[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

ViiTor Translate - AI Translation & Real-Time Bilingual Subtitles & Free

Version 1.35 View in Chrome Web Store

Last scanned: about 10 hours ago

Extension Details

Developer: https://www.viitor.info/

Rating: 4.0 ★ (262 ratings)

Users: 80,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

The extension has a moderate user base of 80,000 users and a decent 4.0-star rating from 262 reviews, suggesting some level of user satisfaction. However, the developer website (viitor.info) provides limited transparency about the company behind the extension. The translation and subtitle functionality appears legitimate for the stated purpose.

Concerns:

The extension's permission set is extremely broad and concerning for a translation tool. The tabCapture permission allows recording of tab content, which combined with <all_urls> access creates significant privacy risks. The cookies permission enables access to authentication tokens and session data across all websites. The tabs permission allows monitoring and manipulation of all browser tabs. Most critically, the broad content script injection capability means this extension can execute code on every website you visit, potentially capturing passwords, personal information, or financial data. These permissions far exceed what's necessary for basic translation functionality.

Recommendations:

Given the critical risk level, avoid installing this extension on your primary browser profile. If you must use it, create a dedicated Chrome profile specifically for translation tasks and avoid accessing sensitive websites (banking, email, social media) while the extension is active. Consider alternative translation tools with more limited permissions, such as Google Translate's official extension or built-in browser translation features. Monitor your accounts for unusual activity if you've already used this extension.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

tabCapture
activeTab
scripting
storage
offscreen
tabs
background
cookies

Host Permissions:

<all_urls>

Embedded URLs (28 total):

http://www.codrops.com	https://www.opensource.org/licenses/mit-license.php
https://jqueryui.com	https://jqueryui.com/themeroller/?scope=&folderName=base&cornerRadiusShadow=8px&offsetLeftShadow=0px&offsetTopShadow=0px&thicknessShadow=5px&opacityShadow=30&bgImgOpacityShadow=0&bgTextureShadow=flat&bgColorShadow=666666&opacityOverlay=30&bgImgOpacityOverlay=0&bgTextureOverlay=flat&bgColorOverlay=aaaaaa&iconColorError=cc0000&fcError=5f3f3f&borderColorError=f1a899&bgTextureError=flat&bgColorError=fddfdf&iconColorHighlight=777620&fcHighlight=777620&borderColorHighlight=dad55e&bgTextureHighlight=flat&bgColorHighlight=fffa90&iconColorActive=ffffff&fcActive=ffffff&borderColorActive=003eff&bgTextureActive=flat&bgColorActive=007fff&iconColorHover=555555&fcHover=2b2b2b&borderColorHover=cccccc&bgTextureHover=flat&bgColorHover=ededed&iconColorDefault=777777&fcDefault=454545&borderColorDefault=c5c5c5&bgTextureDefault=flat&bgColorDefault=f6f6f6&iconColorContent=444444&fcContent=333333&borderColorContent=dddddd&bgTextureContent=flat&bgColorContent=ffffff&iconColorHeader=444444&fcHeader=333333&borderColorHeader=dddddd&bgTextureHeader=flat&bgColorHeader=e9e9e9&cornerRadius=3px&fwDefault=normal&fsDefault=1em&ffDefault=Arial%2CHelvetica%2Csans-serif
http://modernizr.com/download/#-cssanimations-csstransitions-touch-shiv-cssclasses-prefixed-teststyles-testprop-testallprops-prefixes-domprefixes-load	http://getbootstrap.com/css/#grid
http://www.w3.org/2000/svg	http://www.w3.org/1999/xlink
https://account-api.ilivedata.com/rtvtchrome/gettoken	https://rtvt-cn-app.ilivedata.com/service/account/get_user_info
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd	https://elevenlabs.io/app/dubbing
https://rtvt-cn-app.ilivedata.com/service/chrome/getrtvttoken	https://httpagent.viitor.info/log?pid=0&tag=viitor.client.log&timestamp=
https://rtvt-cn-app.ilivedata.com/feedback/function	https://www.ilivedata.com
https://clients2.google.com/service/update2/crx	http://127.0.0.1:
https://www.viitor.info/	https://viitor-rtvt-test.viitor.info/
https://www.apache.org/licenses/LICENSE-2.0	https://ilivedata.com
https://account-api.ilivedata.com/feedback/chrome_uninstall_en.html	https://account-api.ilivedata.com/feedback/chrome_uninstall_zh.html
https://account-api.ilivedata.com/feedback/user_feedback_zh.html	https://account-api.ilivedata.com/feedback/user_feedback_en.html
https://www.viitor.info/chrome/login?id=	https://www.viitor.info/chrome/member?u=

Raw Manifest

{
  "name": "__MSG_extension_name__",
  "icons": {
    "16": "images/icon16.png",
    "32": "images/icon32.png",
    "48": "images/icon48.png",
    "128": "images/icon128.png"
  },
  "action": {
    "default_icon": "images/logo.png",
    "default_popup": "popup.html"
  },
  "version": "1.35",
  "background": {
    "service_worker": "service-worker.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_extension_description__",
  "permissions": [
    "tabCapture",
    "activeTab",
    "scripting",
    "storage",
    "offscreen",
    "tabs",
    "background",
    "cookies"
  ],
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "thirdParty/jquery-3.7.1.min.js",
        "thirdParty/jquery-ui.min.js",
        "thirdParty/crypto-js.min.js",
        "screen_delay.js"
      ],
      "css": [
        "thirdParty/jquery-ui.min.css",
        "thirdParty/switcher.css",
        "content.css"
      ],
      "run_at": "document_end",
      "matches": [
        "<all_urls>"
      ],
      "all_frames": true
    }
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3,
  "externally_connectable": {
    "matches": [
      "http://localhost:*/*",
      "http://127.0.0.1:*/*",
      "file:///*",
      "https://www.viitor.info/*",
      "https://viitor-rtvt-test.viitor.info/*"
    ],
    "accepts_tls_channel_id": false
  },
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "images/top-log.jpeg",
        "images/donate.png",
        "images/unpaid.png",
        "images/vip.png",
        "thirdParty/msgpack.min.js",
        "thirdParty/int64.min.js",
        "thirdParty/fpnn.min.js",
        "thirdParty/rtvt.sdk.js",
        "worker.js"
      ]
    }
  ]
}

by ✦ Astarte

ViiTor Translate - AI Translation & Real-Time Bilingual Subtitles & Free

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (28 total):

Raw Manifest

Detections

Manifest Findings