CRXaminer

DragApp: Gmail shared inbox

Version 19.5.0

Last scanned: about 11 hours ago

Extension Details

Developer: DRAGAPP.COM LIMITED
Rating: 4.1 ★ (676 ratings)
Users: 20,000

Context-Aware Verdict

Overall Risk: MEDIUM

Trust Factors:

DragApp appears to be a legitimate business productivity tool with a reasonable user base of 20,000 users and a solid 4.1-star rating from 676 reviews. The company DRAGAPP.COM LIMITED seems to be an established entity focused on Gmail collaboration tools. The extension has been actively maintained with version 19.5.0, suggesting ongoing development and support.

Concerns:

The primary concern is the broad host permissions that extend beyond what's strictly necessary for Gmail functionality. While access to Google domains (mail.google.com, googleapis.com) is expected for a Gmail tool, the wildcard permission for all Google subdomains (*.google.com/*) creates unnecessary exposure. The extension also requires access to its own domain (app.dragapp.com), which is normal for cloud-based services but means your Gmail data may be processed on external servers.

The scripting permission, combined with content script injection into Gmail, could give the extension access to sensitive email content, though this appears necessary for the shared inbox functionality.

Recommendations:

This extension appears legitimate for its intended purpose, but the broad permissions warrant caution. Consider running it in a separate Chrome profile dedicated to work activities to isolate it from personal browsing. Review the company's privacy policy to understand how your Gmail data is handled. Monitor for any unusual behavior or unauthorized access to your Google account after installation.

Findings

HIGH: Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM: Access to Sensitive Domains
This extension requests access to sensitive domains: https://*.google.com/*, https://www.googleapis.com/*, https://mail.google.com/, https://inbox.google.com/. Ensure you trust this extension with access to these sites.