[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

KeyGuard - Password Manager

Version 3.0.8.1 View in Chrome Web Store

Last scanned: about 23 hours ago

Extension Details

Rating: 4.9 ★ (14 ratings)

Users: 2,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

The extension has very limited trust indicators with only 2,000 users and 14 ratings, despite claiming to be a password manager. The high 4.9 rating could be artificially inflated given the small sample size. No developer information is provided, which is concerning for a security-focused application. The lack of transparency about the company behind this password manager raises significant red flags.

Concerns:

The permission set is extremely broad and concerning for any extension, but particularly alarming for one with such low adoption. The combination of all_urls access, cookies permission, and tabs permission creates a perfect storm for data harvesting. A legitimate password manager typically wouldn't need such extensive access to all websites and browser tabs. The content scripts running on all HTTP/HTTPS sites could intercept sensitive information beyond just password fields. The storage permission, while expected for a password manager, becomes problematic when combined with the other excessive permissions.

Recommendations:

Do not install this extension. The risk profile is too high for the limited trust indicators. If you need a password manager, choose established options like Bitwarden, 1Password, or Dashlane that have proven track records and transparent security practices. If you've already installed this extension, remove it immediately and scan for any suspicious activity. Consider running a security audit of your stored passwords and change any that may have been compromised.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: <all_urls>

This extension has the <all_urls> permission. Can access all websites and their content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

storage
tabs
activeTab
cookies
<all_urls>

Host Permissions:

<all_urls>

Embedded URLs (31 total):

https://fonts.googleapis.com	https://fonts.googleapis.com/css2?family=Poppins:ital
https://fonts.gstatic.com	https://fonts.googleapis.com/css2?family=Inter:ital
https://fonts.googleapis.com/css2?family=Inter:wght@400	https://fonts.googleapis.com/css2?family=Poppins:wght@400
https://fonts.googleapis.com/css2?family=Lato:wght@400	https://devapi.key-guard.io/plugin
https://prodapi.key-guard.io/plugin	https://devapi.key-guard.io
https://chrome.google.com/webstore/detail/stashword/hepabllhdpoohoeobgeelgkkonlpcdgj	https://github.com/mozilla/webextension-polyfill/issues/130
https://api.mixpanel.com	https://api.bigdatacloud.net/data/reverse-geocode-client?latitude=
http://www.w3.org/2000/svg	https://keyguard-media.s3.amazonaws.com/chevron.svg
https://keyguard-media.s3.amazonaws.com/lock.svg	https://clients2.google.com/service/update2/crx
https://reactjs.org/docs/error-decoder.html?invariant=	http://www.w3.org/1999/xlink
http://www.w3.org/XML/1998/namespace	http://www.w3.org/1998/Math/MathML
http://www.w3.org/1999/xhtml	https://github.com/pmndrs/zustand/discussions/1937
https://mui.com/production-error/?code=	https://app.key-guard.io/faq/
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd	https://app.key-guard.io/
https://api-js.mixpanel.com	https://mixpanel.com
https://cdn.mxpnl.com

Raw Manifest

{
  "name": "KeyGuard - Password Manager",
  "icons": {
    "16": "icons/icon16.png",
    "32": "icons/icon32.png",
    "48": "icons/icon48.png",
    "128": "icons/icon128.png"
  },
  "action": {
    "default_icon": {
      "16": "icons/icon16.png",
      "32": "icons/icon32.png",
      "48": "icons/icon48.png",
      "128": "icons/icon128.png"
    },
    "default_popup": "index.html",
    "default_title": "KeyGuard"
  },
  "author": "FireArc",
  "version": "3.0.8.1",
  "background": {
    "type": "module",
    "service_worker": "serviceWorker.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Experience seamless password management with KeyGuard – save, autofill, and secure your credentials effortlessly.",
  "permissions": [
    "storage",
    "tabs",
    "activeTab",
    "cookies",
    "<all_urls>"
  ],
  "content_scripts": [
    {
      "js": [
        "contentScr.js"
      ],
      "css": [
        "bundle.css"
      ],
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "all_frames": true
    }
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3,
  "externally_connectable": {
    "matches": [
      "*://*.app.key-guard.io/*",
      "*://localhost:*/*"
    ]
  },
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "index.html",
        "assets/icon.png"
      ]
    }
  ]
}

by ✦ Astarte

KeyGuard - Password Manager

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (31 total):

Raw Manifest

Detections

Manifest Findings