[ new scan ] [ statistics ] [ github ] [ twitter ]

AppSheet Toolbox

Version 4.0090 View in Chrome Web Store

Last scanned: 13 days ago | force re-scan

Extension Details

Developer: appsheettraining.com

Rating: 4.0 ★ (52 ratings)

Size: 722KiB

Last Updated: December 14, 2023

Users: 20,000

Developer Info: Qrew LLC1701 Southwest Parkway 108 College Station, TX 77840 US

Context-Aware Verdict

MEDIUM

Risk Level

Trust Factors:

- The extension is developed by a legitimate company, Qrew LLC, which provides AppSheet services.

- It has a decent number of users (20,000) and a relatively good rating (4.0/5.0 from 52 reviews), indicating some level of trust from the user community.

- The description suggests it is a toolbox extension for AppSheet, which aligns with the permissions and host access requested.

Concerns:

- The "tabs" permission allows the extension to access and manipulate browser tabs, which could potentially be misused for privacy violations or security compromises.

- The broad host permissions allow the extension to access many websites, raising concerns about potential data theft or tracking of browsing activity.

- The extension requests access to sensitive domains, which could be a privacy risk if the extension is not trustworthy.

Recommendations:

- Review the extension's privacy policy and terms of service to understand how user data is handled and what the extension does with the requested permissions.

- Consider running the extension in a separate browser profile or a sandboxed environment to isolate it from your main browsing activity.

- Monitor the extension's behavior and uninstall it if you notice any suspicious activity or privacy violations.

- Keep the extension updated to the latest version to ensure any security vulnerabilities are patched.

- If you have concerns about the extension's legitimacy or behavior, consider contacting the developer or reporting the extension to the Chrome Web Store.

Security Analysis

HIGH

Overall Risk

Based on 4 total findings, ranked without considering overall context, including 2 high-risk and 2 medium-risk findings.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Access to Sensitive Domains

This extension requests access to sensitive domains: https://support.google.com/appsheet/*. Ensure you trust this extension with access to these sites.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

storage
scripting
declarativeNetRequest
declarativeNetRequestWithHostAccess
tabs

Host Permissions:

https://www.appsheet.com/*
https://support.google.com/appsheet/*
https://appsheettraining.com/*

Embedded URLs (146 total):

https://www.appsheet.com/template/Apps	https://appsheettraining.com/
https://acp-api.bubbleapps.io/version-test/	https://appsheettraining.com/version-test/
https://help.appsheet.com/	https://www.appsheet.com/
https://appsheettraining.com/profile	https://www.appsheet.com/api/loadApp/
https://appsheettraining.com/version-test/api/1.1/wf/ResetPasword	https://jquery.com/
https://sizzlejs.com/	https://jquery.org/license
https://github.com/whatwg/html/issues/2369	https://html.spec.whatwg.org/#nonce-attributes
https://js.foundation/	https://jsperf.com/thor-indexof-vs-for/5
http://www.w3.org/TR/css3-selectors/#whitespace	http://www.w3.org/TR/CSS21/syndata.html#value-def-identifier
http://www.w3.org/TR/selectors/#attribute-selectors	http://www.w3.org/TR/CSS21/syndata.html#escaped-characters
https://drafts.csswg.org/cssom/#common-serializing-idioms	https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled
https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled	https://html.spec.whatwg.org/multipage/forms.html#category-listed
https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled	https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled
https://bugs.jquery.com/ticket/4833	https://bugs.jquery.com/ticket/13378
https://bugs.jquery.com/ticket/12359	https://msdn.microsoft.com/en-us/library/ie/hh465388.aspx#attribute_section
http://www.w3.org/TR/2011/REC-css3-selectors-20110929/#checked	https://bugs.webkit.org/show_bug.cgi?id=136851
https://github.com/jquery/sizzle/pull/225	http://www.w3.org/TR/selectors/#pseudo-classes
http://www.w3.org/TR/selectors/#lang-pseudo	http://www.w3.org/TR/selectors/#empty-pseudo
https://msdn.microsoft.com/en-us/library/ms536429%28VS.85%29.aspx	https://promisesaplus.com/#point-59
https://promisesaplus.com/#point-48	https://promisesaplus.com/#point-54
https://promisesaplus.com/#point-75	https://promisesaplus.com/#point-64
https://promisesaplus.com/#point-61	https://promisesaplus.com/#point-57
https://bugs.chromium.org/p/chromium/issues/detail?id=378607	https://bugs.jquery.com/ticket/13393
https://www.w3.org/TR/DOM-Level-3-Events/#event-type-click	https://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html
https://bugs.chromium.org/p/chromium/issues/detail?id=470258	https://github.com/eslint/eslint/issues/3229
https://connect.microsoft.com/IE/feedback/details/1736512/	https://jsperf.com/getall-vs-sizzle/2
https://drafts.csswg.org/cssom/#resolved-values	https://developer.mozilla.org/en-US/docs/CSS/display
https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/	https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/	https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
https://html.spec.whatwg.org/#strip-and-collapse-whitespace	https://bugzilla.mozilla.org/show_bug.cgi?id=687787
http://www.w3.org/TR/DOM-Level-3-Events/#events-focusevent-event-order	https://bugs.chromium.org/p/chromium/issues/detail?id=449857
http://example.com:80x/	https://bugs.webkit.org/show_bug.cgi?id=137337
https://bugs.webkit.org/show_bug.cgi?id=29084	https://bugs.chromium.org/p/chromium/issues/detail?id=589347
https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon	https://github.com/jquery/jquery/pull/557
https://clients2.google.com/service/update2/crx	https://support.google.com/appsheet/
https://www.appsheet.com/template/	http://fontawesome.io
http://fontawesome.io/license	https://storage.googleapis.com/qrew_public_1/QREW_resources/AST-IconPBShaded.png
https://appsheettraining.com/?src=qrewtools	https://appsheettraining.com
https://appsheettraining.com/terms_of_service	https://appsheettraining.com/privacy_policy
https://help.appsheet.com/en/	https://appsheettraining.com/article/1601387195966x852177671984775200?src=qrew_tools

Page 1 of 2

Raw Manifest

{
  "name": "AppSheet Toolbox",
  "icons": {
    "16": "AST16.png",
    "48": "AST48.png",
    "128": "AST128.png"
  },
  "action": {
    "default_icon": {
      "16": "AST16.png",
      "48": "AST48.png",
      "128": "AST128.png"
    },
    "default_popup": "popup.html"
  },
  "version": "4.0090",
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Build Better AppSheet Apps",
  "permissions": [
    "storage",
    "scripting",
    "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
    "tabs"
  ],
  "content_scripts": [
    {
      "js": [
        "jquery-3.4.1.js",
        "content.js",
        "codemirror/lib/codemirror.js",
        "codemirror/mode/spreadsheet/spreadsheet.js",
        "codemirror/mode/spreadsheet/spreadsheet.js",
        "codemirror/addon/edit/matchbrackets.js",
        "codemirror/addon/edit/closebrackets.js",
        "codemirror/addon/hint/show-hint.js"
      ],
      "css": [
        "mirrorMain.css",
        "codemirror/lib/codemirror.css",
        "codemirror/addon/hint/show-hint.css",
        "font-awesome.min.css"
      ],
      "matches": [
        "https://www.appsheet.com/template/*"
      ]
    },
    {
      "js": [
        "help-frame.js"
      ],
      "matches": [
        "https://support.google.com/appsheet/*"
      ],
      "all_frames": true
    }
  ],
  "host_permissions": [
    "https://www.appsheet.com/*",
    "https://support.google.com/appsheet/*",
    "https://appsheettraining.com/*"
  ],
  "manifest_version": 3,
  "declarative_net_request": {
    "rule_resources": [
      {
        "id": "ruleset",
        "path": "rules.json",
        "enabled": true
      }
    ]
  },
  "web_accessible_resources": [
    {
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "resources": [
        "qrew-logo-hires.png",
        "codemirror/theme/*"
      ]
    }
  ]
}

AppSheet Toolbox

Extension Details

Context-Aware Verdict

Security Analysis

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (146 total):

Raw Manifest

Secure Annex (beta)