[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

WAPI FREE - Jaguar

Version 3.2.307 View in Chrome Web Store

Last scanned: about 6 hours ago

Extension Details

Developer: wapi7.com

Rating: 3.2 ★ (752 ratings)

Users: 100,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a substantial user base of 100,000 users, which indicates some level of adoption. However, the relatively low rating of 3.2 out of 5 stars from 752 reviews suggests user dissatisfaction or potential issues. The developer appears to be associated with wapi7.com, but without additional verification of the company's reputation, this provides limited assurance.

Concerns:

The extension exhibits several concerning characteristics that elevate its risk profile. The broad host permissions are particularly problematic, as they allow access to multiple domains beyond what appears necessary for WhatsApp functionality. The combination of scripting permissions with access to Google Scripts domains creates potential for data exfiltration or malicious code execution. The browsingData permission is especially concerning as it can access sensitive browsing information. The declarativeNetRequest permission could be used to modify or intercept network requests, potentially compromising user privacy or security.

Recommendations:

Given the high-risk nature of this extension, consider running it in a separate Chrome profile to isolate potential security risks from your main browsing environment. Before installation, carefully evaluate whether the extension's functionality justifies the extensive permissions it requests. Monitor the extension's behavior closely and consider alternatives with more limited permission sets. If you must use this extension, avoid accessing sensitive websites or entering confidential information while it's active.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM

Access to Sensitive Domains

This extension requests access to sensitive domains: https://script.google.com/*, https://script.googleusercontent.com/*. Ensure you trust this extension with access to these sites.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

Security Analysis Details

Required Permissions:

scripting
declarativeNetRequest
browsingData
background
activeTab

Host Permissions:

http://web.whatsapp.com/*
https://web.whatsapp.com/*
https://script.google.com/*
https://script.googleusercontent.com/*
https://i.imgur.com/*
https://imgur.com/*
https://*.imgur.com/*
https://wapi7.com/*
https://www.wapi7.com/*

Embedded URLs (44 total):

https://web.whatsapp.com	https://script.google.com/macros/s/AKfycbw1hrX9z350gWezf1aYmDpZvz5VscT3u7Hj2cdXnGbYF3r3utbCRGRiDXsy2r5iF2Cr/exec
https://raw.githubusercontent.com/Iquaridys/hextension/master/123.json	http://www.w3.org/2000/svg
http://www.w3.org/1999/xlink	https://www.whatsapp.com/otp/code/?otp_type=COPY_CODE&code=otp
https://wa.me/c/	https://chat.whatsapp.com/
https://analytics.google.com/g/collect	https://whatsapp.com/channel/
https://cobrancas.uppermesh.com.br:8000	https://wajsapi.titanchat.com.br
https://wppc-linkpreview.cloudtrix.com.br	https://web.whatsapp.com/
http://web.whatsapp.com/	https://script.google.com/
https://script.googleusercontent.com/	https://i.imgur.com/
https://imgur.com/	https://wapi7.com/
https://www.wapi7.com/	https://clients2.google.com/service/update2/crx
https://www.googleapis.com/auth/userinfo.email	https://whatsapp.com/channel/0029VaBaVr6IiRox2zNvTZ0l
https://connect.facebook.net/en_US/fbevents.js	https://www.facebook.com/tr?id=25868147869483018&ev=PageView&noscript=1
http://wa.me/	https://fonts.googleapis.com/css2?family=Open+Sans:wght@600
https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UNirkOX-hpKKSTj5PW.woff2	https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UNirkOVuhpKKSTj5PW.woff2
https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UNirkOXuhpKKSTj5PW.woff2	https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UNirkOUehpKKSTj5PW.woff2
https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UNirkOXehpKKSTj5PW.woff2	https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UNirkOXOhpKKSTj5PW.woff2
https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UNirkOUuhpKKSTjw.woff2	https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN7rgOX-hpKKSTj5PW.woff2
https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN7rgOVuhpKKSTj5PW.woff2	https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN7rgOXuhpKKSTj5PW.woff2
https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN7rgOUehpKKSTj5PW.woff2	https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN7rgOXehpKKSTj5PW.woff2
https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN7rgOXOhpKKSTj5PW.woff2	https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN7rgOUuhpKKSTjw.woff2
https://fontawesome.com	https://fontawesome.com/license/free

Raw Manifest

{
  "name": "WAPI FREE - Jaguar",
  "icons": {
    "16": "imgs/16.png",
    "32": "imgs/32.png",
    "48": "imgs/48.png",
    "128": "imgs/128.png"
  },
  "action": {
    "default_icon": {
      "16": "imgs/16.png",
      "48": "imgs/48.png"
    },
    "default_title": "WAPI FREE - Send personalized messages"
  },
  "author": "creativeOs",
  "oauth2": {
    "scopes": [
      "https://www.googleapis.com/auth/userinfo.email"
    ],
    "client_id": "xxxxxxx"
  },
  "version": "3.2.307",
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Send personalized messages to your clients with our extension .",
  "permissions": [
    "scripting",
    "declarativeNetRequest",
    "browsingData",
    "background",
    "activeTab"
  ],
  "content_scripts": [
    {
      "js": [
        "/js/fgEmojiPicker.js",
        "/js/jquery.js",
        "/smph/app736e75726620636f7270.js",
        "/js/siema.min.js"
      ],
      "css": [
        "/style/mystyle.css",
        "style/0d8fd505a99478275324ed48ae42bfea.css"
      ],
      "matches": [
        "https://web.whatsapp.com/*"
      ]
    }
  ],
  "host_permissions": [
    "http://web.whatsapp.com/*",
    "https://web.whatsapp.com/*",
    "https://script.google.com/*",
    "https://script.googleusercontent.com/*",
    "https://i.imgur.com/*",
    "https://imgur.com/*",
    "https://*.imgur.com/*",
    "https://wapi7.com/*",
    "https://www.wapi7.com/*"
  ],
  "manifest_version": 3,
  "minimum_chrome_version": "88",
  "web_accessible_resources": [
    {
      "matches": [
        "https://web.whatsapp.com/*"
      ],
      "resources": [
        "js/*",
        "imgs/*",
        "smph/*",
        "/image/gear-icon-min.png",
        "/image/*",
        "/style/*",
        "style/fontawesome-5-15-3/css/*",
        "style/fontawesome-5-15-3/js/*",
        "style/fontawesome-5-15-3/webfonts/*"
      ]
    }
  ]
}

by ✦ Astarte