AdGuard VPN: free & secure proxy
Version 2.9.8 View in Chrome Web Store
Extension Details
Context-Aware Verdict
AdGuard is a well-established cybersecurity company with a solid reputation in the ad-blocking and privacy space. The extension has 500,000 users and a decent 4.1-star rating from 3,400+ reviews, indicating reasonable user satisfaction. The company has been operating for years and is known for legitimate privacy tools.
The extension's permission set is extremely broad and powerful, even for a VPN service. The management permission allowing control over other extensions is particularly concerning and unnecessary for VPN functionality. The combination of proxy control, web request interception, privacy settings modification, and unlimited data storage creates a perfect storm for potential abuse. The all_urls host permissions and content script injection capabilities mean this extension has complete access to every website you visit and can modify any web content.
While these permissions may be technically necessary for VPN functionality, they create significant attack surface if the extension were compromised or if the company's practices changed. The ability to intercept all web traffic, modify privacy settings, and manage other extensions goes beyond typical VPN requirements.
Given the critical risk level, run this extension in a completely separate Chrome profile dedicated only to VPN usage. Never use this profile for sensitive activities like banking or work. Consider using a standalone VPN application instead of a browser extension for better security isolation. Regularly review the extension's behavior and immediately remove it if you notice any suspicious activity.
Findings
Security Analysis Details
Required Permissions:
- browsingData
- contextMenus
- management
- notifications
- offscreen
- privacy
- proxy
- storage
- unlimitedStorage
- webRequest
- webRequestAuthProvider
Host Permissions:
- <all_urls>
Content Security Policy:
- extension_pages: script-src 'self'; object-src 'self'
Embedded URLs (292 total):
| http://www.w3.org/2000/svg | http://www.w3.org/1999/xlink | |
| https://clients2.google.com/service/update2/crx | http://www.google.com | |
| http://url.spec.whatwg.org/#urlutils | https://nodejs.org/api/http.html#http_message_headers | |
| https://en.wikipedia.org/wiki/Base64#URL_applications | https://github.com/beatgammit/base64-js/issues/42 | |
| https://feross.org | https://bugzilla.mozilla.org/show_bug.cgi?id=695438 | |
| https://github.com/feross/buffer/pull/148 | https://github.com/feross/buffer/issues/154 | |
| http://stackoverflow.com/a/22747272/680742 | https://github.com/feross/buffer/issues/166 | |
| https://github.com/feross/buffer/issues/219 | http://stackoverflow.com/a/16459606/376773 | |
| https://github.com/facebook/react-native/pull/1632 | http://stackoverflow.com/a/398120/376773 | |
| https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Styling_messages | https://github.com/tc39/proposal-shadowrealm/pull/384#issuecomment-1364264229 | |
| https://github.com/lodash/lodash/blob/4.17.15/dist/lodash.js#L6735-L6744 | https://github.com/ljharb/object.assign/issues/17 | |
| https://github.com/WebReflection/get-own-property-symbols/issues/4 | https://feross.org/opensource | |
| http://stuartk.com/jszip | https://raw.github.com/Stuk/jszip/main/LICENSE.markdown. | |
| https://github.com/nodeca/pako/blob/main/LICENSE | https://stuk.github.io/jszip/documentation/howto/read_zip.html | |
| http://ecma-international.org/ecma-262/7.0/#sec-patterns | https://bugs.webkit.org/show_bug.cgi?id=156034 | |
| https://github.com/jashkenas/underscore/pull/1247 | https://bugs.chromium.org/p/v8/issues/detail?id=90 | |
| http://www.ecma-international.org/ecma-262/7.0/#sec-regexp.prototype.tostring | http://ecma-international.org/ecma-262/7.0/#sec-object.prototype.tostring | |
| https://css-tricks.com/debouncing-throttling-explained-examples/ | http://ecma-international.org/ecma-262/7.0/#sec-samevaluezero | |
| http://ecma-international.org/ecma-262/7.0/#sec-tolength | http://www.ecma-international.org/ecma-262/7.0/#sec-ecmascript-language-types | |
| http://ecma-international.org/ecma-262/7.0/#sec-object.keys | https://lodash.com/ | |
| https://openjsf.org/ | https://lodash.com/license | |
| http://underscorejs.org/LICENSE | https://npms.io/search?q=ponyfill. | |
| http://ecma-international.org/ecma-262/7.0/#sec-template-literal-lexical-components | https://en.wikipedia.org/wiki/Combining_Diacritical_Marks | |
| https://en.wikipedia.org/wiki/Combining_Diacritical_Marks_for_Symbols | https://mathiasbynens.be/notes/javascript-unicode | |
| http://eev.ee/blog/2015/09/12/dark-corners-of-unicode/ | https://en.wikipedia.org/wiki/Exponentiation_by_squaring | |
| https://mdn.io/clearTimeout | http://ecma-international.org/ecma-262/7.0/#sec-ecmascript-function-objects-call-thisargument-argumentslist | |
| https://es5.github.io/#x13.2.2 | https://mdn.io/round#Examples | |
| https://bugs.chromium.org/p/v8/issues/detail?id=2070 | https://mdn.io/setTimeout | |
| https://mdn.io/Array/reverse | https://mdn.io/Array/slice | |
| https://en.wikipedia.org/wiki/Symmetric_difference | https://mdn.io/iteration_protocols#iterator | |
| https://en.wikipedia.org/wiki/Empty_set | https://en.wikipedia.org/wiki/Vacuous_truth | |
| https://en.wikipedia.org/wiki/Fisher-Yates_shuffle | http://peter.michaux.ca/articles/lazy-function-definition-pattern | |
| http://ecma-international.org/ecma-262/7.0/#sec-properties-of-the-map-prototype-object | https://mdn.io/rest_parameters | |
| http://www.ecma-international.org/ecma-262/7.0/#sec-function.prototype.apply | https://mdn.io/spread_operator | |
| https://mdn.io/Structured_clone_algorithm | https://mdn.io/Number/isFinite | |
| https://mdn.io/Number/isInteger | https://mdn.io/Number/isNaN | |
| https://mdn.io/isNaN | https://www.npmjs.com/package/babel-polyfill | |
| https://mdn.io/Number/isSafeInteger | http://www.ecma-international.org/ecma-262/7.0/#sec-tointeger | |
| https://mdn.io/Object/assign | https://en.wikipedia.org/wiki/CamelCase | |
| https://en.wikipedia.org/wiki/Latin-1_Supplement_ | https://en.wikipedia.org/wiki/Latin_Extended-A |
Raw Manifest
{ "name": "__MSG_name__", "icons": { "16": "assets/images/icons/enabled-16.png", "128": "assets/images/icons/enabled-128.png" }, "action": { "default_icon": { "19": "assets/images/icons/disabled-19.png", "38": "assets/images/icons/disabled-38.png" }, "default_popup": "popup.html", "default_title": "__MSG_name__" }, "author": "Adguard Software Ltd", "version": "2.9.8", "background": { "service_worker": "background.js" }, "short_name": "__MSG_short_name__", "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_description__", "permissions": [ "browsingData", "contextMenus", "management", "notifications", "offscreen", "privacy", "proxy", "storage", "unlimitedStorage", "webRequest", "webRequestAuthProvider" ], "options_page": "options.html", "default_locale": "en", "content_scripts": [ { "js": [ "custom-dns-links.js" ], "run_at": "document_start", "matches": [ "<all_urls>" ] } ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "minimum_chrome_version": "109.0", "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self'" } }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.