[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Sauce for Strava™

Version 8.9.7 View in Chrome Web Store

Last scanned: about 1 hour ago

Extension Details

Developer: sauce.llc

Rating: 4.7 ★ (111 ratings)

Users: 50,000

Context-Aware Verdict

MEDIUM

Overall Risk

Trust Factors:

The extension has a solid user base of 50,000 users with a high rating of 4.7 stars from 111 reviews, indicating positive user experiences. The developer "sauce.llc" appears to be a legitimate company focused on Strava enhancements. The extension uses Manifest V3, which provides better security controls than older versions. The content scripts are appropriately scoped to only Strava domains, showing good security practices.

Concerns:

The unlimited storage permission is concerning as it allows the extension to store unlimited amounts of data on your device without restrictions. While the storage and contextMenus permissions are reasonable for a Strava enhancement tool, the combination with unlimited storage could potentially be misused. The extension has broad access across all Strava pages, which while necessary for functionality, increases the attack surface if the extension were compromised.

Recommendations:

This extension appears legitimate for Strava users seeking enhanced features. The permissions align with typical functionality for fitness tracking enhancements. Monitor your device storage usage if you install this extension due to the unlimited storage capability. Consider the value of the features against the storage permissions granted. The risk is manageable for most users, but those with strict privacy requirements might want to research the specific data collection practices of sauce.llc before installation.

Findings

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

Security Analysis Details

Required Permissions:

storage
unlimitedStorage
contextMenus
alarms
offscreen

Embedded URLs (142 total):

https://fonts.googleapis.com/css2?display=swap&family=Cormorant:ital	https://davidwalsh.name/detect-node-insertion
https://github.com/marcj/css-element-queries	https://www.sauce.llc/images/perf-onboarding/tdf-yellow.jpg
https://www.sauce.llc/images/perf-onboarding/breakaway.jpg	https://fonts.googleapis.com/css?family=Lato:300
https://fonts.googleapis.com/css?family=Permanent+Marker&display=swap	http://www.w3.org/2000/svg
https://fontawesome.com	https://fontawesome.com/license/free
https://doi.org/10.1007/s12283-021-00345-2	https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API
https://physfarm.com/new/?page_id=37	https://physfarm.com/new/?page_id=563
https://www.trainingpeaks.com/learn/articles/glossary-of-trainingpeaks-metrics/?utm_source=newsletter&utm_medium=partner&utm_term=sauce_trademark&utm_content=cta&utm_campaign=sauce	https://www.trainingpeaks.com/learn/articles/glossary-of-trainingpeaks-metrics/
https://lee-naish.github.io/src/posavespeed/	https://www.researchgate.net/publication/353625461
https://clients2.google.com/service/update2/crx	https://www.sauce.llc
https://www.strava.com/	https://www.strava.com/activities/
https://www.strava.com/sauce/	https://termsfeed.com/blog/gdpr/#Individual_Rights_Under_the_GDPR
https://fonts.googleapis.com/css2?family=Permanent+Marker&display=swap	https://www.sauce.llc/supporters.html
https://www.patreon.com/bePatron?u=32064618	https://chrome.google.com/webstore/detail/eigiefcapdcdmncdghkeahgfmnobigha
https://addons.mozilla.org/addon/sauce4strava	https://www.sauce.llc/release_notes
https://issues.chromium.org/issues/40774955?pli=1	http://omnipotent.net/jquery.sparkline/
http://paulirish.com/2008/bookmarklet-inject-new-css-rules/	https://bugs.webkit.org/show_bug.cgi?id=254777
https://api.sauce.llc	https://www.calorieking.com/us/en/foods/f/calories-in-ales-beers-regular-beer-5-alc/pSpIIviuRSiNzcQ-qE0b6g
https://www.calorieking.com/us/en/foods/f/calories-in-wines-pinot-noir-red-wine-10-alc/G7WQMTUCSDqj2MrWkaaHZQ	https://www.calorieking.com/us/en/foods/f/calories-in-cocktails-pina-colada-cocktail-without-cherry-or-pineapple-stick/8ymI5wtTRi2G7svkTs84cQ
https://www.calorieking.com/us/en/foods/f/calories-in-pizzas-14-pizza-cheese-topping-original-crust/OCrypuBtRY-n8kv7QpHpcw	https://www.calorieking.com/us/en/foods/f/calories-in-tacos-crunchy-taco-with-seasoned-beef/YA5wcaHGSk6K6_wRIfUoQw
https://www.calorieking.com/us/en/foods/f/calories-in-fresh-or-dried-vegetables-broccoli-raw/uhZAljTASPuU9YnkyCZdFA	https://www.calorieking.com/us/en/foods/f/calories-in-hot-fries-chips-french-fries-medium/vkBew6QlQzKVqwXSKK3AyQ
https://www.calorieking.com/us/en/foods/f/calories-in-cookies-chocolate-chip-cookie/aBntNie-R3CyA8W4Qirv9g	https://www.calorieking.com/us/en/foods/f/calories-in-fresh-or-dried-vegetables-hot-red-chili-peppers-raw/-5I3WvHlR5W6F0sMDzgD_g
https://www.calorieking.com/us/en/foods/f/calories-in-fresh-or-dried-vegetables-carrots-raw/Nxk1bCHNQwOswcZ5YlPVEg	https://www.calorieking.com/us/en/foods/f/calories-in-fresh-fruits-bananas-raw/wD01T68KTjyMTa2r5dKwYw
https://www.calorieking.com/us/en/foods/f/calories-in-pastries-butter-croissant/V5d9UkB9TtO2llw33MKIrg	https://www.calorieking.com/us/en/foods/f/calories-in-pancakes-buttermilk-pancake-prepared-from-recipe/DYlrce0YQ0aOWQcKB0GCaA
https://www.calorieking.com/us/en/foods/f/calories-in-pork-bacon-broiled-or-pan-fried/zxhpcaQUQM-zCxyIqBtt-Q	https://www.calorieking.com/us/en/foods/f/calories-in-sandwiches-burgers-quarter-pounder-burger-with-cheese/Mro3VsgMToG_GFl7QKNhaQ
https://www.calorieking.com/us/en/foods/f/calories-in-cakes-cupcake-with-icing-golden-vanilla/1gFIJ1hKS9O2sFYyOhH8Tg	https://www.calorieking.com/us/en/foods/f/calories-in-pies-tarts-apple-pie-prepared-from-recipe/-ISpM7EMT9W-PmS75yB9tw
https://www.calorieking.com/us/en/foods/f/calories-in-japanese-raw-tuna-sushi-nigiri/dRH0pXbUTO-_tklypq6u1Q	https://www.calorieking.com/us/en/foods/f/calories-in-hot-dogs-regular-w-ketchup-roll-no-mayo/l9lnkS90QXW3jp_mXzi1og
https://www.calorieking.com/us/en/foods/f/calories-in-beef-beef-ribeye-cap-steak-boneless-lean-only-grilled/r5MxHHjCQdu6crU8x9QJKg	https://www.calorieking.com/us/en/foods/f/calories-in-rice-long-grain-white-rice-cooked-without-salt/YZ5UTDL3Rwi_Ab2Z-dKM7A
https://www.calorieking.com/us/en/foods/f/calories-in-fresh-or-dried-vegetables-russet-potatoes-baked-flesh-skin/bJuwqWUgQpmwY7pxH1YRdQ	https://www.calorieking.com/us/en/foods/f/calories-in-eggs-whole-egg-fried-without-added-fat/bh_Ctob2SDyAocRIlWM2Bw
https://www.calorieking.com/us/en/foods/f/calories-in-ice-cream-vanilla-ice-cream/2_QVfiNrTZ2eKWKpkp827A	https://www.calorieking.com/us/en/foods/f/calories-in-donuts-chocolate-coated-or-frosted-cake-type-donut/L1A-Mtu9T8CjrL7fhg6_0A
https://bugzilla.mozilla.org/show_bug.cgi?id=1920169	https://www.sauce.llc/release_notes.json
https://github.com/joshcarr/largest-triangle-three-buckets.js	https://github.com/sveinn-steinarsson/flot-downsample
https://github.com/SauceLLC/sauce4strava/issues/55	https://chartjs-plugin-crosshair.netlify.com
https://chartjs-plugin-datalabels.netlify.com	https://stackoverflow.com/a/20204180/8837887
https://github.com/chartjs/chartjs-plugin-datalabels/issues/85	https://developer.mozilla.org/en-US/docs/Web/CSS/font
https://doc.qt.io/qt-5/qtglobal.html#qBound	https://github.com/chartjs/chartjs-plugin-datalabels/issues/70
https://en.wikipedia.org/wiki/Cohen	https://gamedevelopment.tutsplus.com/tutorials/collision-detection-using-the-separating-axis-theorem--gamedev-169
https://github.com/chartjs/Chart.js/issues/4176	https://github.com/chartjs/chartjs-plugin-datalabels/issues/108
https://github.com/chartjs/chartjs-plugin-datalabels/issues/29	https://github.com/chartjs/chartjs-plugin-datalabels/issues/32
https://github.com/chartjs/chartjs-plugin-datalabels/issues/42	https://git.io/fjule

Page 1 of 2

Raw Manifest

{
  "name": "Sauce for Strava™",
  "icons": {
    "16": "images/icon16.png",
    "32": "images/icon32.png",
    "48": "images/icon48.png",
    "64": "images/icon64.png",
    "128": "images/icon128.png",
    "256": "images/icon256.png"
  },
  "action": {
    "default_icon": {
      "19": "images/icon19.png",
      "38": "images/icon38.png",
      "48": "images/icon48.png",
      "64": "images/icon64.png",
      "128": "images/icon128.png",
      "256": "images/icon256.png"
    },
    "default_popup": "pages/options.html?popup",
    "default_title": "Sauce for Strava™"
  },
  "author": "Sauce, LLC",
  "version": "8.9.7",
  "background": {
    "type": "module",
    "service_worker": "src/bg/main.mjs"
  },
  "options_ui": {
    "page": "pages/options.html",
    "open_in_tab": true
  },
  "short_name": "Sauce",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_app_desc__",
  "permissions": [
    "storage",
    "unlimitedStorage",
    "contextMenus",
    "alarms",
    "offscreen"
  ],
  "homepage_url": "https://www.sauce.llc",
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "src/ext/webext.js",
        "src/common/base.js",
        "src/common/base_init.js",
        "src/common/proxy.js",
        "src/ext/proxy.js",
        "src/common/storage.js",
        "src/ext/storage.js",
        "src/ext/locale.js",
        "src/ext/boot.js"
      ],
      "run_at": "document_start",
      "matches": [
        "https://www.strava.com/*"
      ]
    },
    {
      "js": [
        "src/site/base.js",
        "src/site/preloader.js",
        "src/site/base_init.js"
      ],
      "world": "MAIN",
      "run_at": "document_start",
      "matches": [
        "https://www.strava.com/*"
      ]
    },
    {
      "js": [
        "src/site/export_activity_photos.js"
      ],
      "world": "MAIN",
      "run_at": "document_start",
      "matches": [
        "https://www.strava.com/activities/*"
      ]
    },
    {
      "css": [
        "css/common.css"
      ],
      "run_at": "document_start",
      "matches": [
        "https://www.strava.com/*"
      ]
    },
    {
      "css": [
        "css/repurpose.css"
      ],
      "run_at": "document_start",
      "matches": [
        "https://www.strava.com/sauce/*"
      ]
    }
  ],
  "manifest_version": 3,
  "minimum_chrome_version": "120",
  "web_accessible_resources": [
    {
      "matches": [
        "https://www.strava.com/*"
      ],
      "resources": [
        "build.json",
        "src/*",
        "lib/*",
        "css/*",
        "templates/*",
        "images/*",
        "pages/*"
      ]
    }
  ]
}

by ✦ Astarte

Sauce for Strava™

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Embedded URLs (142 total):

Raw Manifest

Detections

Manifest Findings