[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Open Local Files in Google Chrome™

Version 1.0.2 View in Chrome Web Store

Last scanned: about 4 hours ago

Extension Details

Rating: 2.5 ★ (17 ratings)

Users: 4,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has very limited adoption with only 4,000 users and a concerning 2.5-star rating from just 17 reviews, suggesting user dissatisfaction. The lack of developer information and company details raises transparency concerns. The extension's purpose of opening local files is legitimate, but the implementation appears problematic based on user feedback.

Concerns:

The most significant concern is the broad content script injection capability across all websites (*://*/*), which is excessive for an extension designed to open local files. This permission allows the extension to access and modify any website you visit, potentially capturing sensitive information like passwords, banking details, or personal data. The storage permission, while less concerning, could be used to persist stolen data. The combination of low user satisfaction and overly broad permissions suggests poor development practices or potentially malicious intent.

Recommendations:

Given the high-risk permissions and poor user ratings, consider running this extension in a completely separate Chrome profile if you must use it. Better alternatives would be to use Chrome's built-in file opening capabilities or look for well-established extensions with better ratings and more transparent developers. If you proceed, monitor your browsing carefully and consider removing the extension after use. The broad website access is unnecessary for local file operations and represents a significant security risk.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

storage

Embedded URLs (18 total):

https://developer.mozilla.org/ja/docs/Web/API/Event/isTrusted	https://chrome.google.com/webstore/detail/
https://getbootstrap.com/	https://github.com/twbs/bootstrap/blob/master/LICENSE
http://www.w3.org/2000/svg	https://fontawesome.com
https://fontawesome.com/license/free	https://clients2.google.com/service/update2/crx
https://open-local-files.freespeedcheck.net/	http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd
http://www.w3.org/1999/xlink	http://purl.org/dc/elements/1.1/
http://creativecommons.org/ns#	http://www.w3.org/1999/02/22-rdf-syntax-ns#
http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd	http://www.inkscape.org/namespaces/inkscape
http://purl.org/dc/dcmitype/StillImage	http://www.bohemiancoding.com/sketch

Raw Manifest

{
  "name": "__MSG_appName__",
  "icons": {
    "16": "images/icon-16.png",
    "128": "images/icon-128.png"
  },
  "action": {
    "default_icon": {
      "19": "images/icon-19.png",
      "38": "images/icon-38.png"
    },
    "default_popup": "pages/popup.html",
    "default_title": "__MSG_browserActionTitle__"
  },
  "version": "1.0.2",
  "background": {
    "service_worker": "scripts/background.js"
  },
  "short_name": "__MSG_appShortName__",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_appDescription__",
  "permissions": [
    "storage"
  ],
  "homepage_url": "https://open-local-files.freespeedcheck.net/",
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "scripts/content.js"
      ],
      "run_at": "document_end",
      "matches": [
        "*://*/*"
      ],
      "all_frames": true
    }
  ],
  "offline_enabled": true,
  "manifest_version": 3
}

by ✦ Astarte