CRXaminer

TweetsMash

Version 0.6.4.0

Last scanned: about 12 hours ago

Extension Details

Developer: tweetsmash.com
Rating: 5.0 ★ (4 ratings)
Users: 2,000

Context-Aware Verdict

Risk Level: HIGH
Trust Factors:
- The extension has a relatively low number of users (2,000), which could indicate a lack of widespread trust or popularity.
- The developer information is limited, making it difficult to assess their reputation or trustworthiness.
Concerns:
- The extension requests the "webRequest" permission, which allows it to intercept and modify web requests. This is a powerful permission that could potentially be abused for malicious purposes, such as compromising security or privacy.
- The extension has access to sensitive domains like Twitter and the developer's own website. While this may be necessary for the extension's functionality, it also increases the potential risk if the extension is compromised or contains malicious code.
- The Content Security Policy (CSP) allows "wasm-unsafe-eval," which permits potentially dangerous WebAssembly code execution. This could be used to hide malicious code or perform CPU-intensive operations, posing a security risk.
Recommendations:
- Exercise caution when installing this extension, as it has a high overall risk rating and requests powerful permissions.
- Consider running the extension in a separate Chrome profile or a sandboxed environment to isolate it from your main browsing activities and minimize potential risks.
- Monitor the extension's behavior and check for any suspicious activities or performance issues that could indicate malicious behavior.
- Regularly review the extension's permissions and revoke any unnecessary ones to reduce the potential attack surface.
- Keep an eye on updates and reviews from other users, as they may provide insights into any emerging security concerns or issues.

Security Analysis

Overall Risk: HIGH
Based on 4 total findings, ranked without considering overall context, including 2 high-risk and 2 medium-risk findings.
[HIGH] High-Risk Permission: webRequest
This extension has the webRequest permission, which can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

[HIGH] Unsafe WebAssembly Execution
This extension's Content Security Policy allows 'wasm-unsafe-eval', which permits potentially dangerous WebAssembly code execution. This could be used to hide malicious code or perform CPU-intensive operations.

[MEDIUM] Access to Sensitive Domains
This extension requests access to sensitive domains: https://twitter.com/, https://api.twitter.com/. Ensure you trust this extension with access to these sites.

[MEDIUM] Medium-Risk Permission: storage
This extension has the storage permission, which lets it store data locally.