CFCA CryptoKit.YZZG Extension
Version 3.4.0.1 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension lacks critical transparency indicators - no visible download count, user ratings, or developer information. The cryptographic nature suggested by "CryptoKit" combined with minimal public information raises significant trust concerns. The 0.0 rating with no reviews indicates either a very new extension or one with limited adoption, making it difficult to assess real-world safety.
The combination of nativeMessaging permission with host permissions to yzzg.tech domains creates a concerning attack vector. Native messaging allows direct communication with local applications, which could potentially be exploited for system-level access. The broad host permissions, while limited to specific domains, still grant extensive access to all content on those sites. The cryptographic focus combined with these powerful permissions could enable sophisticated data interception or manipulation attacks.
Given the high-risk profile, install this extension only in a separate Chrome profile isolated from your primary browsing activities. Verify the legitimacy of the yzzg.tech domain and ensure you trust the organization behind it before installation. Monitor system activity after installation for any unexpected native application communications. Consider whether the cryptographic functionality is essential enough to justify the security risks, and explore alternative solutions with better transparency and user feedback.
Findings
Security Analysis Details
Required Permissions:
- nativeMessaging
Host Permissions:
- http://*.yzzg.tech/*
- https://*.yzzg.tech/*
Embedded URLs (1 total):
| https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "name": "CFCA CryptoKit.YZZG Extension", "icons": { "16": "icon-16.png", "48": "icon-48.png", "128": "icon-128.png" }, "action": { "default_icon": { "16": "icon-16.png", "48": "icon-48.png", "128": "icon-128.png" } }, "author": "CFCA", "version": "3.4.0.1", "background": { "service_worker": "eventPage.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Sign transaction data with a smart card", "permissions": [ "nativeMessaging" ], "host_permissions": [ "http://*.yzzg.tech/*", "https://*.yzzg.tech/*" ], "manifest_version": 3, "externally_connectable": { "matches": [ "http://*.yzzg.tech/*", "https://*.yzzg.tech/*" ] }, "minimum_chrome_version": "88" }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.