[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

WAVE Evaluation Tool

Version 3.3.0.4 View in Chrome Web Store

Last scanned: about 5 hours ago

Extension Details

Rating: 4.1 ★ (156 ratings)

Users: 700,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors: The WAVE Evaluation Tool has strong legitimacy indicators with 700,000 users and a 4.1-star rating, suggesting it's a well-established accessibility testing tool. WAVE (Web Accessibility Evaluation Tool) is a recognized name in the web accessibility community, which adds credibility to this extension.

Concerns: The extension's permissions are concerning given its stated purpose. The webNavigation permission allows comprehensive tracking of browsing behavior, which seems excessive for an accessibility evaluation tool that should only need to analyze pages when explicitly requested. The broad host permissions (file, http, and https access to all sites) create significant attack surface. While activeTab and contextMenus permissions are reasonable for a page analysis tool, the combination of all permissions together enables extensive data collection capabilities that go beyond what's necessary for accessibility testing.

Recommendations: Consider running this extension in a separate Chrome profile dedicated to web development work to limit exposure of personal browsing data. Only enable the extension when actively performing accessibility testing, then disable it afterward. Monitor what data the extension accesses through Chrome's extension activity logs. If you frequently need accessibility testing, consider using WAVE's online tool or other alternatives that don't require such broad permissions. The extension's popularity suggests it's likely legitimate, but the permission set warrants caution with sensitive browsing activities.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

Security Analysis Details

Required Permissions:

activeTab
contextMenus
scripting
webNavigation

Host Permissions:

file:///*
http://*/*
https://*/*

Embedded URLs (37 total):

Raw Manifest

{
  "name": "WAVE Evaluation Tool",
  "icons": {
    "16": "/img/wave16.png",
    "32": "/img/wave32.png",
    "48": "/img/wave48.png",
    "64": "/img/wave64.png",
    "96": "/img/wave96.png",
    "128": "/img/wave128.png"
  },
  "action": {
    "default_icon": {
      "16": "/img/wave16bk.png",
      "32": "/img/wave32bk.png",
      "64": "/img/wave64bk.png"
    },
    "default_title": "WAVE"
  },
  "version": "3.3.0.4",
  "commands": {
    "toggle-extension": {
      "description": "Send a 'toggle-extension' event to the extension",
      "suggested_key": {
        "default": "Ctrl+Shift+U"
      }
    }
  },
  "background": {
    "service_worker": "service_worker.js"
  },
  "short_name": "WAVE",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Evaluate web accessibility within your browser.",
  "permissions": [
    "activeTab",
    "contextMenus",
    "scripting",
    "webNavigation"
  ],
  "host_permissions": [
    "file:///*",
    "http://*/*",
    "https://*/*"
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "img/*",
        "styles/*",
        "chrome/*",
        "inject.js",
        "sidebar.html",
        "wave.min.js",
        "sidebar.min.js"
      ]
    }
  ]
}

by ✦ Astarte

WAVE Evaluation Tool

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (37 total):

Raw Manifest

Detections

Manifest Findings

https://overlayfactsheet.com/	https://webaim.org/techniques/alttext/
https://webaim.org/standards/wcag/checklist#sc1.1.1	https://webaim.org/standards/wcag/checklist#sc2.4.4
https://webaim.org/standards/wcag/checklist#sc1.3.1	https://webaim.org/standards/wcag/checklist#sc2.4.6
https://webaim.org/standards/wcag/checklist#sc3.3.2	https://webaim.org/standards/wcag/checklist#sc4.1.2
https://webaim.org/standards/wcag/checklist#sc2.1.1	https://webaim.org/standards/wcag/checklist#sc2.4.2
https://webaim.org/standards/wcag/checklist#sc3.1.1	https://webaim.org/standards/wcag/checklist#sc2.2.1
https://webaim.org/standards/wcag/checklist#sc2.2.2	https://webaim.org/standards/wcag/checklist#sc2.4.1
https://webaim.org/standards/wcag/checklist#sc1.4.3	https://webaim.org/standards/wcag/checklist#sc1.3.2
https://webaim.org/standards/wcag/checklist#sc1.2.1	https://webaim.org/standards/wcag/checklist#sc1.2.2
https://webaim.org/standards/wcag/checklist#sc1.2.3	https://webaim.org/standards/wcag/checklist#sc1.2.5
https://webaim.org/standards/wcag/checklist#sc1.4.2	https://webaim.org/techniques/flash/techniques#hiding
https://webaim.org/standards/wcag/checklist#sc2.1.2	https://webaim.org/standards/wcag/checklist#sc3.2.2
https://webaim.org/standards/wcag/checklist#sc2.4.3	https://webaim.org/techniques/css/invisiblecontent/#skipnavlinks
https://webaim.org/standards/wcag/checklist#sc3.1.2	https://webaim.org/standards/wcag/checklist#sc2.5.3
https://webaim.org/standards/wcag/checklist#sc3.3.1	https://webaim.org/standards/wcag/checklist#sc4.1.3
https://wave.webaim.org/extension/	http://www.w3.org/2000/svg
https://clients2.google.com/service/update2/crx	https://wave.webaim.org/
https://webaim.org/	https://webaim.org/resources/evalquickref/
https://wave.webaim.org/aimscore