CRXaminer

Search AliExpress Products By Image

Version 1.0.6

Last scanned: about 16 hours ago

Extension Details

Rating: 4.1 ★ (7 ratings)
Users: 457

Context-Aware Verdict

Overall Risk: HIGH

Trust Factors:

The extension has a very small user base of only 457 users, which limits community validation. The rating of 4.1 from just 7 reviews provides minimal reliability data. The lack of visible developer information raises transparency concerns. The extension's purpose - searching AliExpress products by image - appears legitimate but the implementation raises security flags.

Concerns:

The extension requests broad access to major e-commerce sites (Amazon, eBay, Etsy, AliExpress) through content scripts, which is excessive for its stated image search function. The tabs permission allows monitoring and manipulation of all browser tabs, creating privacy risks. Its Content Security Policy allows 'unsafe-eval', which enables dynamic JavaScript execution, a significant security weakness that could allow malicious code injection. Communication with an external API (dropshipautoorder.info) introduces data transmission risks. The older Manifest V2 framework provides weaker security protections than current standards.

Recommendations:

Consider running this extension in a separate Chrome profile to isolate potential risks from your main browsing. Monitor network activity to understand what data is being transmitted to external servers. Look for alternative image search extensions with better security practices and larger user bases. If you must use this extension, avoid using it while logged into sensitive accounts on the supported e-commerce platforms. Review it regularly and remove it if it is not actively needed.

Findings

HIGH - High-Risk Permission: tabs
This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH - Unsafe JavaScript Evaluation
This extension's Content Security Policy allows 'unsafe-eval', which permits dynamic JavaScript code execution using eval() and similar functions. This is a significant security risk as it could allow execution of malicious code.

MEDIUM - Medium-Risk Permission: contextMenus
This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM - Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.

MEDIUM - Older Manifest Version
This extension uses Manifest Version 2, which has fewer security restrictions than Manifest V3. Consider using extensions that have upgraded to V3.