[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

a11y.css

Version 2.1.0 View in Chrome Web Store

Last scanned: about 2 hours ago

Extension Details

Rating: 3.3 ★ (3 ratings)

Users: 2,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a very small user base of only 2,000 users and a concerning rating of 3.3 out of 5 stars with just 3 reviews, indicating limited adoption and mixed user satisfaction. The lack of developer information and missing description raises transparency concerns. The name "a11y.css" suggests it's related to accessibility CSS, but without proper documentation, its true purpose is unclear.

Concerns:

The extension requests excessive permissions for what appears to be a CSS accessibility tool. The tabs permission allows manipulation of all browser tabs, which is unnecessary for CSS-related functionality. The broad content script injection across all websites (*://*/*) creates significant security exposure, as it can access and modify any webpage you visit. The activeTab permission, while less concerning, still grants access to sensitive page content. The storage permission could be used to collect and retain user data across sessions.

Recommendations:

Given the high-risk profile, avoid installing this extension unless absolutely necessary. If you must use it, create a separate Chrome profile dedicated to this extension to isolate potential security risks from your main browsing activities. Consider looking for well-established accessibility tools with better security practices, higher user ratings, and transparent developer information. Monitor the extension's behavior closely and remove it immediately if you notice any suspicious activity or unexpected functionality.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "a11y.css",
  "icons": {
    "16": "icons/a11y-css_16.png",
    "48": "icons/a11y-css_48.png",
    "128": "icons/a11y-css_128.png"
  },
  "action": {
    "default_icon": {
      "19": "icons/a11y-css_19.png",
      "38": "icons/a11y-css_38.png"
    },
    "default_popup": "popup/index.html",
    "default_title": "a11y.css"
  },
  "version": "2.1.0",
  "background": {
    "type": "module",
    "service_worker": "/scripts/background/main.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "a11y.css provides warnings about possible risks and mistakes that exist in HTML.",
  "permissions": [
    "activeTab",
    "tabs",
    "storage",
    "scripting"
  ],
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "/scripts/injected/alt.js"
      ],
      "css": [
        "/scripts/injected/alt.css"
      ],
      "run_at": "document_end",
      "matches": [
        "*://*/*"
      ]
    }
  ],
  "manifest_version": 3,
  "minimum_chrome_version": "93",
  "web_accessible_resources": [
    {
      "matches": [
        "*://*/*"
      ],
      "resources": [
        "icons/info.svg",
        "icons/ko.svg",
        "icons/ok.svg",
        "scripts/injected/*",
        "css/*"
      ]
    }
  ]
}

by ✦ Astarte

a11y.css

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Embedded URLs (3 total):

Raw Manifest

Detections

Manifest Findings

https://github.com/ffoodd/a11y.css/	https://clients2.google.com/service/update2/crx
http://www.w3.org/2000/svg