Extension Details
Context-Aware Verdict
The extension has a solid 4.5-star rating from 24 reviews and is developed by TimeTackle Inc, suggesting legitimate business backing. However, the relatively low user count of 2,000 users indicates limited adoption, which could mean less community vetting. The extension appears to be a time tracking tool that integrates with Google Calendar based on its permissions and host access patterns.
The primary concern is the broad host permissions that allow access to multiple domains including the developer's own app domains and Google Calendar. While the Google Calendar access aligns with the extension's apparent time tracking functionality, the combination of activeTab permission with broad host access creates potential for data collection beyond what's necessary. The storage permission, while common, adds to the data handling capabilities. The extension can inject content scripts into Google Calendar pages, which could potentially access sensitive calendar information.
Given the medium risk level, consider running this extension in a separate Chrome profile if you handle highly sensitive information in your browser. Before installation, verify that TimeTackle Inc is a legitimate company and review their privacy policy to understand data handling practices. Monitor the extension's behavior after installation and revoke permissions if you notice unexpected activity. Consider whether the time tracking functionality justifies the broad access permissions requested.
Findings
Security Analysis Details
Required Permissions:
- activeTab
- scripting
- storage
Host Permissions:
- https://app.timetackle.com/*
- https://app2.timetackle.com/*
- https://calendar.google.com/*
Embedded URLs (58 total):
| https://1c01b1a70ea843718c348db0ded1a6bc@o566424.ingest.us.sentry.io/5710362 | https://app2.timetackle.com/ext-google-auth-success-callback.html | |
| https://app.timetackle.com/api/chrome_ext | https://core.timetackle.com | |
| http://www.w3.org/2000/svg | https://npms.io/search?q=ponyfill. | |
| http://fb.me/use-check-prop-types | https://app2.timetackle.com/sign-in/chrome-ext?from=tag_extension&vendor=GOOGLE | |
| https://reactjs.org/link/react-polyfills | https://app2.timetackle.com/login.html | |
| https://calendar.google.com/calendar/ | https://app2.timetackle.com/ | |
| http://www.example.com | https://reactjs.org/docs/error-decoder.html?invariant= | |
| https://app2.timetackle.com | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1999/xhtml | |
| http://www.w3.org/1998/Math/MathML | https://socket.io/docs/v3/migrating-from-2-x-to-3-0/ | |
| https://ws.timetackle.com | https://www.timetackle.com/terms-of-service/ | |
| https://www.timetackle.com/privacy-policy/ | https://www.timetackle.com/request-demo/ | |
| https://www.timetackle.com/features/enterprise-grade-security | https://www.youtube.com/watch?v=2EMBihoU4QA | |
| https://app2.timetackle.com/apps/all?type=Data_Source | https://tailwindcss.com | |
| https://staging-dot-timetackle.ue.r.appspot.com/ext-login-oauth-success-callback | https://app.timetackle.com/googleV2? | |
| https://app.timetackle.com/google? | https://app2.timetackle.com/ext-login-oauth-success-callback | |
| https://calendar.google.com/calendar | https://outlook.office.com/calendar | |
| https://intercom.help/timetackle-com/en/ | https://timetackle.canny.io/feature-request | |
| https://fonts.googleapis.com/css2?family=Inter&display=swap | https://stackoverflow.com/q/20007992 | |
| https://connect.timetackle.com/api | https://fb.me/react-async-component-lifecycle-hooks | |
| https://app.timetackle.com/login | https://timetackle.notion.site/Data-Settings-736b298d69e545e9b4d60a8ca7fa368f | |
| https://redux.js.org/Errors?code= | https://app2.timetackle.com/apps/all?type=all | |
| https://app2.timetackle.com/settings/tag-management/manage-tags?from=chrome_ext | https://app2.timetackle.com/settings/calendar-management/calendars?from=chrome_ext | |
| https://animate.style/ | http://opensource.org/licenses/MIT | |
| http://jedwatson.github.io/classnames | https://github.com/babel/babel/blob/main/packages/babel-helpers/LICENSE | |
| https://lodash.com/ | https://openjsf.org/ | |
| https://lodash.com/license | http://underscorejs.org/LICENSE | |
| https://www.timetackle.com/tackle-chrome-extension-installed-option-1/ | https://clients2.google.com/service/update2/crx | |
| https://app.timetackle.com/ | https://calendar.google.com/ |
Raw Manifest
{ "name": "Tackle", "icons": { "16": "assets/img/16.png", "32": "assets/img/16.png", "48": "assets/img/16.png", "128": "assets/img/16.png" }, "action": { "default_icon": { "16": "assets/img/16.png", "32": "assets/img/16.png", "48": "assets/img/16.png", "128": "assets/img/16.png" }, "default_popup": "popup.html", "default_title": "Tackle" }, "author": "AK Syam <syam@timetackle.com>", "version": "9.24.0", "background": { "service_worker": "background.js" }, "short_name": "Tackle", "update_url": "https://clients2.google.com/service/update2/crx", "description": "Automatic Google Calendar time tracking and productivity insights", "permissions": [ "activeTab", "scripting", "storage" ], "content_scripts": [ { "js": [ "content.js", "assets/vendor/crypto.aes.min.js", "assets/vendor/crypto.aes.custom.js" ], "run_at": "document_end", "matches": [ "https://calendar.google.com/calendar/*" ], "all_frames": false, "match_about_blank": false } ], "host_permissions": [ "https://app.timetackle.com/*", "https://app2.timetackle.com/*", "https://calendar.google.com/*" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "https://calendar.google.com/*", "https://app2.timetackle.com/*" ], "resources": [ "assets/*" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.