Extension Details
Developer:
https://capitalone.com/
Rating:
4.6 ★
(6.7K ratings)
Users:
600,000
Context-Aware Verdict
This section provides a Claude-based AI analysis that applies additional context to the risk. Results are not guaranteed to be accurate.
MEDIUM
Overall Risk
Trust Factors:
This extension is developed by Capital One, a major financial institution with a strong reputation. With 600,000 users and a 4.6-star rating from 6,700 reviews, it demonstrates significant user adoption and satisfaction. The extension appears to be Eno, Capital One's virtual assistant for managing finances and credit cards, which explains the need for certain permissions.
Concerns:
The broad host permissions allowing access to all websites (https://*/*, http://*/*) are concerning as they enable the extension to potentially monitor all browsing activity. The tabs permission allows manipulation of browser tabs, and the cookies permission provides access to sensitive authentication data across all sites. While these permissions may be necessary for Eno's functionality (such as detecting shopping opportunities or managing financial transactions), they create significant potential for data collection beyond what users might expect.
The extension's access is appropriately limited to Capital One domains for most functionality, but the universal content script injection raises privacy questions about what data is being collected from non-financial websites.
Recommendations:
Given Capital One's reputation, this extension is likely safe for existing Capital One customers who want to use Eno's features. However, users concerned about privacy should consider running it in a separate Chrome profile to isolate its broad permissions. Review Capital One's privacy policy to understand what browsing data may be collected. Non-Capital One customers should avoid installing this extension as the benefits wouldn't justify the extensive permissions.
Findings
This section provides a detailed analysis of the extension's security posture, without broader context. Assumes worst-case impact.
HIGH
Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.
HIGH
High-Risk Permission: cookies
This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.
HIGH
High-Risk Permission: tabs
This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.
MEDIUM
Access to Sensitive Domains
This extension requests access to sensitive domains: https://*.capitalone.com/*, http://*.capitalone.com/*, https://.capitalone.com/, http://.capitalone.com/, https://*.capitalone.com/, http://*.capitalone.com/. Ensure you trust this extension with access to these sites.
MEDIUM
Medium-Risk Permission: activeTab
This extension has the activeTab permission. Can access the active tab when clicking the extension icon.
MEDIUM
Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.
Security Analysis Details
Required Permissions:
- activeTab
- alarms
- tabs
- storage
- cookies
Host Permissions:
- https://*.capitalone.com/*
- http://*.capitalone.com/*
- https://.capitalone.com/
- http://.capitalone.com/
- https://*.capitalone.com/
- http://*.capitalone.com/
Content Security Policy:
- extension_pages: script-src 'self'; object-src 'self'
Embedded URLs (88 total):
| https://angular.dev/license | http://yuilibrary.com/license/ | |
| http://www.apache.org/licenses/ | http://www.apache.org/licenses/LICENSE-2.0 | |
| http://mozilla.org/MPL/2.0/. | https://angular.io/license | |
| http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd | http://www.w3.org/1999/xhtml | |
| http://www.w3.org/2000/svg | https://jquery.com/ | |
| https://sizzlejs.com/ | https://jquery.org/license | |
| https://js.foundation/ | http://jqueryui.com | |
| http://jquery.org/license | http://api.jqueryui.com/position/ | |
| https://www.capitalone.com/digital/eno/virtual-card-numbers | https://www.amazon.com/cpe/yourpayments/wallet | |
| https://www.bestbuy.com/profile/c/billinginfo/cc | https://www.grubhub.com/account/payment | |
| https://www.united.com/en/us/account/payments | https://www.macys.com/account/wallet | |
| https://www.aa.com/loyalty/profile/preferences | https://www.seamless.com | |
| https://www.seamless.com/account/payment | https://www.chewy.com/app/account/wallet | |
| https://www.zappos.com/payments/new | https://www.lowes.com/mylowes/profile/wallet/creditcards/create | |
| https://secure.wayfair.com/account/manage-payment-options | https://www.groupon.com/mybillingrecords | |
| https://www.airbnb.com/account-settings/payments/payment-methods | https://www.target.com/account/payments/new | |
| https://mzl.la/3adhTHt | http://www.w3.org/1999/xlink | |
| http://www.bohemiancoding.com/sketch | https://g.co/ng/security#xss | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/2000/xmlns/ | |
| http://www.w3.org/1998/Math/MathML | https://verified.capitalone.com/signinhelp.html#/sign-in-help | |
| https://wib.capitalone.com/wib-edge-server/wib | https://wib.capitalone.com/wib-edge-server/token | |
| https://links.capitalone.com | https://ecm.capitalone.com/CardArt/assets/videos/ | |
| https://verified.capitalone.com/sse/mav/ | https://verified.capitalone.com/auth/signin?Product=ENTERPRISE&goto_url=https:%2F%2Fmyaccounts.capitalone.com%2FVirtualCards#/VirtualCards | |
| https://chromewebstore.google.com/detail/eno%C2%AE-from-capital-one%C2%AE/clmkdohmabikagpnhjmgacbclihgmdje/reviews | https://addons.mozilla.org/en-US/firefox/addon/capital-one-eno/ | |
| https://apps.apple.com/us/app/eno-from-capital-one/id1590422864 | https://microsoftedge.microsoft.com/addons/detail/eno%C2%AE-from-capital-one%C2%AE/jkgeppojddflfhbfhjgapbcdnabegmdg?source=sfw | |
| https://myaccounts.capitalone.com/Card/ | https://support.google.com/chrome/answer/95617 | |
| https://chrome.google.com/webstore/detail/eno%C2%AE-from-capital-one%C2%AE/clmkdohmabikagpnhjmgacbclihgmdje/reviews?hl=en | https://verified.capitalone.com/auth/signin?Product=ENTERPRISE&goto_url=https:%2F%2Fmyaccounts.capitalone.com%2FdigitalWalletManager%2Fgpaypush%3FanalyticsTag%3DfromExtension | |
| https://verified.capitalone.com/auth/signin?Product=ENTERPRISE&goto_url=https:%2F%2Fmyaccounts.capitalone.com%2FVirtualCards%3FanalyticsTag%3Dextension_deeplink#/VirtualCards?analyticsTag=extension_deeplink | https://www.ticketmaster.com/member/payment_options | |
| https://www.bestbuy.com/profile/c/billinginfo/cc/add | https://www.spotify.com/us/account/subscription/update | |
| https://clients2.google.com/service/update2/crx | https://.capitalone.com/ | |
| http://.capitalone.com/ | https://wib.capitalone.com/SemanticEngineRules/currentSiteRules | |
| https://wib.capitalone.com/SemanticEngineRules/featureToggles | https://wib.capitalone.com/SemanticEngineRules/ml-model/page/model.json | |
| https://wib.capitalone.com/SemanticEngineRules/ml-model/field/model.json | https://wib.capitalone.com/SemanticEngineRules/ml-model/page/page-tfidf.json | |
| https://wib.capitalone.com/SemanticEngineRules/ml-model/field/fields-tfidf.json | https://verified.capitalone.com/sic-ui/#/signin | |
| https://login1.capitalone.com/loginweb/forgotidm/forgotuser.do | https://login1.capitalone.com/loginweb/forgotidm/forgotpass.do | |
| https://wib.capitalone.com/wib-edge-server | https://wib.capitalone.com/assets/enterprise/js/cp_eno.js | |
| https://ecm.capitalone.com/CardArt/assets/images/ | https://wib.capitalone.com/app-init/sitestatus | |
| https://api.capitalone.com/oauth2/authorize?client_id=22a835dd1466b71dab66c9e5ee3cbcf1&response_type=code&scope=openid&redirect_uri=https://verified.capitalone.com/sign-in/pathfinder | https://verified.capitalone.com | |
| http://developer.yahoo.com/yui/license.html | https://kjur.github.io/jsrsasign/license/ | |
| http://www-cs-students.stanford.edu/~tjw/jsbn/ | https://github.com/bitcoinjs/bitcoinjs-lib |
Page 1 of 2
Raw Manifest
{ "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu028cNZuSZ52TZSkt+YkwcL+iHbz+Lzf2i7/jGTzaT1BPYM8R4poBMhRK219PbZA0oJmPGJrdcbbRONmIHSwPNUb+YE+nI3RRjFEEo9aoJg8Q3YRiS2ANFaWF7SeCxXtg+z09Qp+gIHalFlnx6H+txmGYt9ZHSKKSTaG6C5yTccsmdjBVw3k+FEc8QsAv3wfPQ/6T2oePEZvP+VvjudYylanVZ3IpF0kW7t9uRP9ge9E2cD2x+AmSiSYsPjL1ybBEzwCaVC9sDHPzt/SIMjhNz5upovDIoXpp8op4JobPUXB7JtshlLEzJuD96N4tmHfjUIch8Q+YlX0LD7k/GLTeQIDAQAB", "name": "Eno® from Capital One®", "icons": { "16": "assets/images/app-icon.png", "48": "assets/images/app-icon48.png", "128": "assets/images/app-icon128.png" }, "action": { "default_icon": "assets/images/app-icon.png" }, "version": "5.5.0", "commands": { "_execute_action": { "suggested_key": { "mac": "Command+Shift+E", "linux": "Ctrl+Shift+E", "windows": "Ctrl+Shift+E", "chromeos": "Ctrl+Shift+E" } } }, "background": { "type": "module", "service_worker": "service-worker.min.js" }, "short_name": "Eno® from Capital One®", "update_url": "https://clients2.google.com/service/update2/crx", "description": "Shop more securely through your desktop browser with Eno®, your Capital One® assistant.", "permissions": [ "activeTab", "alarms", "tabs", "storage", "cookies" ], "content_scripts": [ { "css": [ "assets/css/dnd_card.css" ], "matches": [ "https://*/*", "http://*/*" ], "all_frames": true }, { "js": [ "content-scripts.min.js", "cs.min.js", "content-script.js" ], "matches": [ "https://*/*", "http://*/*" ], "all_frames": true }, { "js": [ "sic.js" ], "matches": [ "https://*.capitalone.com/*", "http://*.capitalone.com/*" ], "all_frames": true } ], "host_permissions": [ "https://*.capitalone.com/*", "http://*.capitalone.com/*", "https://.capitalone.com/", "http://.capitalone.com/", "https://*.capitalone.com/", "http://*.capitalone.com/" ], "manifest_version": 3, "externally_connectable": { "matches": [ "*://*.capitalone.com/*" ] }, "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self'" }, "web_accessible_resources": [ { "matches": [ "https://*/*", "http://*/*" ], "resources": [ "assets/*", "index.html", "ccswap.html", "ccswap*.js", "automaton.min.js" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
Loading Secure Annex data...
Unable to load Secure Annex data.
This extension may not yet be analyzed by Secure Annex.
Detections
0Critical
0
High
0
Medium
0
Low
0
Has Verdicts
Yes
Manifest Findings
0Critical
0
High
0
Medium
0
Low
0
Secure Annex analyzed version: -