[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Writer - Extension & Clipper

Version 2.3 View in Chrome Web Store

Last scanned: about 9 hours ago

Extension Details

Developer: https://zoho.com/

Rating: 4.2 ★ (45 ratings)

Users: 90,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension is developed by Zoho, a well-established and reputable company known for business productivity software. With 90,000 users and a 4.2-star rating, it shows reasonable adoption and user satisfaction. The extension appears to be a legitimate tool for Zoho Writer, their document editing platform, which explains many of the permissions requested.

Concerns:

The extension has several concerning permissions that create privacy and security risks. The clipboardRead permission allows access to potentially sensitive copied content. The cookies and tabs permissions enable tracking of browsing behavior and session data. The downloads permission could be misused to save files without explicit user consent. Most concerning is the content script injection on all websites (https://*/*), which means the extension can monitor and potentially modify content on every website you visit. While these permissions may be necessary for the clipper functionality, they create a broad attack surface.

Recommendations:

Consider running this extension in a separate Chrome profile if you need its functionality but want to limit exposure. Regularly review what data you're clipping and be cautious about copying sensitive information to your clipboard while the extension is active. Monitor your downloads folder for unexpected files. If you only use Zoho Writer occasionally, consider disabling the extension when not needed and enabling it only during active use sessions.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: clipboardRead

This extension has the clipboardRead permission. Can read clipboard content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: downloads

This extension has the downloads permission. Can download files and access download history. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: notifications

This extension has the notifications permission. Can show notifications.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

storage
cookies
tabs
contextMenus
notifications
downloads
downloads.open
clipboardRead
scripting
activeTab

Host Permissions:

https://accounts.zoho.com/*
https://accounts.zoho.eu/*
https://accounts.zoho.in/*
https://accounts.zoho.com.au/*
https://accounts.zoho.com.cn/*
https://accounts.zoho.jp/*
https://accounts.zohocloud.ca/*
https://accounts.zoho.sa/*
https://accounts.zoho.ae/*
https://writer.zoho.com/*
https://writer.zoho.eu/*
https://writer.zoho.in/*
https://writer.zoho.com.au/*
https://writer.zoho.com.cn/*
https://writer.zoho.jp/*
https://writer.zohocloud.ca/*
https://writer.zoho.sa/*
https://writer.zoho.ae/*
https://writer.mylocalzoho.com/*
https://writer.myzoholabsexternal.com/*
https://writer.myzoholabspublic.com/*
https://writer.localzoho.com/*
https://writer.myzoho.in/*
https://writer.myzohoexternal.in/*
https://writer.myzohopublic.in/*

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self'; connect-src https://*.zoho.com https://*.zoho.eu https://*.zoho.in https://*.zoho.com.au https://*.zoho.com.cn https://*.zoho.jp https://*.zohocloud.ca https://*.zoho.sa https://*.zoho.ae https://*.mylocalzoho.com https://*.myzoholabsexternal.com https://*.myzoholabspublic.com https://*.localzoho.com https://*.myzoho.in https://*.myzohoexternal.in https://*.myzohopublic.in; img-src 'self' data: https://*.zoho.com https://*.zoho.eu https://*.zoho.in https://*.zoho.com.au https://*.zoho.com.cn https://*.zoho.jp https://*.zohocloud.ca https://*.zoho.sa https://*.zoho.ae https://*.mylocalzoho.com https://*.myzoholabsexternal.com https://*.myzoholabspublic.com https://*.localzoho.com https://*.myzoho.in https://*.myzohoexternal.in https://*.myzohopublic.in; style-src 'self' 'unsafe-inline';

Embedded URLs (41 total):

https://www.zoho.com/writer/logout.html	https://docs.zoho/writer/open/
http://www.w3.org/1999/xlink	https://www.zoho.com/writer/
https://www.zoho.com/writer/images/zoho-writer-logo.png	http://www.w3.org/2000/svg
https://www.zoho	https://profile.zoho
https://accounts.zoho	https://writer.zoho
https://docs.zoho	https://accounts.zohocloud
https://writer.zohocloud	https://static.zohocdn.com/webfonts/lato2regular/font.woff2
https://static.zohocdn.com/webfonts/lato2bold/font.woff2	https://clients2.google.com/service/update2/crx
https://accounts.zoho.com/	https://accounts.zoho.eu/
https://accounts.zoho.in/	https://accounts.zoho.com.au/
https://accounts.zoho.com.cn/	https://accounts.zoho.jp/
https://accounts.zohocloud.ca/	https://accounts.zoho.sa/
https://accounts.zoho.ae/	https://writer.zoho.com/
https://writer.zoho.eu/	https://writer.zoho.in/
https://writer.zoho.com.au/	https://writer.zoho.com.cn/
https://writer.zoho.jp/	https://writer.zohocloud.ca/
https://writer.zoho.sa/	https://writer.zoho.ae/
https://writer.mylocalzoho.com/	https://writer.myzoholabsexternal.com/
https://writer.myzoholabspublic.com/	https://writer.localzoho.com/
https://writer.myzoho.in/	https://writer.myzohoexternal.in/
https://writer.myzohopublic.in/

Raw Manifest

{
  "name": "Writer - Extension & Clipper",
  "icons": {
    "128": "images/writer-logo.png"
  },
  "action": {
    "default_icon": "images/writer-logo.png",
    "default_popup": "html/zwplugin.html",
    "default_title": "Writer"
  },
  "version": "2.3",
  "incognito": "split",
  "background": {
    "service_worker": "js/background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Create, access and edit Writer documents from any tab, and clip references to a document.",
  "permissions": [
    "storage",
    "cookies",
    "tabs",
    "contextMenus",
    "notifications",
    "downloads",
    "downloads.open",
    "clipboardRead",
    "scripting",
    "activeTab"
  ],
  "content_scripts": [
    {
      "js": [
        "js/zwpaste.js"
      ],
      "run_at": "document_idle",
      "matches": [
        "https://*/*"
      ]
    }
  ],
  "host_permissions": [
    "https://accounts.zoho.com/*",
    "https://accounts.zoho.eu/*",
    "https://accounts.zoho.in/*",
    "https://accounts.zoho.com.au/*",
    "https://accounts.zoho.com.cn/*",
    "https://accounts.zoho.jp/*",
    "https://accounts.zohocloud.ca/*",
    "https://accounts.zoho.sa/*",
    "https://accounts.zoho.ae/*",
    "https://writer.zoho.com/*",
    "https://writer.zoho.eu/*",
    "https://writer.zoho.in/*",
    "https://writer.zoho.com.au/*",
    "https://writer.zoho.com.cn/*",
    "https://writer.zoho.jp/*",
    "https://writer.zohocloud.ca/*",
    "https://writer.zoho.sa/*",
    "https://writer.zoho.ae/*",
    "https://writer.mylocalzoho.com/*",
    "https://writer.myzoholabsexternal.com/*",
    "https://writer.myzoholabspublic.com/*",
    "https://writer.localzoho.com/*",
    "https://writer.myzoho.in/*",
    "https://writer.myzohoexternal.in/*",
    "https://writer.myzohopublic.in/*"
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'; connect-src https://*.zoho.com https://*.zoho.eu https://*.zoho.in https://*.zoho.com.au https://*.zoho.com.cn https://*.zoho.jp https://*.zohocloud.ca https://*.zoho.sa https://*.zoho.ae https://*.mylocalzoho.com https://*.myzoholabsexternal.com https://*.myzoholabspublic.com https://*.localzoho.com https://*.myzoho.in https://*.myzohoexternal.in https://*.myzohopublic.in; img-src 'self' data: https://*.zoho.com https://*.zoho.eu https://*.zoho.in https://*.zoho.com.au https://*.zoho.com.cn https://*.zoho.jp https://*.zohocloud.ca https://*.zoho.sa https://*.zoho.ae https://*.mylocalzoho.com https://*.myzoholabsexternal.com https://*.myzoholabspublic.com https://*.localzoho.com https://*.myzoho.in https://*.myzohoexternal.in https://*.myzohopublic.in; style-src 'self' 'unsafe-inline';"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "https://writer.zoho.com/*",
        "https://writer.zoho.eu/*",
        "https://writer.zoho.in/*",
        "https://writer.zoho.com.au/*",
        "https://writer.zoho.com.cn/*",
        "https://writer.zoho.jp/*",
        "https://writer.zohocloud.ca/*",
        "https://writer.zoho.sa/*",
        "https://writer.zoho.ae/*",
        "https://writer.mylocalzoho.com/*",
        "https://writer.myzoholabsexternal.com/*",
        "https://writer.myzoholabspublic.com/*",
        "https://writer.localzoho.com/*",
        "https://writer.myzoho.in/*",
        "https://writer.myzohoexternal.in/*",
        "https://writer.myzohopublic.in/*"
      ],
      "resources": [
        "js/executescript.js"
      ]
    }
  ]
}

by ✦ Astarte

Writer - Extension & Clipper

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (41 total):

Raw Manifest

Detections

Manifest Findings