CRXaminer

DragApp: Gmail shared inbox

Version 18.9.0

Last scanned: about 1 month ago

Extension Details

Developer: https://www.dragapp.com/
Rating: 4.1 ★ (680 ratings)
Users: 20,000

Context-Aware Verdict

Overall Risk: MEDIUM

Trust Factors:

DragApp appears to be a legitimate business productivity tool with a dedicated website and clear purpose - transforming Gmail into a shared inbox for team collaboration. The extension has 20,000 users and maintains a solid 4.1-star rating from 680 reviews, indicating general user satisfaction. The company provides transparency with their website URL and the extension serves a specific, well-defined function.

Concerns:

The primary concern is the extension's broad host permissions extending beyond just Gmail domains to include all Google services (*.google.com) and the Google APIs. While access to mail.google.com and inbox.google.com is necessary for the stated functionality, the broader Google domain access could potentially allow data collection from other Google services like Drive, Calendar, or Search. The scripting permission combined with content script injection into Gmail gives the extension significant control over your email interface and data.

Recommendations:

Given the medium risk level, consider running this extension in a dedicated Chrome profile used specifically for work-related Gmail activities. This isolates the extension from your personal browsing and other Google services. Before installation, review DragApp's privacy policy to understand their data handling practices. Monitor the extension's behavior and revoke access if you notice any unexpected activity. The risk is manageable for users who specifically need shared inbox functionality and trust the DragApp service.

Findings

HIGH: Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM: Access to Sensitive Domains
This extension requests access to sensitive domains: https://*.google.com/*, https://www.googleapis.com/*, https://mail.google.com/, https://inbox.google.com/. Ensure you trust this extension with access to these sites.