CRXaminer

DragApp: Gmail shared inbox

Version 19.5.0

Last scanned: 5 days ago

Extension Details

Developer: DRAGAPP.COM LIMITED
Rating: 4.1 ★ (676 ratings)
Users: 20,000

Context-Aware Verdict

MEDIUM
Overall Risk
Trust Factors:

The extension has a solid user base of 20,000 users and maintains a decent 4.1-star rating from 676 reviews, indicating general user satisfaction. DRAGAPP.COM LIMITED appears to be a legitimate company focused on Gmail productivity tools. The extension's purpose as a Gmail shared inbox solution aligns with its requested permissions, suggesting legitimate business intent.

Concerns:

The primary concern is the broad host permissions that extend beyond what's strictly necessary for Gmail functionality. While access to Google domains is expected for a Gmail tool, the wildcard permissions for google.com could potentially allow access to other Google services beyond Gmail. The extension can inject scripts into Gmail pages and communicate with external servers, which creates potential data exposure risks. The scripting permission combined with content script injection capabilities means the extension has significant control over Gmail's interface and data.

Recommendations:

This extension appears legitimate for its intended purpose, but users should exercise caution due to the broad permissions. Consider running it in a separate Chrome profile if you handle highly sensitive emails. Review the extension's privacy policy to understand how your Gmail data is processed and stored. Monitor your Gmail account for any unusual activity after installation. Given the medium risk level and the extension's business focus, it's likely safe for most users who need shared inbox functionality, but corporate users should verify compliance with their organization's security policies before installation.

Findings

HIGH
Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.
MEDIUM
Access to Sensitive Domains
This extension requests access to sensitive domains: https://*.google.com/*, https://www.googleapis.com/*, https://mail.google.com/, https://inbox.google.com/. Ensure you trust this extension with access to these sites.