Extension Details
Developer:
http://yet-another-rest-client.com/
Rating:
4.4 ★
(138 ratings)
Users:
60,000
Context-Aware Verdict
This section provides a Claude-based AI analysis that applies additional context to the risk. Results are not guaranteed to be accurate.
HIGH
Overall Risk
Trust Factors: The extension has a reasonable user base of 60,000 users and a solid 4.4-star rating from 138 reviews, suggesting legitimate functionality. The name "Yet Another REST Client" clearly indicates its purpose as a development tool for API testing. However, the developer information is minimal, with only a website URL provided and no clear company identification.
Concerns: The combination of clipboardWrite permission with broad host access (<all_urls>) creates significant security risks. While clipboard access might be justified for copying API responses or request data, the ability to modify clipboard content across all websites could enable malicious data injection. The unlimited storage permission, while potentially useful for storing API test data, combined with broad host access could facilitate extensive data collection. The <all_urls> permission is particularly concerning as it grants access to sensitive sites including banking, email, and other personal services, which seems excessive for a REST client tool.
Recommendations: Consider running this extension in a separate Chrome profile dedicated to development work to isolate it from personal browsing. Alternatively, look for REST client alternatives that operate as standalone applications or browser-based tools without requiring broad permissions. If you must use this extension, regularly review what data it has stored and consider disabling it when not actively developing APIs. Monitor your clipboard content after using the extension to ensure no unexpected modifications occur.
Findings
This section provides a detailed analysis of the extension's security posture, without broader context. Assumes worst-case impact.
HIGH
Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.
HIGH
High-Risk Permission: clipboardWrite
This extension has the clipboardWrite permission. Can modify clipboard content. This could potentially be used maliciously to compromise security or privacy.
MEDIUM
Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.
MEDIUM
Medium-Risk Permission: unlimitedStorage
This extension has the unlimitedStorage permission. Can store unlimited data locally.
Security Analysis Details
Required Permissions:
- clipboardWrite
- storage
- unlimitedStorage
Host Permissions:
- <all_urls>
Embedded URLs (2423 total):
| http://yet-another-rest-client.com | https://github.com/paulhitz/angular-bootstrap-file-field#master | |
| https://chrome.google.com/webstore/detail/yarc-yet-another-rest-cli/ehafadccdcdedbhcbddihehiodgcddpl | https://chrome.google.com/webstore/detail/yarc-yet-another-rest-cli/ehafadccdcdedbhcbddihehiodgcddpl/reviews | |
| https://chrome.google.com/webstore/detail/yarc-yet-another-rest-cli/ehafadccdcdedbhcbddihehiodgcddpl/support | https://developer.chrome.com/apps/storage#properties | |
| https://npmjs.org/browse/keyword/karma-adapter | https://npmjs.org/browse/keyword/karma-preprocessor | |
| https://npmjs.org/browse/keyword/karma-reporter | https://npmjs.org/browse/keyword/karma-launcher | |
| http://angularjs.org | https://errors.angularjs.org/1.8.3/ | |
| http://msdn.microsoft.com/en-us/library/ie/cc196988 | http://www.ecma-international.org/ecma-262/5.1/#sec-15.4.4.18 | |
| https://lodash.com/docs/4.17.4#merge | https://developer.mozilla.org/docs/Web/API/Blob | |
| https://developer.mozilla.org/docs/Web/API/MediaStream | https://developer.mozilla.org/docs/Web/API/CanvasGradient | |
| http://jsperf.com/isobject4 | https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/isFinite | |
| https://www.npmjs.com/package/iserror | http://docs.closure-library.googlecode.com/git/local_closure_goog_string_string.js.source.html#line1021 | |
| https://developer.mozilla.org/docs/Web/API/File | https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Map | |
| https://developer.mozilla.org/docs/Web/API/ImageData | https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Set | |
| https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/WeakMap | https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/get | |
| https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/set | http://en.wikipedia.org/wiki/Partial_application | |
| http://en.wikipedia.org/wiki/Currying#Contrast_with_partial_function_application | https://github.com/angular/angular.js/pull/14221 | |
| http://www.ietf.org/rfc/rfc3986.txt | http://tools.ietf.org/html/rfc3986: | |
| https://jquery.com/upgrade-guide/3.5/ | http://jsperf.com/object-create2 | |
| http://jsperf.com/proto-map-lookup/2 | http://jsperf.com/for-in-vs-object-keys2 | |
| http://jquery.com | http://api.jquery.com/jQuery/ | |
| http://api.jquery.com/addClass/ | http://api.jquery.com/after/ | |
| http://api.jquery.com/append/ | http://api.jquery.com/attr/ | |
| http://api.jquery.com/bind/ | http://api.jquery.com/on/ | |
| http://api.jquery.com/children/ | http://api.jquery.com/clone/ | |
| http://api.jquery.com/contents/ | http://api.jquery.com/css/ | |
| http://api.jquery.com/data/ | http://api.jquery.com/detach/ | |
| http://api.jquery.com/empty/ | http://api.jquery.com/eq/ | |
| http://api.jquery.com/find/ | http://api.jquery.com/hasClass/ | |
| http://api.jquery.com/html/ | http://api.jquery.com/next/ | |
| http://api.jquery.com/off/ | http://api.jquery.com/one/ | |
| http://api.jquery.com/parent/ | http://api.jquery.com/prepend/ | |
| http://api.jquery.com/prop/ | http://api.jquery.com/ready/ | |
| http://api.jquery.com/remove/ | http://api.jquery.com/removeAttr/ | |
| http://api.jquery.com/removeClass/ | http://api.jquery.com/removeData/ | |
| http://api.jquery.com/replaceWith/ | http://api.jquery.com/text/ | |
| http://api.jquery.com/toggleClass/ | http://api.jquery.com/triggerHandler/ | |
| http://api.jquery.com/unbind/ | http://api.jquery.com/val/ | |
| http://api.jquery.com/wrap/ | https://github.com/angular/angular.js/issues/14251 | |
| http://docs.angularjs.org/api/angular.element | http://www.quirksmode.org/js/events_mouse.html#link8 | |
| http://jsperf.com/string-indexof-vs-split | https://kangax.github.io/compat-table/es6/#test-Map |
Page 1 of 31
Raw Manifest
{ "name": "Yet Another REST Client", "icons": { "16": "img/logo_16x16.png", "48": "img/logo_48x48.png", "128": "img/logo_128x128.png" }, "action": { "default_icon": { "19": "img/logo_19x19.png", "38": "img/logo_38x38.png" } }, "author": "Paul Hitz", "version": "1.3.0", "incognito": "split", "background": { "service_worker": "extension/background.js" }, "short_name": "YARC", "update_url": "https://clients2.google.com/service/update2/crx", "description": "YARC (Yet Another REST Client) is an easy-to-use REST Client. Use it to develop, test and debug RESTful APIs.", "permissions": [ "clipboardWrite", "storage", "unlimitedStorage" ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3 }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
Loading Secure Annex data...
Unable to load Secure Annex data.
This extension may not yet be analyzed by Secure Annex.
Detections
0Critical
0
High
0
Medium
0
Low
0
Has Verdicts
Yes
Manifest Findings
0Critical
0
High
0
Medium
0
Low
0
Secure Annex analyzed version: -