[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Fleeting Notes

Version 0.11.2 View in Chrome Web Store

Last scanned: about 13 hours ago

Extension Details

Developer: fleetingnotes.app

Rating: 4.6 ★ (29 ratings)

Users: 20,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a solid user base of 20,000 users with a strong 4.6-star rating from 29 reviews, indicating positive user experiences. The developer domain "fleetingnotes.app" suggests a legitimate note-taking service, and the extension name aligns with its apparent purpose of quick note capture.

Concerns:

The primary security concern is the combination of broad content script injection across all URLs with tabs permission, creating significant privacy and security exposure. For a note-taking extension, the tabs permission appears excessive - legitimate note-taking typically doesn't require access to browser tab information or tab manipulation capabilities. The content script injection on all websites means the extension can read and modify any webpage content, including sensitive information like passwords, personal data, or financial details. While activeTab and contextMenus permissions are reasonable for note-taking functionality, the broad scope of access raises questions about data collection practices.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to non-sensitive browsing activities. Avoid using it while accessing banking, email, or other sensitive websites. Review the extension's privacy policy to understand what data is collected and how it's used. Monitor for any unusual behavior or unexpected network requests. If the note-taking functionality works adequately without these broad permissions, consider seeking alternative extensions with more limited scope.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

Security Analysis Details

Required Permissions:

activeTab
tabs
contextMenus
sidePanel

Content Security Policy:

extension_pages: script-src 'self' ; object-src 'self'

Embedded URLs (74 total):

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/base	http://www.apache.org/licenses/
http://www.apache.org/licenses/LICENSE-2.0	https://www.apache.org/licenses/
https://www.apache.org/licenses/LICENSE-2.0	http://opensource.org/licenses/BSD-3-Clause
http://www.openssl.org/	http://www.OpenSSL.org/
https://www.openssl.org/source/license.html	https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS
https://www.w3.org/Style/CSS/Test/Fonts/Ahem/COPYING	http://labs.creativecommons.org/licenses/zero-waive/1.0/us/legalcode
https://www.freetype.org	https://www.khronos.org/registry/
https://www.unicode.org/Public/	https://www.unicode.org/reports/
https://www.unicode.org/ivd/data/	https://www.unicode.org/Public/PROGRAMS/
https://www.unicode.org/Public/cldr/	http://site.icu-project.org/download/
https://www.unicode.org/copyright.html	https://www.unicode.org/copyright.html.
http://opensource.org/licenses/bsd-license.php	https://sourceforge.net/project/?group_id=1519
http://chasen.aist-nara.ac.jp/chasen/distribution.html	http://casper.beckman.uiuc.edu/~c-tsai4
http://www.unicode.org/copyright.html	https://github.com/rober42539/lao-dictionary
https://github.com/rober42539/lao-dictionary/laodict.txt	https://github.com/rober42539/lao-dictionary/LICENSE.txt
http://www.cs.berkeley.edu/~amc/idn/	http://www.nicemice.net/amc/
http://nlohmann.me	http://llvm.org
http://www.ijg.org/files/Wallace.JPEG.pdf.	http://www.ecma-international.org/publications/techreports/E-TR-098.htm.
http://www.ijg.org/files/jfif.ps.gz.	http://www.ijg.org/files/jfif.txt.gz
ftp://ftp.sgi.com/graphics/tiff/TIFF6.ps.gz.	http://www.ijg.org/files/.
http://www.faqs.org/faqs/jpeg-faq/	ftp://rtfm.mit.edu/pub/usenet/news.answers/jpeg-faq/.
http://oss.sgi.com/projects/FreeB/	https://www.bouncycastle.org
https://fsf.org/	https://www.gnu.org/licenses/
https://www.gnu.org/licenses/why-not-lgpl.html	http://mozilla.org/MPL/2.0/.
https://dart.googlesource.com/root_certificates/+/692f6d6488af68e0121317a9c2c9eb393eb0ee50	https://github.com/dart-lang/csslib
https://github.com/dart-lang/html	https://www.opensource.org/licenses/bsd-license.php
http://www.opensource.org/licenses/bsd-license.php	https://stackoverflow.com/a/67039463/6509751.
https://developers.google.com/web/fundamentals/primers/service-workers	http://www.w3.org/2000/svg
https://yixcweyqwkqyvebpmdvr.supabase.co	https://docs.flutter.dev/development/platform-integration/web/initialization
https://www.github.com/incrediblezayed/file_saver/issues	https://www.fleetingnotes.app/posts/sync-fleeting-notes-with-obsidian
https://www.fleetingnotes.app/posts/how-to-setup-local-file-sync	https://fleetingnotes.app/privacy-policy
https://fleetingnotes.app/terms-and-conditions	https://my.fleetingnotes.app/
https://fleetingnotes.app/posts/sync-fleeting-notes-with-obsidian/	https://fleetingnotes.app/faq/
https://us-central1-fleetingnotes-22f77.cloudfunctions.net/rank_sentence_similarity	https://api.flutter.dev/flutter/material/Scaffold/of.html
https://fleetingnotes.app/pricing?ref=app	https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
https://github.com/flutter/engine/blob/main/lib/web_ui/lib/src/engine/js_interop/js_loader.dart#L42	https://stackoverflow.com/questions/3452546/how-do-i-get-the-youtube-video-id-from-a-url
https://www.youtube.com/watch?v=	https://clients2.google.com/service/update2/crx

Raw Manifest

{
  "name": "Fleeting Notes",
  "icons": {
    "16": "/icons/16.png",
    "48": "/icons/48.png",
    "128": "/icons/128.png"
  },
  "action": {
    "default_icon": "/icons/196.png",
    "default_title": "Fleeting Notes Extension"
  },
  "version": "0.11.2",
  "commands": {
    "_execute_action": {
      "suggested_key": {
        "mac": "Command+Shift+E",
        "default": "Ctrl+Shift+E"
      }
    },
    "create-new-note": {
      "global": true,
      "description": "Create new note",
      "suggested_key": {
        "mac": "Command+Shift+Y",
        "default": "Ctrl+Shift+Y"
      }
    },
    "open-persistent-window": {
      "global": true,
      "description": "Open persistent window",
      "suggested_key": {
        "mac": "Command+Shift+Y",
        "default": "Ctrl+Shift+Y"
      }
    }
  },
  "background": {
    "service_worker": "extension/background3.js"
  },
  "side_panel": {
    "default_path": "web-ext.html"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Quick notes from the browser to Obsidian",
  "permissions": [
    "activeTab",
    "tabs",
    "contextMenus",
    "sidePanel"
  ],
  "content_scripts": [
    {
      "js": [
        "extension/content.js"
      ],
      "matches": [
        "<all_urls>"
      ]
    }
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "script-src 'self' ; object-src 'self'"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "web-ext.html",
        "popup.html"
      ]
    }
  ]
}

by ✦ Astarte

Fleeting Notes

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Content Security Policy:

Embedded URLs (74 total):

Raw Manifest

Detections

Manifest Findings