[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

gloCOM Call

Version 8.0.0.0 View in Chrome Web Store

Last scanned: about 2 hours ago

Extension Details

Rating: 4.2 ★ (5 ratings)

Users: 4,000

Context-Aware Verdict

MEDIUM

Overall Risk

Trust Factors:

The extension has a limited user base of 4,000 users with a decent rating of 4.2 stars, though based on only 5 reviews which is insufficient for reliable assessment. The lack of developer information and company details raises transparency concerns. The extension appears to be related to telecommunications or calling functionality based on the name "gloCOM Call."

Concerns:

The primary concern is the broad content script injection capability that allows the extension to run scripts on all websites. This is particularly problematic for a calling application, as it grants unnecessary access to potentially sensitive websites like banking, email, or social media platforms. The combination of universal website access with storage permissions creates potential for data collection across all browsing activities. The contextMenus permission, while less concerning, adds another layer of interaction capability across websites.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to business communications to limit exposure of personal browsing data. Before installation, verify the extension's legitimacy through the developer's official website or contact your IT department if this is a business tool. Monitor the extension's behavior and disable it if you notice unexpected website modifications or performance issues. Given the broad permissions, only install if the calling functionality is essential and cannot be replaced with a more privacy-focused alternative that requests minimal permissions.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "gloCOM Call",
  "icons": {
    "16": "app16.png",
    "32": "app32.png",
    "48": "app48.png",
    "128": "app128.png"
  },
  "author": "Bicom Systems ltd",
  "version": "8.0.0.0",
  "background": {
    "service_worker": "call_action.js"
  },
  "options_ui": {
    "page": "options.html",
    "open_in_tab": false
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Use gloCOM to call numbers in Chrome.",
  "permissions": [
    "contextMenus",
    "storage"
  ],
  "content_scripts": [
    {
      "js": [
        "google_phone_lib.js"
      ],
      "run_at": "document_start",
      "matches": [
        "<all_urls>"
      ],
      "all_frames": true
    },
    {
      "js": [
        "highlight_numbers.js"
      ],
      "run_at": "document_end",
      "matches": [
        "<all_urls>"
      ],
      "all_frames": false
    }
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "glocom_icon.jpg",
        "detectAjax.js"
      ]
    }
  ]
}

by ✦ Astarte

https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.provide.	http://www.ecma-international.org/ecma-262/5.1/#sec-C
http://www.apache.org/licenses/LICENSE-2.0	https://clients2.google.com/service/update2/crx

gloCOM Call

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Embedded URLs (4 total):

Raw Manifest

Detections

Manifest Findings