[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

WAPlus CRM - Best AI-Powered Messaging CRM

Version 1.7.93 View in Chrome Web Store

Last scanned: about 3 hours ago

Extension Details

Developer: https://waplus.io/

Rating: 4.9 ★ (3.6K ratings)

Users: 70,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors: The extension has a strong user base of 70,000 users and an excellent 4.9-star rating from 3.6K reviews, suggesting legitimate functionality and user satisfaction. The developer maintains a professional website at waplus.io, which adds credibility. However, these positive indicators are overshadowed by significant security concerns.

Concerns:

- The extension requests extremely broad permissions that far exceed what's necessary for a WhatsApp CRM tool

- Identity permission allows access to personal identity information, which is unnecessary for messaging management

- Cookies permission enables reading and modifying browser cookies across all sites

- Tabs permission grants ability to monitor and manipulate all browser tabs

- Broad host permissions with wildcard access could enable data harvesting beyond WhatsApp

- The combination of identity, cookies, and tabs permissions creates a powerful surveillance capability

- Content scripts injection on waplus.io domains suggests data transmission to external servers

Recommendations:

Given the critical risk level, avoid installing this extension on your primary browser profile. If the CRM functionality is essential for your business, create a dedicated Chrome profile specifically for this extension and limit its use to WhatsApp-related activities only. Consider alternative CRM solutions with more restrictive permissions. Regularly audit what data the extension might be accessing and ensure your WhatsApp contains no sensitive business information when using this tool.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: identity

This extension has the identity permission. Can access your identity information. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

tabs
activeTab
storage
cookies
scripting
contextMenus
alarms
identity

Optional Permissions:

management

Host Permissions:

*://web.whatsapp.com/*
*://*.waplus.io/*

Embedded URLs (688 total):

https://web.whatsapp.com/	http://web.whatsapp.com/
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/runtime/onMessage	https://bit.ly/2ZqJzkp
https://scrm-global.zingfront.com/waplus-crm/files/csv/WAPlus_Import_WA_Numbers_Example.csv	https://faq.whatsapp.com/361005896189245/?helpref=hc_fnav
https://example.com/faq	http://feross.org
https://waplus.io/api/crm/v2	https://translate.googleapis.com/translate_a/single
http://www.w3.org/1999/xlink	http://www.w3.org/2000/svg
http://www.w3.org/1998/Math/MathML	https://accounts.zoho.com/oauth/v2/token
https://web.whatsapp.com?type=sf	https://login.salesforce.com
https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=	https://feross.org/opensource
https://api.hubapi.com	https://cdn2.waplus.io/extensiton/waplus/config/config.json
https://web.whatsapp.com	https://waplus.io/en
https://www.googleapis.com/auth/calendar.events	https://accounts.google.com/o/oauth2/v2/auth?client_id=
https://www.googleapis.com/auth/contacts	https://waplus.io/pay/default/subscription-cancel
https://transmart.qq.com	https://transmart.qq.com/api/imt
https://wadeck.ai/pay/default/subscription-cancel	https://waplus.io/feedback-form/crm-uninstall-feedback?utm_source=&install_time=
https://waplus.io	https://crm.watechdev.asia
https://web.whatsapp.com/?code	https://web.whatsapp.com/?type=sf
https://web.whatsapp.com/?type=zoho	https://web.whatsapp.com?type=zoho
https://www.zohoapis.com	https://accounts.zoho.com/oauth/v2/auth?scope=
https://feross.org	https://kjur.github.io/jsrsasign/license/
https://static-global.zingfront.com/common/flags/4x3/ad.svg	https://static-global.zingfront.com/common/flags/1x1/ad.svg
https://static-global.zingfront.com/common/flags/4x3/ae.svg	https://static-global.zingfront.com/common/flags/1x1/ae.svg
https://static-global.zingfront.com/common/flags/4x3/af.svg	https://static-global.zingfront.com/common/flags/1x1/af.svg
https://static-global.zingfront.com/common/flags/4x3/ag.svg	https://static-global.zingfront.com/common/flags/1x1/ag.svg
https://static-global.zingfront.com/common/flags/4x3/ai.svg	https://static-global.zingfront.com/common/flags/1x1/ai.svg
https://static-global.zingfront.com/common/flags/4x3/al.svg	https://static-global.zingfront.com/common/flags/1x1/al.svg
https://static-global.zingfront.com/common/flags/4x3/am.svg	https://static-global.zingfront.com/common/flags/1x1/am.svg
https://static-global.zingfront.com/common/flags/4x3/ao.svg	https://static-global.zingfront.com/common/flags/1x1/ao.svg
https://static-global.zingfront.com/common/flags/4x3/aq.svg	https://static-global.zingfront.com/common/flags/1x1/aq.svg
https://static-global.zingfront.com/common/flags/4x3/ar.svg	https://static-global.zingfront.com/common/flags/1x1/ar.svg
https://static-global.zingfront.com/common/flags/4x3/as.svg	https://static-global.zingfront.com/common/flags/1x1/as.svg
https://static-global.zingfront.com/common/flags/4x3/at.svg	https://static-global.zingfront.com/common/flags/1x1/at.svg
https://static-global.zingfront.com/common/flags/4x3/au.svg	https://static-global.zingfront.com/common/flags/1x1/au.svg
https://static-global.zingfront.com/common/flags/4x3/aw.svg	https://static-global.zingfront.com/common/flags/1x1/aw.svg
https://static-global.zingfront.com/common/flags/4x3/ax.svg	https://static-global.zingfront.com/common/flags/1x1/ax.svg
https://static-global.zingfront.com/common/flags/4x3/az.svg	https://static-global.zingfront.com/common/flags/1x1/az.svg
https://static-global.zingfront.com/common/flags/4x3/ba.svg	https://static-global.zingfront.com/common/flags/1x1/ba.svg
https://static-global.zingfront.com/common/flags/4x3/bb.svg	https://static-global.zingfront.com/common/flags/1x1/bb.svg
https://static-global.zingfront.com/common/flags/4x3/bd.svg	https://static-global.zingfront.com/common/flags/1x1/bd.svg
https://static-global.zingfront.com/common/flags/4x3/be.svg	https://static-global.zingfront.com/common/flags/1x1/be.svg

Page 1 of 9

Raw Manifest

{
  "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlWycw3xI2JDdljo8ZkPG8fGxMpIZxZOFcIiC43XoOiPeZRJi1MwRAbRnvy4YuBRQnbYqXXeVj4Ad+EeBtoeLiwDocA48HRTDghqQz0Dy8ViFElXuKFMgsgPdh/lf2d4vygpDA4vdxzyA50D2PQtOyYvGyPsBixOdvOaCPMI5BmBmAOB8Zi5BCceAfb2vgik4rMDDa+Vmz8FgqyDvJ5EolBNJxFy1BqiyrgBBEA6jmlISNa3KHDOFOyTn4AtBeMOSfI6FURYL9YiaUAJbY3mxtGGTX1/+IpGn3EAIGcUzwgGu7FisKKQy0LV2hQIpzjOCrOe3NAES4eIFtfAXykFmbwIDAQAB",
  "name": "__MSG_extName__",
  "icons": {
    "16": "icons/logo_16.png",
    "48": "icons/logo_48.png",
    "128": "icons/logo_128.png"
  },
  "action": {
    "default_icon": {
      "128": "icons/logo_128.png"
    }
  },
  "oauth2": {
    "scopes": [
      "https://www.googleapis.com/auth/calendar.events"
    ],
    "client_id": "515287609542-bduhga17cas9tjm79s1cc2untnbmh58f.apps.googleusercontent.com"
  },
  "version": "1.7.93",
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_extDesc__",
  "permissions": [
    "tabs",
    "activeTab",
    "storage",
    "cookies",
    "scripting",
    "contextMenus",
    "alarms",
    "identity"
  ],
  "homepage_url": "https://chrome.google.com/webstore/detail/waplus-crm-crm-tool-for-w/jmjcgjmipjiklbnfbdclkdikplgajhgc",
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "content-script.js"
      ],
      "css": [
        "css/wa-attach.css",
        "css/flags.css"
      ],
      "run_at": "document_end",
      "matches": [
        "https://web.whatsapp.com/*"
      ]
    },
    {
      "js": [
        "js/document_start.js"
      ],
      "run_at": "document_start",
      "matches": [
        "https://web.whatsapp.com/*"
      ]
    },
    {
      "js": [
        "waplus-content.js"
      ],
      "css": [],
      "run_at": "document_end",
      "matches": [
        "https://*.waplus.io/*"
      ]
    }
  ],
  "host_permissions": [
    "*://web.whatsapp.com/*",
    "*://*.waplus.io/*"
  ],
  "manifest_version": 3,
  "optional_permissions": [
    "management"
  ],
  "externally_connectable": {
    "matches": [
      "*://*.waplus.io/*"
    ]
  },
  "web_accessible_resources": [
    {
      "matches": [
        "https://web.whatsapp.com/*"
      ],
      "resources": [
        "inject-script.js",
        "icons/*",
        "images/*",
        "websocket/*",
        "template/*"
      ]
    }
  ],
  "optional_host_permissions": [
    "*://api.hubapi.com/*",
    "*://*/*"
  ]
}

by ✦ Astarte

WAPlus CRM - Best AI-Powered Messaging CRM

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Optional Permissions:

Host Permissions:

Embedded URLs (688 total):

Raw Manifest

Detections

Manifest Findings