CRXaminer

Passbolt - Open source password manager

Version 5.12.2

Last scanned: about 18 hours ago

Extension Details

Rating: 4.1 ★ (98 ratings)
Users: 400,000

Context-Aware Verdict

Overall Risk: HIGH
Trust Factors: Passbolt is a legitimate open-source password manager with 400,000 users and a 4.1-star rating. The open-source nature allows for code transparency and community scrutiny, which increases trustworthiness. The company has an established reputation in the password management space.
Concerns: While the extensive permissions are typical for password managers, they create significant attack surface. The broad host permissions (*://*/*) allow access to all websites, which is necessary for password autofill but creates privacy risks. The combination of tabs, cookies, downloads, and clipboard permissions could be exploited if the extension were compromised. The unlimited storage permission, while needed for password databases, could potentially be misused for data collection.

The critical risk rating appears inflated given the extension's legitimate purpose - most permissions are functionally necessary for a password manager to operate effectively. However, the broad scope of access does create genuine security considerations.

Recommendations: Consider running this extension in a dedicated Chrome profile for sensitive accounts. Regularly review which websites you've granted the extension access to. Monitor for unusual download activity or clipboard behavior. Keep the extension updated to ensure security patches are applied. Given Passbolt's open-source nature, you could review their code repository for additional confidence. The risk is manageable for users who need a password manager and understand the necessary trade-offs.

Findings

[HIGH] Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

[HIGH] High-Risk Permission: clipboardWrite
This extension has the clipboardWrite permission. Can modify clipboard content. This could potentially be used maliciously to compromise security or privacy.

[HIGH] High-Risk Permission: cookies
This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

[HIGH] High-Risk Permission: downloads
This extension has the downloads permission. Can download files and access download history. This could potentially be used maliciously to compromise security or privacy.

[HIGH] High-Risk Permission: tabs
This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

[MEDIUM] Medium-Risk Permission: activeTab
This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

[MEDIUM] Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.

[MEDIUM] Medium-Risk Permission: unlimitedStorage
This extension has the unlimitedStorage permission. Can store unlimited data locally.