Extension Details
Context-Aware Verdict
The extension has a solid user base of 400,000 users and maintains a good rating of 4.4 stars from 789 reviews, indicating general user satisfaction. The developer operates under a dedicated domain (fakefiller.com) which suggests some level of commitment to the product. The extension's purpose - filling forms with fake data for testing - is legitimate and commonly needed by developers and testers.
The primary concern is the broad content script injection capability across all URLs, which grants extensive access to read and modify any website content. While the contextMenus, activeTab, and storage permissions are reasonable for a form-filling tool, the combination with universal script injection creates potential for data harvesting or credential theft. The extension could theoretically capture sensitive information from banking sites, email platforms, or other confidential web applications, even though this may not be its intended purpose.
Consider running this extension in a separate Chrome profile dedicated to development and testing activities, keeping it isolated from your primary browsing profile where you access sensitive accounts. Only enable the extension when actively needed for form testing. Regularly review what data the extension might be storing locally. If you frequently work with sensitive or production websites, consider using alternative form-filling methods that don't require such broad permissions, or temporarily disable the extension when not actively testing forms.
Findings
Security Analysis Details
Required Permissions:
- contextMenus
- activeTab
- storage
- scripting
Embedded URLs (45 total):
| https://github.com/FakeFiller/fake-filler-extension/wiki/Keyboard-Shortcuts | http://momentjs.com/docs/#/displaying/format/ | |
| http://fent.github.io/randexp.js/ | http://www.w3.org/2000/svg | |
| https://mths.be/cssesc | http://momentjs.com/guides/#/warnings/define-locale/ | |
| http://momentjs.com/guides/#/warnings/js-date/ | http://momentjs.com/guides/#/warnings/min-max/ | |
| http://momentjs.com/guides/#/warnings/add-inverted-param/ | http://momentjs.com/guides/#/warnings/zone/ | |
| http://momentjs.com/guides/#/warnings/dst-shifted/ | https://github.com/uuidjs/uuid#getrandomvalues-not-supported | |
| http://www.apache.org/licenses/LICENSE-2.0 | https://securetoken.google.com/ | |
| https://reactjs.org/docs/error-decoder.html?invariant= | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/1999/xhtml | https://bit.ly/3cXEKWf | |
| http://fb.me/use-check-prop-types | https://github.com/FakeFiller/fake-filler-extension/pull/131 | |
| https://fakefiller.com | https://github.com/FakeFiller/fake-filler-extension/pull/113 | |
| https://github.com/FakeFiller/fake-filler-extension/pull/102 | https://github.com/FakeFiller/fake-filler-extension/pull/71 | |
| https://github.com/FakeFiller/fake-filler-extension/pull/66 | https://github.com/FakeFiller/fake-filler-extension/pull/54 | |
| https://github.com/rowthan | https://github.com/FakeFiller/fake-filler-extension/pull/33 | |
| https://github.com/FakeFiller/fake-filler-extension/pull/25 | https://github.com/FakeFiller/fake-filler-extension/pull/11 | |
| https://github.com/FakeFiller/fake-filler-extension/pull/18 | https://github.com/FakeFiller/fake-filler-extension/pull/20 | |
| https://github.com/FakeFiller/fake-filler-extension/pull/10 | https://github.com/FakeFiller/fake-filler-extension/pull/5 | |
| https://github.com/focus-trap/tabbable/blob/master/LICENSE | https://fakefiller.com/#pricing | |
| https://github.com/FakeFiller/fake-filler-extension/wiki/Customization-using-Custom-Fields-and-Profiles | https://fakefiller.com/privacy | |
| http://fakefiller.com/account/ | https://github.com/FakeFiller/fake-filler-extension/wiki | |
| https://github.com/FakeFiller/fake-filler-extension/issues | https://redux.js.org/Errors?code= | |
| https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "name": "Fake Filler", "icons": { "16": "images/icon-16.png", "32": "images/icon-32.png", "48": "images/icon-48.png", "64": "images/icon-64.png", "96": "images/icon-96.png", "128": "images/icon-128.png" }, "action": { "default_icon": { "16": "images/icon-16.png", "32": "images/icon-32.png", "48": "images/icon-48.png", "64": "images/icon-64.png", "96": "images/icon-96.png", "128": "images/icon-128.png" }, "default_title": "Fill All Inputs with Dummy Data" }, "version": "4.1.0", "commands": { "fill_this_form": { "description": "Fill this form" }, "fill_all_inputs": { "description": "Fill all inputs" }, "fill_this_input": { "description": "Fill this input" } }, "background": { "type": "module", "service_worker": "src/service-worker.js" }, "options_ui": { "page": "index.html", "open_in_tab": true }, "short_name": "Fake Filler", "update_url": "https://clients2.google.com/service/update2/crx", "description": "A form filler that fills all inputs on a page with fake/dummy data.", "permissions": [ "contextMenus", "activeTab", "storage", "scripting" ], "default_locale": "en", "content_scripts": [ { "js": [ "src/content-script.js" ], "matches": [ "<all_urls>" ], "all_frames": true } ], "manifest_version": 3 }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.