Extension Details
Context-Aware Verdict
The extension has a modest user base of 3,000 downloads with a below-average rating of 3.6 stars from 114 reviews, suggesting mixed user satisfaction. The lack of developer information and company details raises transparency concerns. The extension's purpose as a volume controller appears legitimate, but the implementation raises security questions.
The extension requests excessive permissions for its stated purpose. While volume control might justify some tab access, the tabs permission allows full browser tab manipulation beyond what's necessary. The broad content script injection across all websites (http, https, and local files) creates significant attack surface - a volume controller shouldn't need to inject scripts into every website you visit. The combination of tabs permission with universal content script access creates potential for data harvesting, credential theft, or malicious website modification. Using the older Manifest V2 provides fewer security safeguards compared to modern extensions.
Consider running this extension in a separate Chrome profile to isolate potential risks from your main browsing activity. Look for alternative volume control extensions with more restrictive permissions and better ratings. If you must use this extension, regularly monitor your browser behavior for unexpected changes and avoid using it while accessing sensitive websites like banking or email services.
Findings
Security Analysis Details
Required Permissions:
- activeTab
- storage
- tabs
Embedded URLs (17 total):
| http://www.w3.org/2000/svg | http://www.w3.org/1999/xlink | |
| http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd | https://clients2.google.com/service/update2/crx | |
| http://www.voot.com/ | https://en.wikipedia.org/wiki/Same-origin_policy | |
| http://rajugt.github.io/ | http://www.freepik.com | |
| http://www.flaticon.com | http://creativecommons.org/licenses/by/3.0/ | |
| http://polymer.github.io/LICENSE.txt | http://polymer.github.io/AUTHORS.txt | |
| http://polymer.github.io/CONTRIBUTORS.txt | http://polymer.github.io/PATENTS.txt | |
| http://jsbin.com/temexa/4 | https://fonts.googleapis.com/css?family=Roboto:400 | |
| https://fonts.googleapis.com/css?family=Roboto+Mono:400 |
Raw Manifest
{ "name": "Volume Controller", "icons": { "16": "icons/icon16.png", "48": "icons/icon48.png", "128": "icons/icon128.png" }, "version": "0.4.1", "background": { "scripts": [ "eventPage.js" ], "persistent": false }, "short_name": "volumeController", "update_url": "https://clients2.google.com/service/update2/crx", "description": "HTML5 video and audio volume controller", "permissions": [ "activeTab", "storage", "tabs" ], "options_page": "options.html", "browser_action": { "default_icon": "icons/icon48.png", "default_popup": "popup.html", "default_title": "" }, "content_scripts": [ { "js": [ "inject.js" ], "matches": [ "http://*/*", "https://*/*", "file:///*" ], "all_frames": true } ], "manifest_version": 2 }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.