[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Dash Highlighter

Version 1.0 View in Chrome Web Store

Last scanned: about 8 hours ago

Extension Details

Rating: 5.0 ★ (1 rating)

Users: 10

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has extremely limited trust indicators with only 10 users and a single 5-star rating, which is insufficient to establish credibility. The lack of developer information, company details, and recent update history raises significant transparency concerns. The generic name "Dash Highlighter" provides little insight into the extension's actual functionality or legitimate purpose.

Concerns:

The extension exhibits several red flags that are disproportionate to what appears to be a simple highlighting tool. The combination of broad host permissions covering all websites and content script injection capabilities across the entire web creates an extensive attack surface. These permissions would allow the extension to access sensitive information on banking sites, social media platforms, email services, and any other websites you visit. The storage permission, while less concerning individually, could be used to collect and retain harvested data. The minimal user base and lack of developer transparency make it impossible to verify the extension's intentions or security practices.

Recommendations:

Given the high risk profile, avoid installing this extension entirely. If highlighting functionality is needed, seek established alternatives from reputable developers with transparent backgrounds and substantial user bases. The broad permissions combined with minimal trust indicators suggest this could be a data harvesting tool disguised as a utility. Consider using browser-native highlighting features or well-reviewed extensions with more limited, appropriate permissions for their stated functionality.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "Dash Highlighter",
  "icons": {
    "16": "icon16.png",
    "48": "icon48.png",
    "128": "icon128.png"
  },
  "version": "1.0",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Highlights en dashes and em dashes on web pages",
  "permissions": [
    "storage"
  ],
  "options_page": "options.html",
  "content_scripts": [
    {
      "js": [
        "constants.js",
        "content.js"
      ],
      "run_at": "document_end",
      "matches": [
        "<all_urls>"
      ]
    }
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3
}

by ✦ Astarte

https://github.com/	https://github.com/hubwriter/github-dash-highlighter/blob/main/test.html
https://example.com/	https://test.com/
https://clients2.google.com/service/update2/crx

Dash Highlighter

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (5 total):

Raw Manifest

Detections

Manifest Findings