[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

LingQ Importer

Version 2.3.36 View in Chrome Web Store

Last scanned: about 11 hours ago

Extension Details

Developer: http://lingq.com/

Rating: 3.2 ★ (51 ratings)

Users: 100,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension comes from LingQ.com, a legitimate language learning platform with an established online presence. With 100,000 users, it has a reasonable user base, though the 3.2-star rating from 51 reviews suggests mixed user experiences. The specific host permissions limited to LingQ's API endpoints show some restraint in scope.

Concerns:

The cookies permission is particularly concerning as it allows access to authentication tokens and session data across websites. Combined with content script injection on major streaming platforms (Netflix, Prime Video, YouTube), this creates potential for unauthorized data collection. The activeTab permission, while common, adds another layer of access to sensitive browsing data. The broad content script permissions across popular entertainment platforms seem excessive for a language learning tool's core functionality.

The security findings correctly identify the high-risk nature of the cookies permission and the broad host access patterns. The combination of these permissions with content script injection capabilities on major platforms creates significant privacy and security exposure.

Recommendations:

Consider running this extension in a separate Chrome profile to isolate it from your primary browsing session and sensitive accounts. Review the extension's actual functionality to determine if the streaming platform access is necessary for your use case. Monitor your browser's cookie activity and consider clearing cookies regularly when using this extension. If possible, use LingQ's web interface directly rather than the extension to minimize permission exposure.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

activeTab
cookies
storage
scripting

Host Permissions:

https://www.lingq.com/api/*

Embedded URLs (17 total):

https://github.com/select2/select2/blob/master/LICENSE.md	https://github.com/jpillora/xhook
https://www.lingq.com/api	http://www.w3.org/2000/svg
http://www.w3.org/1999/xlink	https://vecta.io/nano
https://www.lingq.com/accounts/login/	https://forum.lingq.com/t/how-to-import-youtube-videos-without-captions/641794
https://www.youtube.com/youtubei/v1/player?prettyPrint=false	https://www.netflix.com/watch/
https://www.primevideo.com	https://clients2.google.com/service/update2/crx
https://www.lingq.com/	https://www.lingq.com/api/
https://www.irrelon.com	https://github.com/irrelon/jquery-lang-js
https://www.fontsquirrel.com

Raw Manifest

{
  "name": "LingQ Importer",
  "icons": {
    "16": "icons/LingQ-16x16.png",
    "48": "icons/LingQ-48x48.png",
    "64": "icons/LingQ-64x64.png",
    "128": "icons/LingQ-128x128.png"
  },
  "action": {
    "default_icon": "icons/toolbar-icon.png",
    "default_popup": "popup.html",
    "default_title": "LingQ"
  },
  "version": "2.3.36",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Automatically import foreign language content from the web & study it with LingQ's web & mobile language learning apps.",
  "permissions": [
    "activeTab",
    "cookies",
    "storage",
    "scripting"
  ],
  "homepage_url": "https://www.lingq.com/",
  "content_scripts": [
    {
      "js": [
        "netflix/contentscript.js",
        "netflix/inject.js"
      ],
      "run_at": "document_start",
      "matches": [
        "https://*.netflix.com/*"
      ],
      "all_frames": false
    },
    {
      "js": [
        "primevideo/contentscript.js",
        "primevideo/inject.js"
      ],
      "run_at": "document_start",
      "matches": [
        "https://*.primevideo.com/*"
      ],
      "all_frames": false
    },
    {
      "js": [
        "youtube/contentscript.js",
        "youtube/inject.js"
      ],
      "run_at": "document_start",
      "matches": [
        "https://*.youtube.com/*"
      ],
      "all_frames": false
    }
  ],
  "host_permissions": [
    "https://www.lingq.com/api/*"
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "https://*.netflix.com/*"
      ],
      "resources": [
        "netflix/worker.js"
      ]
    },
    {
      "matches": [
        "https://*.primevideo.com/*"
      ],
      "resources": [
        "primevideo/worker.js",
        "xhook.min.js"
      ]
    },
    {
      "matches": [
        "https://*.youtube.com/*"
      ],
      "resources": [
        "youtube/worker.js"
      ]
    },
    {
      "matches": [
        "https://*.lingq.com/*"
      ],
      "resources": [
        "version.json"
      ]
    }
  ]
}

by ✦ Astarte

LingQ Importer

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (17 total):

Raw Manifest

Detections

Manifest Findings