[ new scan ] [ statistics ] [ github ] [ twitter ]

Starting analysis...

Sender Wallet

Version 2.2.9 View in Chrome Web Store

Last scanned: about 1 month ago | force re-scan

Extension Details

Developer: sender.org

Rating: 4.7 ★ (1.4K ratings)

Size: 4.01MiB

Last Updated: January 23, 2025

Users: 200,000

Context-Aware Verdict

MEDIUM

Risk Level

Trust Factors:

- The extension has a relatively high number of users (200,000) and a good rating (4.7/5), which suggests it is a popular and well-received extension.

- The developer (sender.org) appears to be a legitimate organization focused on cryptocurrency wallets and related services.

Concerns:

- The extension requests broad host permissions, allowing it to access many websites. This could potentially be used for tracking browsing activity or stealing sensitive data.

- It has access to several sensitive domains related to cryptocurrency and finance, which could pose a risk if the extension is compromised.

- The extension has the unlimitedStorage permission, allowing it to store an unlimited amount of data locally, which could be a privacy concern.

Recommendations:

- If you need to use this extension, consider running it in a separate browser profile or a dedicated browser instance to isolate it from your main browsing activity.

- Regularly check for updates and reviews of the extension to ensure it remains trustworthy and secure.

- Be cautious about entering sensitive information or accessing financial accounts while the extension is running.

- Consider using additional security measures, such as a reputable antivirus software or a dedicated cryptocurrency hardware wallet, to mitigate potential risks.

Security Analysis

MEDIUM

Overall Risk

Based on 4 total findings, ranked without considering overall context, including 1 high-risk and 3 medium-risk findings.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM

Access to Sensitive Domains

This extension requests access to sensitive domains: https://indexer.ref-finance.net/*, https://testnet-api.kitwallet.app/*, https://api.kitwallet.app/*, https://fonts.googleapis.com/*, https://api.senderwallet.io/*, https://api-testnet.senderwallet.io. Ensure you trust this extension with access to these sites.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

Security Analysis Details

Required Permissions:

storage
alarms
unlimitedStorage

Host Permissions:

https://helper.mainnet.near.org/*
https://rpc.mainnet.near.org/
https://helper.testnet.near.org/*
https://rpc.testnet.near.org/*
https://helper.sender.org/*
https://indexer.ref-finance.net/*
https://testnet-api.kitwallet.app/*
https://api.kitwallet.app/*
http://34.201.128.53:8000/*
https://api.sender.org/*
https://api-core.sender.org/*
https://fonts.googleapis.com/*
https://fonts.gstatic.com/*
https://app.calimero.network/*
https://api.calimero.network/*
https://near-testnet.api.pagoda.co/*
https://near-mainnet.api.pagoda.co/*
https://api.fastnear.com/*
https://api.senderwallet.io/*
https://tonapi.io/*
https://api.nearblocks.io/*
https://api3-testnet.nearblocks.io/*
https://api-testnet.senderwallet.io
https://lookup-api.scamsniffer.io

Embedded URLs (248 total):

https://lodash.com/	https://openjsf.org/
https://lodash.com/license	http://underscorejs.org/LICENSE
https://npms.io/search?q=ponyfill.	https://github.com/facebook/regenerator/blob/main/LICENSE
https://fonts.googleapis.com	https://fonts.gstatic.com
https://fonts.googleapis.com/css2?family=Inter:wght@400	https://reactjs.org/docs/error-decoder.html?invariant=
http://www.w3.org/1999/xlink	http://www.w3.org/XML/1998/namespace
http://www.w3.org/1999/xhtml	http://www.w3.org/1998/Math/MathML
http://www.w3.org/2000/svg	https://api.mixpanel.com/import?strict=1&project_id=2767127
http://feross.org	https://feross.org
https://github.com/crypto-browserify/crypto-browserify	https://feross.org/opensource
https://github.com/emn178/js-sha256	https://github.com/emn178/js-sha3
http://github.com/janl/mustache.js	https://helper.testnet.near.org
http://fb.me/use-check-prop-types	https://reactjs.org/link/react-polyfills
https://tonapi.io	https://toncenter.com/api/v2/jsonRPC
https://mths.be/punycode	https://github.com/uuidjs/uuid#getrandomvalues-not-supported
https://a.com	https://links.ethers.org/v5-errors-
https://www.ethercluster.com/mordor	https://www.ethercluster.com/etc
https://www.ethercluster.com/kotti	https://gateway.ipfs.io/ipfs/
https://nd-510-448-339.p2pify.com/fa1d0cd30c1f06d400a3582b1068ee89	https://nd-695-270-709.p2pify.com/eb80252059775b944c9a6680eeb24f6c
https://bsc-dataseed.binance.org	https://data-seed-prebsc-1-s3.binance.org:8545
https://polygon-mainnet.infura.io/v3/e1a274162bbe47cf80989a6e7113c2d4	https://polygon-mumbai.infura.io/v3/e1a274162bbe47cf80989a6e7113c2d4
https://nd-135-705-023.p2pify.com/60d0cb2a76bf303f1908b87f37812823/ext/bc/C/rpc	https://avalanche-fuji.infura.io/v3/e1a274162bbe47cf80989a6e7113c2d4
https://aurora-mainnet.core.chainstack.com/ffcfc2b2170b5f628c45bad767cf3321	https://aurora-testnet.infura.io/v3/e1a274162bbe47cf80989a6e7113c2d4
https://nd-767-465-302.p2pify.com/da875da76a89d2cf4ff4cc5f546542b5	https://arbitrum-goerli.infura.io/v3/e1a274162bbe47cf80989a6e7113c2d4
https://optimism-mainnet.infura.io/v3/e1a274162bbe47cf80989a6e7113c2d4	https://nd-139-342-713.p2pify.com/33fe26db49ed26055522d33364fedf0c
https://scroll-alphanet.blastapi.io/8fb062ec-e9e7-4389-99d9-7259802993eb	https://testnet.era.zksync.dev
https://mainnet.era.zksync.io	https://base-rpc.publicnode.com
https://rpc.mainnet.near.org	https://wallet.mainnet.near.org
https://api.fastnear.com	https://nearblocks.io
https://api.kitwallet.app	https://rpc.testnet.near.org
https://wallet.testnet.near.org	https://testnet-api.kitwallet.app
https://testnet.nearblocks.io	https://api.senderwallet.io
https://api-testnet.senderwallet.io	https://tonscan.org
https://testnet.toncenter.com/api/v2/jsonRPC	https://testnet.tonscan.org
https://testnet.tonapi.io	https://tonapi.io/v2
https://tonapi.io/v2/accounts/	https://tonapi.io/v2/blockchain/accounts/
https://github.com/MikeMcl/decimal.js	https://www.xarg.org/2014/03/rational-numbers-in-javascript/
https://wallet.near.org	https://indexer.ref.finance
https://testnet-indexer.ref-finance.com	https://dev-indexer.ref-finance.com
https://api.nearblocks.io/v1/account/	https://api3-testnet.nearblocks.io/v1/account/

Page 1 of 4

Raw Manifest

{
  "name": "Sender Wallet",
  "icons": {
    "128": "icon-128.png"
  },
  "action": {
    "default_icon": "icon-38.png"
  },
  "version": "2.2.9",
  "background": {
    "service_worker": "background.bundle.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Sender is a browser extension crypto wallet.",
  "permissions": [
    "storage",
    "alarms",
    "unlimitedStorage"
  ],
  "content_scripts": [
    {
      "js": [
        "contentScript.bundle.js",
        "script.bundle.js"
      ],
      "css": [
        "content.styles.css"
      ],
      "run_at": "document_start",
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "all_frames": true
    }
  ],
  "host_permissions": [
    "https://helper.mainnet.near.org/*",
    "https://rpc.mainnet.near.org/",
    "https://helper.testnet.near.org/*",
    "https://rpc.testnet.near.org/*",
    "https://helper.sender.org/*",
    "https://indexer.ref-finance.net/*",
    "https://testnet-api.kitwallet.app/*",
    "https://api.kitwallet.app/*",
    "http://34.201.128.53:8000/*",
    "https://api.sender.org/*",
    "https://api-core.sender.org/*",
    "https://fonts.googleapis.com/*",
    "https://fonts.gstatic.com/*",
    "https://app.calimero.network/*",
    "https://api.calimero.network/*",
    "https://near-testnet.api.pagoda.co/*",
    "https://near-mainnet.api.pagoda.co/*",
    "https://api.fastnear.com/*",
    "https://api.senderwallet.io/*",
    "https://tonapi.io/*",
    "https://api.nearblocks.io/*",
    "https://api3-testnet.nearblocks.io/*",
    "https://api-testnet.senderwallet.io",
    "https://lookup-api.scamsniffer.io"
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "http://*/*",
        "https://*/*",
        "<all_urls>"
      ],
      "resources": [
        "content.styles.css",
        "icon-128.png",
        "icon-38.png",
        "script.bundle.js"
      ]
    }
  ]
}

Sender Wallet

Extension Details

Context-Aware Verdict

Security Analysis

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (248 total):

Raw Manifest

Secure Annex (beta)