CRXaminer

Yet Another REST Client

Version 1.3.0

Last scanned: about 7 hours ago

Extension Details

Developer: http://yet-another-rest-client.com/
Rating: 4.4 ★ (139 ratings)
Users: 60,000

Context-Aware Verdict

Overall Risk: HIGH

Trust Factors:

The extension has a solid user base of 60,000 users and maintains a good rating of 4.4 stars from 139 reviews, indicating general user satisfaction. The name "Yet Another REST Client" clearly describes its purpose as an API testing tool, and it has an associated website, which adds some legitimacy. However, the developer information is minimal, providing limited transparency about the company or individual behind the extension.

Concerns:

The primary concern is the combination of broad host permissions (<all_urls>) with clipboard write access, creating a potentially dangerous attack surface. While these permissions may be necessary for a REST client to function across different APIs and copy response data, they also enable the extension to access any website you visit and modify your clipboard contents. The unlimited storage permission, while less critical, could be used to store large amounts of potentially sensitive data from API responses.

Recommendations:

Given the high-risk permission combination, consider running this extension in a separate Chrome profile dedicated to development work. This isolates it from your personal browsing and sensitive accounts. Before installation, verify the extension's legitimacy by checking its official website and reviews for any security concerns. Monitor your clipboard contents when using the extension, and consider using alternative REST clients with more limited permissions if this extension's functionality can be replaced. Regularly review what data the extension has stored and clear it if no longer needed.

Findings

[HIGH] Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

[HIGH] High-Risk Permission: clipboardWrite
This extension has the clipboardWrite permission, which lets it modify clipboard content. This could potentially be used maliciously to compromise security or privacy.

[MEDIUM] Medium-Risk Permission: storage
This extension has the storage permission, which lets it store data locally.

[MEDIUM] Medium-Risk Permission: unlimitedStorage
This extension has the unlimitedStorage permission, which lets it store unlimited data locally.