[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

WAPlus CRM - Best AI-Powered Messaging CRM

Version 1.7.80 View in Chrome Web Store

Last scanned: about 12 hours ago

Extension Details

Developer: https://waplus.io/

Rating: 4.9 ★ (3.4K ratings)

Users: 60,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors: The extension has a strong user base of 60,000 users and an excellent 4.9-star rating from 3,400+ reviews, suggesting legitimate functionality and user satisfaction. The developer maintains a professional website at waplus.io, which adds credibility. However, these positive indicators are overshadowed by significant security concerns.

Concerns: The extension requests extremely broad permissions that far exceed what's necessary for a WhatsApp CRM tool. The combination of tabs, cookies, and identity permissions creates a dangerous attack surface. The tabs permission allows monitoring and manipulation of all browser tabs, while cookies access could enable session hijacking across websites. The identity permission is particularly concerning as it can access personal authentication data. The broad host permissions extending beyond WhatsApp to all waplus.io domains suggest potential data collection beyond the stated purpose.

Recommendations: Given the critical risk level, avoid installing this extension on your primary browser profile. If you must use it, create a dedicated Chrome profile specifically for this extension and avoid accessing sensitive websites or accounts in that profile. Consider alternative WhatsApp CRM solutions with more restrictive permissions. Regularly audit what data the extension has access to and revoke permissions if possible. Monitor your accounts for any suspicious activity if you've already installed this extension.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: identity

This extension has the identity permission. Can access your identity information. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

tabs
activeTab
storage
cookies
scripting
contextMenus
alarms
identity

Optional Permissions:

management

Host Permissions:

*://web.whatsapp.com/*
*://*.waplus.io/*

Embedded URLs (689 total):

https://web.whatsapp.com/	http://web.whatsapp.com/
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/runtime/onMessage	https://bit.ly/2ZqJzkp
https://scrm-global.zingfront.com/waplus-crm/files/csv/WAPlus_Import_WA_Numbers_Example.csv	https://faq.whatsapp.com/361005896189245/?helpref=hc_fnav
https://example.com/faq	http://feross.org
https://extensiondock.com/chatgpt/v4/completions?	https://translate.googleapis.com/translate_a/single
http://www.w3.org/1999/xlink	http://www.w3.org/2000/svg
http://www.w3.org/1998/Math/MathML	https://accounts.zoho.com/oauth/v2/token
https://web.whatsapp.com?type=sf	https://login.salesforce.com
https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=	https://feross.org/opensource
https://api.hubapi.com	https://cdn2.waplus.io/extensiton/waplus/config/config.json
https://web.whatsapp.com	https://waplus.io/en
https://www.googleapis.com/auth/calendar.events	https://accounts.google.com/o/oauth2/v2/auth?client_id=
https://www.googleapis.com/auth/contacts	https://waplus.io/pay/default/subscription-cancel
https://transmart.qq.com	https://transmart.qq.com/api/imt
https://wadeck.ai/pay/default/subscription-cancel	https://waplus.io/feedback-form/crm-uninstall-feedback?utm_source=&install_time=
https://waplus.io	https://crm.watechdev.asia
https://web.whatsapp.com/?code	https://web.whatsapp.com/?type=sf
https://web.whatsapp.com/?type=zoho	https://web.whatsapp.com?type=zoho
https://www.zohoapis.com	https://accounts.zoho.com/oauth/v2/auth?scope=
https://feross.org	https://kjur.github.io/jsrsasign/license/
https://static-global.zingfront.com/common/flags/4x3/ad.svg	https://static-global.zingfront.com/common/flags/1x1/ad.svg
https://static-global.zingfront.com/common/flags/4x3/ae.svg	https://static-global.zingfront.com/common/flags/1x1/ae.svg
https://static-global.zingfront.com/common/flags/4x3/af.svg	https://static-global.zingfront.com/common/flags/1x1/af.svg
https://static-global.zingfront.com/common/flags/4x3/ag.svg	https://static-global.zingfront.com/common/flags/1x1/ag.svg
https://static-global.zingfront.com/common/flags/4x3/ai.svg	https://static-global.zingfront.com/common/flags/1x1/ai.svg
https://static-global.zingfront.com/common/flags/4x3/al.svg	https://static-global.zingfront.com/common/flags/1x1/al.svg
https://static-global.zingfront.com/common/flags/4x3/am.svg	https://static-global.zingfront.com/common/flags/1x1/am.svg
https://static-global.zingfront.com/common/flags/4x3/ao.svg	https://static-global.zingfront.com/common/flags/1x1/ao.svg
https://static-global.zingfront.com/common/flags/4x3/aq.svg	https://static-global.zingfront.com/common/flags/1x1/aq.svg
https://static-global.zingfront.com/common/flags/4x3/ar.svg	https://static-global.zingfront.com/common/flags/1x1/ar.svg
https://static-global.zingfront.com/common/flags/4x3/as.svg	https://static-global.zingfront.com/common/flags/1x1/as.svg
https://static-global.zingfront.com/common/flags/4x3/at.svg	https://static-global.zingfront.com/common/flags/1x1/at.svg
https://static-global.zingfront.com/common/flags/4x3/au.svg	https://static-global.zingfront.com/common/flags/1x1/au.svg
https://static-global.zingfront.com/common/flags/4x3/aw.svg	https://static-global.zingfront.com/common/flags/1x1/aw.svg
https://static-global.zingfront.com/common/flags/4x3/ax.svg	https://static-global.zingfront.com/common/flags/1x1/ax.svg
https://static-global.zingfront.com/common/flags/4x3/az.svg	https://static-global.zingfront.com/common/flags/1x1/az.svg
https://static-global.zingfront.com/common/flags/4x3/ba.svg	https://static-global.zingfront.com/common/flags/1x1/ba.svg
https://static-global.zingfront.com/common/flags/4x3/bb.svg	https://static-global.zingfront.com/common/flags/1x1/bb.svg
https://static-global.zingfront.com/common/flags/4x3/bd.svg	https://static-global.zingfront.com/common/flags/1x1/bd.svg
https://static-global.zingfront.com/common/flags/4x3/be.svg	https://static-global.zingfront.com/common/flags/1x1/be.svg

Page 1 of 9

Raw Manifest

{
  "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlWycw3xI2JDdljo8ZkPG8fGxMpIZxZOFcIiC43XoOiPeZRJi1MwRAbRnvy4YuBRQnbYqXXeVj4Ad+EeBtoeLiwDocA48HRTDghqQz0Dy8ViFElXuKFMgsgPdh/lf2d4vygpDA4vdxzyA50D2PQtOyYvGyPsBixOdvOaCPMI5BmBmAOB8Zi5BCceAfb2vgik4rMDDa+Vmz8FgqyDvJ5EolBNJxFy1BqiyrgBBEA6jmlISNa3KHDOFOyTn4AtBeMOSfI6FURYL9YiaUAJbY3mxtGGTX1/+IpGn3EAIGcUzwgGu7FisKKQy0LV2hQIpzjOCrOe3NAES4eIFtfAXykFmbwIDAQAB",
  "name": "__MSG_extName__",
  "icons": {
    "16": "icons/logo_16.png",
    "48": "icons/logo_48.png",
    "128": "icons/logo_128.png"
  },
  "action": {
    "default_icon": {
      "128": "icons/logo_128.png"
    }
  },
  "oauth2": {
    "scopes": [
      "https://www.googleapis.com/auth/calendar.events"
    ],
    "client_id": "515287609542-bduhga17cas9tjm79s1cc2untnbmh58f.apps.googleusercontent.com"
  },
  "version": "1.7.80",
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_extDesc__",
  "permissions": [
    "tabs",
    "activeTab",
    "storage",
    "cookies",
    "scripting",
    "contextMenus",
    "alarms",
    "identity"
  ],
  "homepage_url": "https://chrome.google.com/webstore/detail/waplus-crm-crm-tool-for-w/jmjcgjmipjiklbnfbdclkdikplgajhgc",
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "content-script.js"
      ],
      "css": [
        "css/wa-attach.css",
        "css/flags.css"
      ],
      "run_at": "document_end",
      "matches": [
        "https://web.whatsapp.com/*"
      ]
    },
    {
      "js": [
        "js/document_start.js"
      ],
      "run_at": "document_start",
      "matches": [
        "https://web.whatsapp.com/*"
      ]
    },
    {
      "js": [
        "waplus-content.js"
      ],
      "css": [],
      "run_at": "document_end",
      "matches": [
        "https://*.waplus.io/*"
      ]
    }
  ],
  "host_permissions": [
    "*://web.whatsapp.com/*",
    "*://*.waplus.io/*"
  ],
  "manifest_version": 3,
  "optional_permissions": [
    "management"
  ],
  "externally_connectable": {
    "matches": [
      "*://*.waplus.io/*"
    ]
  },
  "web_accessible_resources": [
    {
      "matches": [
        "https://web.whatsapp.com/*"
      ],
      "resources": [
        "inject-script.js",
        "icons/*",
        "images/*",
        "websocket/*",
        "template/*"
      ]
    }
  ],
  "optional_host_permissions": [
    "*://api.hubapi.com/*",
    "*://*/*"
  ]
}

by ✦ Astarte

WAPlus CRM - Best AI-Powered Messaging CRM

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Optional Permissions:

Host Permissions:

Embedded URLs (689 total):

Raw Manifest

Detections

Manifest Findings