[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

BlockParty

Version 3.3.0 View in Chrome Web Store

Last scanned: about 13 hours ago

Extension Details

Rating: 4.0 ★

Users: 908

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a relatively small user base of 908 users and a decent 4.0 rating, but lacks critical information such as developer details, company information, and last update date. The absence of developer transparency is concerning for an extension with such powerful permissions. The name "BlockParty" suggests content filtering functionality, which could justify some permissions, but the limited user adoption raises questions about its reliability and ongoing maintenance.

Concerns:

The extension requests highly sensitive permissions that create significant security risks. The webRequest permission allows complete interception and modification of web traffic, while the tabs permission enables monitoring and manipulation of all browser tabs. The broad host permissions extending beyond just Twitter/X domains compound these risks. The storage permission, while less critical, adds to the overall attack surface. Most concerning is the combination of these permissions with limited developer transparency and unclear update status.

Recommendations:

Given the high-risk nature, consider running this extension in a separate Chrome profile to isolate potential security impacts. Before installation, verify the extension's legitimacy through official sources and recent user reviews. Monitor your browsing behavior for any unusual activity after installation. Consider alternative content filtering solutions with better developer transparency and larger user bases. If you must use this extension, regularly review its permissions and disable it when not actively needed. The powerful webRequest capabilities make this extension particularly risky for users handling sensitive information.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Access to Sensitive Domains

This extension requests access to sensitive domains: https://twitter.com/*. Ensure you trust this extension with access to these sites.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

storage
tabs
webRequest
sidePanel

Host Permissions:

https://x.com/*
https://twitter.com/*

Content Security Policy:

extension_pages: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';

Embedded URLs (20 total):

https://clients2.google.com/service/update2/crx	https://x.com/
https://twitter.com/	https://x.com/i/api/1.1/mutes/users/create.json
https://x.com/i/api/1.1/mutes/users/destroy.json	https://x.com/i/api/1.1/blocks/create.json
https://x.com/i/api/1.1/blocks/destroy.json	https://x.com/i/api/1.1/blocks/ids.json
https://x.com/i/api/1.1/blocks/list.json	https://x.com/i/api/1.1/mutes/users/ids.json
https://x.com/i/api/1.1/mutes/users/list.json	https://x.com/i/api/graphql/
https://x.com/i/api/1.1/users/show.json?	https://reactjs.org/docs/error-decoder.html?invariant=
http://www.w3.org/1999/xlink	http://www.w3.org/XML/1998/namespace
http://www.w3.org/2000/svg	http://www.w3.org/1998/Math/MathML
http://www.w3.org/1999/xhtml	https://x.com/jojobuilds

Raw Manifest

{
  "name": "BlockParty",
  "icons": {
    "16": "icons/icon_16px.png",
    "32": "icons/icon_32px.png",
    "48": "icons/icon_48px.png",
    "128": "icons/icon_128px.png"
  },
  "action": {
    "default_icon": {
      "16": "icons/icon_16px.png",
      "32": "icons/icon_32px.png",
      "48": "icons/icon_48px.png",
      "128": "icons/icon_128px.png"
    },
    "default_title": "BlockParty"
  },
  "version": "3.3.0",
  "background": {
    "type": "module",
    "service_worker": "service-worker-loader.js"
  },
  "short_name": "BlockParty",
  "side_panel": {
    "default_path": "sidepanel.html"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Bulk mute, unmute, block, or unblock X/Twitter accounts from CSV files.",
  "permissions": [
    "storage",
    "tabs",
    "webRequest",
    "sidePanel"
  ],
  "content_scripts": [
    {
      "js": [
        "content.js"
      ],
      "run_at": "document_start",
      "matches": [
        "https://x.com/*",
        "https://twitter.com/*"
      ]
    }
  ],
  "host_permissions": [
    "https://x.com/*",
    "https://twitter.com/*"
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
  }
}

by ✦ Astarte

BlockParty

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (20 total):

Raw Manifest

Detections

Manifest Findings