[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Flash Master

Version 2.0.0.2 View in Chrome Web Store

Last scanned: about 4 hours ago

Extension Details

Developer: http://monaflashmaster.blogspot.com/

Rating: 3.7 ★ (441 ratings)

Users: 20,000

Context-Aware Verdict

MEDIUM

Overall Risk

Trust Factors: The extension has a moderate user base of 20,000 users and an average rating of 3.7 stars from 441 reviews, suggesting mixed user experiences. However, the developer information is limited to a Blogspot URL, which raises questions about the legitimacy and professionalism of the developer. The lack of a proper company website or verified developer identity is concerning.

Concerns: The extension requests broad permissions including "tabs" and access to all HTTP/HTTPS websites, which is excessive for most legitimate use cases. The tabs permission allows the extension to monitor and manipulate all browser tabs, potentially accessing sensitive information across all websites. The universal host permissions grant access to every website you visit, creating significant privacy and security risks. Additionally, the extension uses the older Manifest V2, which has weaker security protections compared to the current V3 standard.

Recommendations: Given the medium risk level and concerning permission scope, consider running this extension in a separate Chrome profile to isolate it from your main browsing activities. Before installation, carefully evaluate whether the extension's functionality truly requires such broad access to your browsing data. Look for alternative extensions with more limited permissions that can accomplish the same task. If you must use this extension, regularly review your installed extensions and remove it if you notice any suspicious behavior or if you no longer need its functionality.

Findings

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Older Manifest Version

This extension uses Manifest Version 2, which has fewer security restrictions than Manifest V3. Consider using extensions that have upgraded to V3.

Security Analysis Details

Required Permissions:

tabs
http://*/
https://*/

Embedded URLs (18 total):

http://www.texotela.co.uk	http://www.opensource.org/licenses/mit-license.php
http://www.opensource.org/licenses/gpl-license.php	http://www.texotela.co.uk/code/jquery/numeric/
http://javascript.nwbox.com/cursor_position/	http://jquery.com/
http://jquery.org/license	http://sizzlejs.com/
http://developers.facebook.com/docs/reference/plugins/like/	http://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fchrome.google.com%2Fwebstore%2Fdetail%2Fcacfnookefkldifaigjdedpophfjkjeh&amp
http://www.w3.org/1999/xhtml	https://developers.google.com/analytics/devguides/collection/gajs/methods/gaJSApi_gaq
https://ssl.google-analytics.com/ga.js	http://monaFlashMaster.blogspot.com
https://chrome.google.com/webstore	http://getfirebug.com/logging
https://developers.google.com/analytics/devguides/collection/gajs/methods/gaJSApiEventTracking#_gat.GA_EventTracker_._trackEvent	https://clients2.google.com/service/update2/crx

Raw Manifest

{
  "name": "Flash Master",
  "icons": {
    "16": "FlashMaster/images/icon_16x16.png",
    "48": "FlashMaster/images/icon_48x48.png",
    "128": "FlashMaster/images/icon_128x128.png"
  },
  "version": "2.0.0.2",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Open flash file in full screen or download it for offline use",
  "permissions": [
    "tabs",
    "http://*/",
    "https://*/"
  ],
  "browser_action": {
    "default_icon": "FlashMaster/images/icon.png",
    "default_popup": "FlashMaster/main.html"
  },
  "offline_enabled": true,
  "manifest_version": 2
}

by ✦ Astarte