[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Qualified Meeting Booker

Version 0.3.0 View in Chrome Web Store

Last scanned: about 6 hours ago

Extension Details

Developer: Qualified.com, Inc.

Rating: 5.0 ★ (4 ratings)

Users: 435

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension is developed by Qualified.com, Inc., a legitimate company in the business software space, which adds some credibility. However, the extremely low user base of only 435 users and just 4 reviews raises concerns about the extension's maturity and widespread adoption. The perfect 5.0 rating from such a small sample size is not statistically meaningful for assessing reliability.

Concerns:

The extension requests unnecessarily broad permissions for what appears to be a meeting booking tool. The cookies permission combined with access to Gmail and Google Calendar creates significant privacy risks, as it can read and modify authentication cookies and access sensitive email and calendar data. The broad host permissions flag indicates the extension may have wider access than necessary. Access to mail.google.com is particularly concerning as this could allow reading of private emails, which seems excessive for a meeting booking function.

Recommendations:

Given the high risk level, consider running this extension in a separate Chrome profile to isolate potential security impacts. Before installation, verify that Qualified.com actually developed this extension by checking their official website. Consider whether the meeting booking functionality justifies the extensive access to your Google services. Monitor the extension's behavior closely and revoke permissions if any suspicious activity occurs. Alternative meeting booking solutions with more limited permissions may be safer options.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Access to Sensitive Domains

This extension requests access to sensitive domains: *://mail.google.com/*, *://calendar.google.com/*. Ensure you trust this extension with access to these sites.

Security Analysis Details

Required Permissions:

scripting
cookies

Host Permissions:

*://mail.google.com/*
*://calendar.google.com/*
*://*.qualified.com/*

Embedded URLs (72 total):

http://www.example.com	https://docs.sentry.io/platforms/javascript/best-practices/browser-extensions/
https://app.qualified.com	https://2b0718eb2a53f233f9fae529f3c864af@o209747.ingest.us.sentry.io/4508933414780929
https://reactjs.org/docs/error-decoder.html?invariant=	https://fb.me/react-polyfills
http://www.w3.org/1999/xlink	http://www.w3.org/XML/1998/namespace
http://www.w3.org/1999/xhtml	http://www.w3.org/2000/svg
http://www.w3.org/1998/Math/MathML	https://clients2.google.com/service/update2/crx
https://www.inboxsdk.com/	https://www.inboxsdk.com/terms
https://stackoverflow.com/a/46700791	https://mail.google.com/sync
https://bugs.webkit.org/show_bug.cgi?id=16735	https://code.google.com/p/chromium/issues/detail?id=327853
https://mail.google.com	https://mail.google.com/mail/u/0/
https://mail.google.com/mail	https://github.com/MikeMcl/bignumber.js
https://github.com/kefirjs/kefir	https://github.com/kefirjs/kefir/issues/35
https://github.com/kefirjs/kefir/issues/98	https://github.com/kefirjs/kefir/issues/145
https://github.com/kefirjs/kefir/issues/149	https://github.com/kefirjs/kefir/issues/150
http://ecma-international.org/ecma-262/7.0/#sec-samevaluezero	http://ecma-international.org/ecma-262/7.0/#sec-patterns
https://bugs.webkit.org/show_bug.cgi?id=156034	https://github.com/jashkenas/underscore/pull/1247
https://bugs.chromium.org/p/v8/issues/detail?id=90	http://www.ecma-international.org/ecma-262/7.0/#sec-regexp.prototype.tostring
http://ecma-international.org/ecma-262/7.0/#sec-object.prototype.tostring	http://ecma-international.org/ecma-262/7.0/#sec-object.keys
https://mdn.io/Structured_clone_algorithm	https://mths.be/he
https://mathiasbynens.be/notes/ambiguous-ampersands	http://wonko.com/post/html-escaping
http://ecma-international.org/ecma-262/7.0/#sec-tolength	http://www.ecma-international.org/ecma-262/7.0/#sec-ecmascript-language-types
http://ecma-international.org/ecma-262/7.0/#sec-properties-of-the-map-prototype-object	http://www.ecma-international.org/ecma-262/7.0/#sec-tointeger
https://github.com/joyent/node/issues/1707	https://github.com/w3c/webextensions/issues/8
https://groups.google.com/forum/#	https://ssl.gstatic.com/ui/v1/icons/common/x_8px.png
https://api.inboxsdk.com/api/v2/errors	https://api.inboxsdk.com/api/v2/events/oauth
https://pubsub.googleapis.com/v1/projects/mailfoogae/topics/events:publish?key=	https://myaccount.google.
https://github.com/InboxSDK/InboxSDK/issues/1062#issuecomment-1821327292	https://www.inboxsdk.com/register
https://www.gstatic.com/images/icons/material/system_gm/2x/more_vert_black_20dp.png	https://www.inboxsdk.com/docs/#Router
https://people-pa.clients6.google.com/	https://www.inboxsdk.com/docs/#RequiredSetup
https://www.gstatic.com/images/icons/material/system/1x/close_black_24dp.png	https://www.gstatic.com/images/icons/material/system/2x/close_black_24dp.png
https://ssl.gstatic.com/mail/sprites/smartmail-561acb673be75c1d374881a95997fce4.png	https://feross.org
http://jedwatson.github.io/classnames	https://feross.org/opensource
http://fb.me/use-check-prop-types	https://reactjs.org/link/react-polyfills
http://www.apache.org/licenses/LICENSE-2.0	https://github.com/date-fns/date-fns/blob/master/docs/upgradeGuide.md#string-arguments
https://github.com/date-fns/date-fns/blob/master/docs/unicodeTokens.md	https://github.com/styled-components/polished/blob/main/src/internalHelpers/errors.md#
http://dev.apollodata.com/core/fragments.html#unique-names	https://qualified.com

Raw Manifest

{
  "name": "Qualified Meeting Booker",
  "icons": {
    "16": "icon-16.png",
    "32": "icon-32.png",
    "48": "icon-48.png",
    "128": "icon-128.png"
  },
  "version": "0.3.0",
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Frictionless scheduling, from meeting offered to meeting booked.",
  "permissions": [
    "scripting",
    "cookies"
  ],
  "content_scripts": [
    {
      "js": [
        "calendar-content.js"
      ],
      "matches": [
        "*://calendar.google.com/*"
      ]
    },
    {
      "js": [
        "content-scripts/content.js"
      ],
      "css": [
        "content-scripts/content.css"
      ],
      "matches": [
        "*://mail.google.com/*"
      ]
    }
  ],
  "host_permissions": [
    "*://mail.google.com/*",
    "*://calendar.google.com/*",
    "*://*.qualified.com/*"
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "*://mail.google.com/*",
        "*://calendar.google.com/*"
      ],
      "resources": [
        "qualified.svg",
        "pageWorld.js",
        "assets/*"
      ]
    }
  ]
}

by ✦ Astarte

Qualified Meeting Booker

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (72 total):

Raw Manifest

Detections

Manifest Findings