[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Dash Highlighter

Version 1.0 View in Chrome Web Store

Last scanned: 7 days ago | force re-scan

Extension Details

Rating: 5.0 ★ (1 rating)

Users: 11

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has extremely limited adoption with only 11 users and a single 5-star rating, making it difficult to assess reliability. The lack of developer information, company details, and recent update history raises significant transparency concerns. The extension appears to be a text highlighting tool, but the minimal user base suggests it hasn't been thoroughly vetted by the community.

Concerns:

The most significant concern is the combination of broad host permissions (<all_urls>) and content script injection capabilities across all websites. For a simple highlighting tool, these permissions are excessive and unnecessary. The extension can access and modify content on every website you visit, including sensitive sites like banking, email, and social media platforms. This creates substantial privacy and security risks, as the extension could potentially capture passwords, personal information, or browsing habits. The storage permission, while less concerning, allows data collection and retention.

Recommendations:

Given the high-risk permissions and lack of established trust factors, consider running this extension in a separate Chrome profile isolated from your main browsing activities. Alternatively, look for more established highlighting extensions with better security practices and larger user bases. If you must use this extension, avoid accessing sensitive websites while it's active, and regularly review what data it might be storing through Chrome's extension management settings.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "Dash Highlighter",
  "icons": {
    "16": "icon16.png",
    "48": "icon48.png",
    "128": "icon128.png"
  },
  "version": "1.0",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Highlights en dashes and em dashes on web pages",
  "permissions": [
    "storage"
  ],
  "options_page": "options.html",
  "content_scripts": [
    {
      "js": [
        "constants.js",
        "content.js"
      ],
      "run_at": "document_end",
      "matches": [
        "<all_urls>"
      ]
    }
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3
}

by ✦ Astarte

https://github.com/	https://github.com/hubwriter/github-dash-highlighter/blob/main/test.html
https://example.com/	https://test.com/
https://clients2.google.com/service/update2/crx

Dash Highlighter

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (5 total):

Raw Manifest

Detections

Manifest Findings