[ new scan ] [ statistics ] [ github ] [ twitter ]

DragApp: Gmail shared inbox

Version 17.6.3 View in Chrome Web Store

Last scanned: 13 days ago | force re-scan

Extension Details

Developer: www.dragapp.com

Rating: 4.1 ★ (698 ratings)

Size: 9.35MiB

Last Updated: March 19, 2025

Users: 20,000

Developer Info: DRAGAPP.COM LIMITEDBuilding 18, Gateway 1000 Arlington Business Park STEVENAGE SG1 2FP GB

Context-Aware Verdict

MEDIUM

Risk Level

Trust Factors:

- The extension is developed by a registered company, DRAGAPP.COM LIMITED, which adds some credibility.

- It has a decent number of users (20,000) and a relatively high rating (4.1/5), suggesting it is a popular and well-received extension.

Concerns:

- The extension requests broad host permissions, allowing it to access many websites, which could potentially be abused for data theft or tracking browsing activity.

- It requires access to sensitive domains like Google's mail services and APIs, which could expose user emails and data if the extension is compromised.

Recommendations:

- While the extension appears to be legitimate and popular, the broad permissions and access to sensitive data are concerning. Users should exercise caution and only install the extension if they fully trust the developer.

- Consider running the extension in a separate Chrome profile or browser instance to isolate it from other sensitive data and browsing activities.

- Regularly review the extension's permissions and revoke any unnecessary access to minimize potential risks.

- Monitor for any suspicious behavior or data leaks, and promptly uninstall the extension if any concerns arise.

Security Analysis

MEDIUM

Overall Risk

Based on 2 total findings, ranked without considering overall context, including 1 high-risk and 1 medium-risk findings.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM

Access to Sensitive Domains

This extension requests access to sensitive domains: https://*.google.com/*, https://www.googleapis.com/*, https://mail.google.com/, https://inbox.google.com/. Ensure you trust this extension with access to these sites.

Security Analysis Details

Required Permissions:

scripting

Host Permissions:

https://app.dragapp.com/*
https://*.google.com/*
https://www.googleapis.com/*
https://mail.google.com/
https://inbox.google.com/

Content Security Policy:

extension_pages: default-src 'self'

Embedded URLs (233 total):

https://mail.google.com/	https://mail.google.com/sync
https://mail.google.com	https://mail.google.com/mail/u/0/
https://mail.google.com/mail	https://github.com/kefirjs/kefir/issues/145
https://github.com/kefirjs/kefir/issues/149	https://github.com/kefirjs/kefir/issues/150
https://www.inboxsdk.com/	https://www.inboxsdk.com/terms
https://clients2.google.com/service/update2/crx	https://app.dragapp.com/
https://www.googleapis.com/	https://inbox.google.com/
http://jedwatson.github.io/classnames	https://github.com/kurkle/color#readme
https://www.chartjs.org	https://feross.org
https://github.com/jonathantneal/closest	http://mths.be/base64
https://mths.be/utf8js	https://feross.org/opensource
http://coding.kz	http://www.opensource.org/licenses/mit-license.php
https://ssl.gstatic.com/ui/v1/icons/common/x_8px.png	https://api.inboxsdk.com/api/v2/errors
https://api.inboxsdk.com/api/v2/events/oauth	https://pubsub.googleapis.com/v1/projects/mailfoogae/topics/events:publish?key=
https://myaccount.google.	https://github.com/InboxSDK/InboxSDK/issues/1062#issuecomment-1821327292
https://www.gstatic.com/images/icons/material/system_gm/2x/more_vert_black_20dp.png	https://www.inboxsdk.com/docs/#Router
https://people-pa.clients6.google.com/	https://www.inboxsdk.com/register
https://www.inboxsdk.com/docs/#RequiredSetup	https://www.gstatic.com/images/icons/material/system/1x/close_black_24dp.png
https://www.gstatic.com/images/icons/material/system/2x/close_black_24dp.png	https://ssl.gstatic.com/mail/sprites/smartmail-561acb673be75c1d374881a95997fce4.png
http://fb.me/use-check-prop-types	https://reactjs.org/docs/error-decoder.html?invariant=
http://www.w3.org/1999/xlink	http://www.w3.org/XML/1998/namespace
http://www.w3.org/1999/xhtml	http://www.w3.org/1998/Math/MathML
http://www.w3.org/2000/svg	https://reactjs.org/link/react-polyfills
https://go.crisp.chat/chat/embed/?website_id=b381468c-2a80-4b78-b8d1-ca9c32d4b83c	https://www.dragapp.com/demo/
https://www.dragapp.com/terms/	https://www.dragapp.com/privacy/
https://fonts.gstatic.com/s/poppins/v15/pxiEyp8kv8JHgFVrJJbecmNE.woff2	https://fonts.gstatic.com/s/poppins/v15/pxiEyp8kv8JHgFVrJJnecmNE.woff2
https://fonts.gstatic.com/s/poppins/v15/pxiEyp8kv8JHgFVrJJfecg.woff2	https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLCz7Z11lFc-K.woff2
https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLCz7Z1JlFc-K.woff2	https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLCz7Z1xlFQ.woff2
https://fonts.gstatic.com/s/roboto/v29/KFOmCnqEu92Fr1Mu72xKOzY.woff2	https://fonts.gstatic.com/s/roboto/v29/KFOmCnqEu92Fr1Mu5mxKOzY.woff2
https://fonts.gstatic.com/s/roboto/v29/KFOmCnqEu92Fr1Mu7mxKOzY.woff2	https://fonts.gstatic.com/s/roboto/v29/KFOmCnqEu92Fr1Mu4WxKOzY.woff2
https://fonts.gstatic.com/s/roboto/v29/KFOmCnqEu92Fr1Mu7WxKOzY.woff2	https://fonts.gstatic.com/s/roboto/v29/KFOmCnqEu92Fr1Mu7GxKOzY.woff2
https://fonts.gstatic.com/s/roboto/v29/KFOmCnqEu92Fr1Mu4mxK.woff2	https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmEU9fCRc4EsA.woff2
https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmEU9fABc4EsA.woff2	https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmEU9fCBc4EsA.woff2
https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmEU9fBxc4EsA.woff2	https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmEU9fCxc4EsA.woff2
https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmEU9fChc4EsA.woff2	https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmEU9fBBc4.woff2
https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmWUlfCRc4EsA.woff2	https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmWUlfABc4EsA.woff2
https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmWUlfCBc4EsA.woff2	https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmWUlfBxc4EsA.woff2
https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmWUlfCxc4EsA.woff2	https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmWUlfChc4EsA.woff2
https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmWUlfBBc4.woff2	https://www.gstatic.com/images/icons/material/system/2x/close_white_20dp.png
https://www.w3.org/2000/svg	https://ipinfo.io/json?token=dbeebde39a6813

Page 1 of 3

Raw Manifest

{
  "name": "__MSG_appName__",
  "icons": {
    "16": "assets/img/16.png",
    "48": "assets/img/48.png",
    "128": "assets/img/128.png"
  },
  "action": {
    "default_icon": {
      "16": "assets/img/16.png",
      "24": "assets/img/24.png",
      "32": "assets/img/32.png"
    }
  },
  "version": "17.6.3",
  "background": {
    "service_worker": "background.js"
  },
  "short_name": "DragApp",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_appDesc__",
  "permissions": [
    "scripting"
  ],
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "style-loader.js",
        "assets/js/jquery-2.1.4.min.js",
        "assets/js/jquery-ui.js",
        "assets/js/jquery.timepicker.min.js",
        "assets/js/intro.min.js",
        "assets/js/switchery.js",
        "app.js"
      ],
      "css": [
        "assets/css/fonts.css",
        "assets/css/external-library/introjs.min.css",
        "assets/css/external-library/font-awesome.css",
        "assets/css/external-library/jquery-ui.css",
        "assets/css/external-library/switchery.css",
        "assets/css/reset.css",
        "assets/css/common-layout.css",
        "assets/css/common-components.css",
        "assets/css/modules-css/growth-hack.css",
        "assets/css/modules-css/showYtVideo.css",
        "assets/css/modules-css/task.css",
        "assets/css/modules-css/checklist-popup.css",
        "assets/css/modules-css/app-render.css",
        "assets/css/modules-css/drag-settings.css",
        "assets/css/modules-css/sendto-column.css",
        "assets/css/modules-css/payment-popup.css",
        "assets/css/modules-css/member-team-board-popup.css",
        "assets/css/modules-css/board-settings-popup.css",
        "assets/css/modules-css/board-default-reply-as.css",
        "assets/css/modules-css/automation-popup.css",
        "assets/css/modules-css/card-view.css",
        "assets/css/modules-css/detail-view.css",
        "assets/css/modules-css/dropdown-view.css",
        "assets/css/mail-popup.css",
        "assets/css/signature.css",
        "assets/css/modules-css/email-tracking.css",
        "assets/css/modules-css/compose-box.css",
        "assets/css/modules-css/incoming-email-popup.css",
        "assets/css/modules-css/create-board.css",
        "assets/css/modules-css/settings-popup.css",
        "sten/tailwind.css"
      ],
      "run_at": "document_end",
      "matches": [
        "https://mail.google.com/*",
        "https://inbox.google.com/*"
      ],
      "all_frames": false
    }
  ],
  "host_permissions": [
    "https://app.dragapp.com/*",
    "https://*.google.com/*",
    "https://www.googleapis.com/*",
    "https://mail.google.com/",
    "https://inbox.google.com/"
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "default-src 'self'"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "resources": [
        "assets/css/*",
        "assets/img/*",
        "assets/components/*",
        "sten/*",
        "sten/assets/*",
        "*.ttf",
        "*.woff",
        "*.woff2"
      ]
    }
  ]
}

DragApp: Gmail shared inbox

Extension Details

Context-Aware Verdict

Security Analysis

Security Analysis Details

Required Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (233 total):

Raw Manifest

Secure Annex (beta)