InboxXray — Scam and Phishing Email Checker
Version 1.3.0 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has extremely limited adoption with only 2 users despite claiming to provide email security services. While it has a perfect 5.0 rating, this is meaningless with such a tiny user base. The developer domain (inboxxray.app) appears to be purpose-built for this extension, providing no established reputation or track record. The lack of transparency around company information and the recent nature of the extension raises significant trust concerns.
The identity permission is particularly concerning for an email checker, as it grants access to your Google/Microsoft account identity information beyond what's necessary for scanning emails. The broad host permissions spanning multiple major email providers (Gmail, Outlook variants) combined with access to Microsoft Graph API and authentication endpoints creates an extensive attack surface. The extension can inject content scripts into your email interfaces and communicate with external APIs, potentially exposing sensitive email content and authentication tokens. The storage permission allows persistent data collection on your device.
Given the high risk profile and minimal user adoption, avoid installing this extension entirely. If email security scanning is needed, choose established alternatives with proven track records and larger user bases. The combination of identity access, broad email provider permissions, and unknown developer reputation makes this extension unsuitable for handling sensitive email communications. Consider using built-in email security features or well-established security solutions instead.
Findings
Security Analysis Details
Required Permissions:
- storage
- identity
Host Permissions:
- https://mail.google.com/*
- https://outlook.office.com/*
- https://outlook.live.com/*
- https://outlook.office365.com/*
- https://graph.microsoft.com/*
- https://login.microsoftonline.com/*
- https://inboxxray.app/*
- https://api.stack-auth.com/*
Content Security Policy:
- extension_pages: script-src 'self'; object-src 'none'
Embedded URLs (28 total):
| https://inboxxray.app | https://graph.microsoft.com/v1.0/me? | |
| https://api.stack-auth.com/api/v1/auth/password/sign-in | https://accounts.google.com/o/oauth2/v2/auth? | |
| https://mail.google.com | https://mail.google.com/mail/u/ | |
| https://outlook.office.com | https://outlook.live.com | |
| https://outlook.office365.com | https://inboxxray.app/analyze | |
| https://inboxxray.app/#pricing | https://inboxxray.app/support?from=extension&issue=error | |
| https://inboxxray.app/support?from=extension&issue=session | https://clients2.google.com/service/update2/crx | |
| https://mail.google.com/ | https://outlook.office.com/ | |
| https://outlook.live.com/ | https://outlook.office365.com/ | |
| https://graph.microsoft.com/ | https://login.microsoftonline.com/ | |
| https://inboxxray.app/ | https://api.stack-auth.com/ | |
| https://inboxxray.app/privacy | https://inboxxray.app/terms | |
| http://www.w3.org/2000/svg | https://login.microsoftonline.com/common/oauth2/v2.0 | |
| https://graph.microsoft.com/v1.0 | https://graph.microsoft.com/Mail.Read |
Raw Manifest
{ "name": "InboxXray — Scam and Phishing Email Checker", "icons": { "16": "icons/icon16.png", "48": "icons/icon48.png", "128": "icons/icon128.png" }, "action": { "default_icon": { "16": "icons/icon16.png", "24": "icons/icon48.png", "32": "icons/icon128.png", "48": "icons/icon48.png" }, "default_popup": "popup/dashboard.html", "default_title": "InboxXray" }, "version": "1.3.0", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Detect phishing, spoofing, and email threats. Scans links via Google Web Risk and urlscan.io. Optional AI analysis.", "permissions": [ "storage", "identity" ], "content_scripts": [ { "js": [ "utils/compat.js", "utils/sanitizer.js", "utils/validator.js", "utils/header_parser.js", "utils/error_tracker.js", "utils/selector_monitor.js", "content_scripts/ui_injector.js", "content_scripts/observer.js", "content_scripts/gmail.js" ], "css": [ "styles/widget.css" ], "run_at": "document_idle", "matches": [ "https://mail.google.com/*" ] }, { "js": [ "utils/compat.js", "utils/sanitizer.js", "utils/validator.js", "utils/header_parser.js", "utils/error_tracker.js", "utils/selector_monitor.js", "content_scripts/ui_injector.js", "content_scripts/observer.js", "content_scripts/outlook.js" ], "css": [ "styles/widget.css" ], "run_at": "document_idle", "matches": [ "https://outlook.office.com/*", "https://outlook.live.com/*", "https://outlook.office365.com/*" ] } ], "host_permissions": [ "https://mail.google.com/*", "https://outlook.office.com/*", "https://outlook.live.com/*", "https://outlook.office365.com/*", "https://graph.microsoft.com/*", "https://login.microsoftonline.com/*", "https://inboxxray.app/*", "https://api.stack-auth.com/*" ], "manifest_version": 3, "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'none'" } }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.