CRXaminer

UiPath Web Automation

Version 9.0.6827

Last scanned: about 4 hours ago

Extension Details

Rating: 2.5 ★ (48 ratings)
Users: 200,000

Context-Aware Verdict

Overall Risk: CRITICAL

Trust Factors:

UiPath is a legitimate and well-known robotic process automation (RPA) company with enterprise-grade software solutions. The extension has 200,000 users, indicating widespread adoption in business environments. However, the low rating of 2.5 stars from 48 reviews suggests user dissatisfaction or functionality issues, which is concerning for a product from an established company.

Concerns:

The extension requests extremely broad permissions that are appropriate for automation software but create significant security exposure. The management permission allows control over other extensions, while <all_urls> grants access to all websites including sensitive financial and personal sites. The combination of tabs and webNavigation permissions enables comprehensive browsing activity monitoring. The use of 'unsafe-eval' in the Content Security Policy allows dynamic JavaScript execution, creating potential code injection vulnerabilities. The older Manifest V2 framework provides fewer security protections than the current standard.

Recommendations:

Given the critical risk level, install this extension only in a dedicated Chrome profile used exclusively for UiPath automation tasks. Avoid using this profile for personal browsing, banking, or accessing sensitive websites. Regularly audit which websites the extension accesses and disable it when not actively performing automation work. Consider whether your organization truly requires this level of browser automation, as the security trade-offs are substantial. Monitor for updates that might migrate to Manifest V3 for improved security.

Findings

HIGH
High-Risk Permission: <all_urls>
This extension has the <all_urls> permission. Can access all websites and their content. This could potentially be used maliciously to compromise security or privacy.

HIGH
High-Risk Permission: management
This extension has the management permission. Can manage other extensions. This could potentially be used maliciously to compromise security or privacy.

HIGH
High-Risk Permission: tabs
This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH
High-Risk Permission: webNavigation
This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

HIGH
Unsafe JavaScript Evaluation
This extension's Content Security Policy allows 'unsafe-eval', which permits dynamic JavaScript code execution using eval() and similar functions. This is a significant security risk as it could allow execution of malicious code.

MEDIUM
Older Manifest Version
This extension uses Manifest Version 2, which has fewer security restrictions than Manifest V3. Consider using extensions that have upgraded to V3.