusual activity. If the extension's functionality doesn't clearly require all these permissions, consider uninstalling it until the developer provides better justification for the permission scope.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: identity

This extension has the identity permission. Can access your identity information. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: management

This extension has the management permission. Can manage other extensions. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Access to Sensitive Domains

This extension requests access to sensitive domains: https://www.linkedin.com/*, https://mail.google.com/*. Ensure you trust this extension with access to these sites.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

scripting
management
identity
storage

Host Permissions:

https://www.linkedin.com/*
https://mail.google.com/*
https://focus.teamleader.eu/*
https://auth.focus.teamleader.eu/*

Embedded URLs (27 total):

http://jedwatson.github.io/classnames	https://static.focus.teamleader.eu/fonts/Inter.var.woff2
https://clients2.google.com/service/update2/crx	https://www.linkedin.com/
https://mail.google.com/	https://focus.teamleader.eu/
https://auth.focus.teamleader.eu/	http://www.w3.org/2000/svg
https://focus.teamleader.eu/oauth2/authorize?prompt=login&client_id=	https://focus.teamleader.eu/oauth2/access_token
https://api.teamleader.eu	https://reactjs.org/docs/error-decoder.html?invariant=
http://www.w3.org/1999/xlink	http://www.w3.org/XML/1998/namespace
http://www.w3.org/1998/Math/MathML	http://www.w3.org/1999/xhtml
https://focus.teamleader.eu	https://api.focus.teamleader.eu
https://focus.teamleader.eu/task_detail.php?id=	https://focus.teamleader.eu/ticket_detail.php?id=
https://www.linkedin.com/voyager/api	https://www.linkedin.com/in/
https://focus.teamleader.eu/chrome-extension-api/linkedinInit.php	https://focus.teamleader.eu/contact_detail.php?id=
https://focus.teamleader.eu/company_detail.php?id=	https://mail.google.com
https://linkedin.com

Raw Manifest

{
  "name": "Teamleader Integrations",
  "icons": {
    "16": "static/icon16.png",
    "32": "static/icon32.png",
    "48": "static/icon48.png",
    "128": "static/icon128.png"
  },
  "action": {
    "default_icon": {
      "16": "static/icon16.png",
      "24": "static/icon24.png",
      "32": "static/icon32.png"
    }
  },
  "version": "4.0.15",
  "background": {
    "service_worker": "serviceWorker.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "This extension implements Teamleader functionality into other services such as Gmail and LinkedIn.",
  "permissions": [
    "scripting",
    "management",
    "identity",
    "storage"
  ],
  "options_page": "settings.html",
  "host_permissions": [
    "https://www.linkedin.com/*",
    "https://mail.google.com/*",
    "https://focus.teamleader.eu/*",
    "https://auth.focus.teamleader.eu/*"
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "https://www.linkedin.com/*",
        "https://mail.google.com/*"
      ],
      "resources": [
        "static/*",
        "gmailGlobals.js"
      ]
    }
  ]
}

by ✦ Astarte

Teamleader Integrations

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (27 total):

Raw Manifest

Detections

Manifest Findings