[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Psono - Free Password Manager

Version 4.4.0 View in Chrome Web Store

Last scanned: about 6 hours ago

Extension Details

Developer: psono.com

Rating: 4.6 ★ (16 ratings)

Users: 10,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

The extension has a moderate user base of 10,000 users and a good rating of 4.6/5, which suggests legitimate functionality. However, the limited number of reviews (16) relative to users raises some questions about engagement. The developer domain psono.com appears to be a legitimate password management service, which aligns with the extension's stated purpose.

Concerns:

The extension requests extremely broad permissions that, while potentially necessary for a password manager, create significant security risks. The combination of identity access, privacy settings modification, web request interception, and universal website access creates a powerful attack surface. The ability to inject content scripts into all websites and intercept web requests means this extension could theoretically capture any data you enter online. The clipboard write permission, while useful for password filling, could be misused to inject malicious content.

Recommendations:

Given the critical risk level, consider running this extension in a completely separate Chrome profile dedicated only to password management activities. Alternatively, evaluate well-established password managers with stronger security track records and more transparent development practices. If you choose to use this extension, avoid using it while accessing sensitive financial or personal accounts, and regularly audit what data it has access to. Consider using browser-based password managers or standalone applications that don't require such extensive browser permissions.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: clipboardWrite

This extension has the clipboardWrite permission. Can modify clipboard content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: identity

This extension has the identity permission. Can access your identity information. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: privacy

This extension has the privacy permission. Can modify privacy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: notifications

This extension has the notifications permission. Can show notifications.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

Security Analysis Details

Required Permissions:

identity
storage
contextMenus
unlimitedStorage
privacy
notifications
tabs
clipboardWrite
webRequest
webRequestAuthProvider
offscreen

Host Permissions:

http://*/*
https://*/*

Embedded URLs (1067 total):

http://www.w3.org/2000/svg	https://www.psono.pw
https://addons.mozilla.org/firefox/addon/psono-pw-password-manager/	https://chrome.google.com/webstore/detail/psonopw/eljmjmgjkbmpmfljlmklcfineebidmlo
https://microsoftedge.microsoft.com/addons/detail/psono-free-password-man/abobmepfpbkapdlmfhnnkebcnhgeccbm	https://play.google.com/store/apps/details?id=com.psono.psono
https://apps.apple.com/us/app/psono-password-manager/id1545581224	https://www.cloudflare.com/gdpr/introduction/
https://cloud.google.com/terms/	https://cloud.google.com/terms/data-processing-terms
https://aws.amazon.com/service-terms/	https://www.digitalocean.com/legal/terms-of-service-agreement/
https://www.digitalocean.com/legal/privacy-policy/	http://fontawesome.io
http://fontawesome.io/license	http://yuilibrary.com/license/
https://psono.com/security/	https://psono.com/features-for-users
https://exemplo.com/qualquercoisa	https://psono.com/caracteristicas-para-usuarios
https://example.com/qualcosa	https://psono.com/it/features-for-users
https://example.com/something	https://beispiel.com/irgendwas
https://psono.com/de/features-for-users	https://psono.com/
https://psono.com/zh-tw/features-for-users	https://psono.com/pt/features-for-users
https://psono.com/ja/features-for-users	https://exempel.se/test
http://priklad.cz/neco	https://psono.com/funksjoner-for-brukere
https://psono.com/security	https://example.com/algunacosa
https://psono.com/funktioner-for-brugere	https://psono.com/ru/features-for-users
https://psono.com/nl/features-for-users	https://psono.com/ko/features-for-users
https://psono.com/es/features-for-users	https://psono.com/pl/features-for-users
https://exemple.fr/quelquechose	https://psono.com/fr/features-for-users
https://github.com/emn178/js-sha1	https://github.com/emn178/js-sha512
https://github.com/mholt/PapaParse	http://jedwatson.github.io/classnames
https://localforage.github.io/localForage	https://www.chartjs.org
https://openpgpjs.org/	https://github.com/Caligatio/jsSHA
https://github.com/hectorm/otpauth	https://github.com/babel/babel/blob/main/packages/babel-helpers/LICENSE
https://lodash.com/	https://openjsf.org/
https://lodash.com/license	http://underscorejs.org/LICENSE
https://github.com/cssinjs/jss	https://github.com/emn178/js-sha256
http://sheetjs.com	https://bugs.chromium.org/p/v8/issues/detail?id=7863
http://schemas.openxmlformats.org/package/2006/metadata/core-properties	http://schemas.openxmlformats.org/officeDocument/2006/custom-properties
http://schemas.openxmlformats.org/officeDocument/2006/extended-properties	http://schemas.openxmlformats.org/package/2006/content-types
http://schemas.openxmlformats.org/package/2006/relationships	http://schemas.microsoft.com/office/spreadsheetml/2018/threadedcomments
http://purl.org/dc/elements/1.1/	http://purl.org/dc/terms/
http://purl.org/dc/dcmitype/	http://schemas.microsoft.com/office/mac/excel/2008/main
http://schemas.openxmlformats.org/officeDocument/2006/relationships	http://schemas.openxmlformats.org/package/2006/sheetjs/core-properties
http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes	http://www.w3.org/2001/XMLSchema-instance
http://www.w3.org/2001/XMLSchema	http://schemas.openxmlformats.org/spreadsheetml/2006/main
http://purl.oclc.org/ooxml/spreadsheetml/main	http://schemas.microsoft.com/office/excel/2006/main
http://schemas.microsoft.com/office/excel/2006/2	http://www.w3.org/TR/REC-html40

Page 1 of 14

Raw Manifest

{
  "name": "Psono - Free Password Manager",
  "icons": {
    "16": "data/img/icon-16.png",
    "32": "data/img/icon-32.png",
    "48": "data/img/icon-48.png",
    "64": "data/img/icon-64.png",
    "128": "data/img/icon-128.png"
  },
  "action": {
    "default_icon": "data/img/icon-32-disabled.png",
    "default_popup": "data/default_popup.html"
  },
  "author": "Psono",
  "omnibox": {
    "keyword": "pp"
  },
  "storage": {
    "managed_schema": "managed_storage.json"
  },
  "version": "4.4.0",
  "commands": {
    "_execute_action": {
      "suggested_key": {
        "default": "Alt+P"
      }
    }
  },
  "background": {
    "service_worker": "data/js/background-chrome.js"
  },
  "short_name": "Psono",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_appDesc__",
  "permissions": [
    "identity",
    "storage",
    "contextMenus",
    "unlimitedStorage",
    "privacy",
    "notifications",
    "tabs",
    "clipboardWrite",
    "webRequest",
    "webRequestAuthProvider",
    "offscreen"
  ],
  "homepage_url": "https://psono.com/",
  "options_page": "data/index.html#!/settings",
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "data/js/lib/uuid.js",
        "data/js/extension/worker-content-script-base.js",
        "data/js/extension/worker-content-script.js",
        "data/js/extension/worker-content-script-oidc-saml.js",
        "data/js/extension/worker-content-script-elster.js",
        "data/js/extension/worker-content-script-fido2.js",
        "data/js/extension/worker-content-script-pgp.js",
        "data/js/extension/worker-content-script-notification-bar.js",
        "data/js/content-script.js"
      ],
      "css": [
        "data/css/contentscript.css",
        "data/css/lib/cssreset-context-min.css"
      ],
      "run_at": "document_start",
      "matches": [
        "*://*/*"
      ],
      "all_frames": true
    }
  ],
  "host_permissions": [
    "http://*/*",
    "https://*/*"
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "*://*/*"
      ],
      "resources": [
        "data/fonts/*.woff2",
        "data/img/psono-encrypt.png",
        "data/img/psono-decrypt.png",
        "data/notification-bar.html",
        "data/js/web-accessible.js"
      ]
    }
  ]
}

by ✦ Astarte

Psono - Free Password Manager

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (1067 total):

Raw Manifest

Detections

Manifest Findings