Starting analysis...
Extension Details
Context-Aware Verdict
The extension is developed by TimeTackle Inc, which appears to be a legitimate time tracking company based on the domain permissions and functionality. With 3,000 users and a solid 4.5-star rating from 24 reviews, it shows reasonable adoption and user satisfaction. The extension uses Manifest V3, indicating compliance with modern Chrome security standards. The version number (9.26.0) suggests active development and maintenance.
The primary concern is the broad host permissions that extend beyond what appears necessary for a time tracking tool. While access to Google Calendar makes sense for time tracking integration, the extension's permissions could theoretically be misused to access sensitive data across multiple domains. The activeTab permission, while common, allows the extension to interact with whatever page you're currently viewing when activated. The storage permission enables local data retention, which could include sensitive time tracking or calendar information.
Given the medium risk level, consider running this extension in a separate Chrome profile if you handle highly sensitive information in your browser. Before installation, verify that TimeTackle Inc is indeed the legitimate company behind your time tracking service. Monitor the extension's behavior and revoke permissions if you notice any unexpected activity. Regularly review what data the extension has access to through Chrome's extension management settings. The risk is manageable for users who specifically need TimeTackle's time tracking functionality and trust the company.
Findings
Security Analysis Details
Required Permissions:
- activeTab
- scripting
- storage
Host Permissions:
- https://app.timetackle.com/*
- https://app2.timetackle.com/*
- https://calendar.google.com/*
Embedded URLs (58 total):
| https://1c01b1a70ea843718c348db0ded1a6bc@o566424.ingest.us.sentry.io/5710362 | https://app2.timetackle.com/ext-google-auth-success-callback.html | |
| https://app.timetackle.com/api/chrome_ext | https://core.timetackle.com | |
| http://www.w3.org/2000/svg | https://npms.io/search?q=ponyfill. | |
| http://fb.me/use-check-prop-types | https://app2.timetackle.com/sign-in/chrome-ext?from=tag_extension&vendor=GOOGLE | |
| https://reactjs.org/link/react-polyfills | https://app2.timetackle.com/login.html | |
| https://calendar.google.com/calendar/ | https://app2.timetackle.com/ | |
| http://www.example.com | https://reactjs.org/docs/error-decoder.html?invariant= | |
| https://app2.timetackle.com | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1999/xhtml | |
| http://www.w3.org/1998/Math/MathML | https://socket.io/docs/v3/migrating-from-2-x-to-3-0/ | |
| https://ws.timetackle.com | https://www.timetackle.com/terms-of-service/ | |
| https://www.timetackle.com/privacy-policy/ | https://www.timetackle.com/request-demo/ | |
| https://www.timetackle.com/features/enterprise-grade-security | https://www.youtube.com/watch?v=2EMBihoU4QA | |
| https://app2.timetackle.com/apps/all?type=Data_Source | https://tailwindcss.com | |
| https://staging-dot-timetackle.ue.r.appspot.com/ext-login-oauth-success-callback | https://app.timetackle.com/googleV2? | |
| https://app.timetackle.com/google? | https://app2.timetackle.com/ext-login-oauth-success-callback | |
| https://calendar.google.com/calendar | https://outlook.office.com/calendar | |
| https://intercom.help/timetackle-com/en/ | https://timetackle.canny.io/feature-request | |
| https://fonts.googleapis.com/css2?family=Inter&display=swap | https://stackoverflow.com/q/20007992 | |
| https://connect.timetackle.com/api | https://fb.me/react-async-component-lifecycle-hooks | |
| https://app.timetackle.com/login | https://timetackle.notion.site/Data-Settings-736b298d69e545e9b4d60a8ca7fa368f | |
| https://redux.js.org/Errors?code= | https://app2.timetackle.com/apps/all?type=all | |
| https://app2.timetackle.com/settings/tag-management/manage-tags?from=chrome_ext | https://app2.timetackle.com/settings/calendar-management/calendars?from=chrome_ext | |
| https://animate.style/ | http://opensource.org/licenses/MIT | |
| http://jedwatson.github.io/classnames | https://github.com/babel/babel/blob/main/packages/babel-helpers/LICENSE | |
| https://lodash.com/ | https://openjsf.org/ | |
| https://lodash.com/license | http://underscorejs.org/LICENSE | |
| https://www.timetackle.com/tackle-chrome-extension-installed-option-1/ | https://clients2.google.com/service/update2/crx | |
| https://app.timetackle.com/ | https://calendar.google.com/ |
Raw Manifest
{ "name": "Tackle", "icons": { "16": "assets/img/16.png", "32": "assets/img/16.png", "48": "assets/img/16.png", "128": "assets/img/16.png" }, "action": { "default_icon": { "16": "assets/img/16.png", "32": "assets/img/16.png", "48": "assets/img/16.png", "128": "assets/img/16.png" }, "default_popup": "popup.html", "default_title": "Tackle" }, "author": "AK Syam <syam@timetackle.com>", "version": "9.26.0", "background": { "service_worker": "background.js" }, "short_name": "Tackle", "update_url": "https://clients2.google.com/service/update2/crx", "description": "Automatic Google Calendar time tracking and productivity insights", "permissions": [ "activeTab", "scripting", "storage" ], "content_scripts": [ { "js": [ "content.js", "assets/vendor/crypto.aes.min.js", "assets/vendor/crypto.aes.custom.js" ], "run_at": "document_end", "matches": [ "https://calendar.google.com/calendar/*" ], "all_frames": false, "match_about_blank": false } ], "host_permissions": [ "https://app.timetackle.com/*", "https://app2.timetackle.com/*", "https://calendar.google.com/*" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "https://calendar.google.com/*", "https://app2.timetackle.com/*" ], "resources": [ "assets/*" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.