[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Gloomin - Screenshot & Screen Recorder

Version 1.0.3 View in Chrome Web Store

Last scanned: about 3 hours ago

Extension Details

Developer: gloomin.com

Rating: 5.0 ★ (6 ratings)

Users: 33

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

The extension has extremely limited adoption with only 33 users and 6 reviews, making it difficult to assess reliability through community feedback. While it maintains a perfect 5.0 rating, the small sample size makes this less meaningful. The developer domain (gloomin.com) appears legitimate for a screenshot/recording tool, but the lack of established reputation raises concerns.

Concerns:

The extension requests excessive permissions far beyond what's necessary for basic screenshot and screen recording functionality. The cookies permission is particularly concerning as screenshot tools typically don't need to access or modify browser cookies. The broad host permissions allowing access to all HTTPS websites creates unnecessary attack surface. Content script injection across all URLs enables the extension to potentially read sensitive data from any website you visit, including banking sites, email, and other private information. The combination of tabs, cookies, and broad host permissions creates a powerful surveillance capability that extends well beyond the stated purpose.

Recommendations:

Given the critical risk level, avoid installing this extension entirely. If screenshot/recording functionality is needed, consider established alternatives like built-in browser tools, Loom, or other well-reviewed extensions with more appropriate permission sets. If you must use this extension, run it in a completely separate Chrome profile with no access to sensitive accounts or data, and monitor your cookies and browsing activity closely.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

desktopCapture
tabs
storage
activeTab
scripting
cookies
tabCapture
offscreen

Host Permissions:

http://localhost/*
https://app.gloomin.com/*
https://*/*
https://*.sentry.io/*
https://*.backblazeb2.com/*

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self'; connect-src 'self' data: blob: https://*.sentry.io https://app.gloomin.com http://localhost:3000 https://*.backblazeb2.com

Embedded URLs (140 total):

https://reactjs.org/docs/error-decoder.html?invariant=	http://www.w3.org/1999/xlink
http://www.w3.org/XML/1998/namespace	http://www.w3.org/2000/svg
http://www.w3.org/1998/Math/MathML	http://www.w3.org/1999/xhtml
https://api.example.com	https://app.gloomin.com
https://tailwindcss.com	https://github.com/mozdevs/cssremedy/issues/4
https://github.com/tailwindcss/tailwindcss/pull/116	https://bugzilla.mozilla.org/show_bug.cgi?id=190655
https://bugs.chromium.org/p/chromium/issues/detail?id=999088	https://bugs.webkit.org/show_bug.cgi?id=201297
https://bugs.chromium.org/p/chromium/issues/detail?id=935729	https://bugs.webkit.org/show_bug.cgi?id=195016
https://github.com/mozilla/gecko-dev/blob/2f9eacd9d3d995c937b4251a5557d95d494c9be1/layout/style/res/forms.css#L728-L737	https://github.com/tailwindlabs/tailwindcss/issues/3300
https://github.com/mozdevs/cssremedy/issues/14	https://github.com/jensimmons/cssremedy/issues/14#issuecomment-634934210
http://momentjs.com/guides/#/warnings/define-locale/	http://momentjs.com/guides/#/warnings/js-date/
http://momentjs.com/guides/#/warnings/min-max/	http://momentjs.com/guides/#/warnings/add-inverted-param/
http://momentjs.com/guides/#/warnings/zone/	http://momentjs.com/guides/#/warnings/dst-shifted/
https://docs.sentry.io/platforms/javascript/best-practices/browser-extensions/	https://fbfccfa518123e88a4f4fd462834a503@o4510741433876480.ingest.us.sentry.io/4510742599827456
http://stackoverflow.com/questions/3561493/is-there-a-regexp-escape-function-in-javascript	https://stackoverflow.com/q/181348
https://en.wikipedia.org/wiki/ISO_week_date#Calculating_a_date_given_the_year.2C_week_number_and_weekday	https://tools.ietf.org/html/rfc2822#section-3.3
https://github.com/moment/moment/issues/1423	https://github.com/moment/moment/issues/2978
https://github.com/moment/moment/pull/1871	http://docs.closure-library.googlecode.com/git/closure_goog_date_date.js.source.html
https://nodejs.org/dist/latest/docs/api/util.html#util_custom_inspect_function_on_objects	https://github.com/moment/moment/issues/2166
https://github.com/dordille/moment-isoduration/blob/master/moment.isoduration.js	https://github.com/microsoft/TypeScript-DOM-lib-generator/pull/1405
https://github.com/getsentry/sentry-javascript/issues/8935	http://stackoverflow.com/questions/105034/how-to-create-a-guid-uuid-in-javascript/2117523#2117523
https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string	https://developer.mozilla.org/en-US/docs/Web/API/Performance
https://github.com/getsentry/sentry-javascript/issues/2590	https://github.com/mdn/content/issues/4713
https://dev.to/noamr/when-a-millisecond-is-not-a-millisecond-3h6	https://github.com/getsentry/sentry-javascript/issues/2590.
https://caniuse.com/mdn-api_performance_timeorigin	https://github.com/getsentry/sentry/blob/master/src/sentry/lang/javascript/processor.py#L67
https://github.com/getsentry/sentry-javascript/pull/8981	https://clients2.google.com/service/update2/crx
https://app.gloomin.com/	https://github.com/getsentry/sentry-javascript/issues/2286
https://github.com/getsentry/sentry-javascript/issues/5459	https://github.com/getsentry/sentry-javascript/issues/7813
https://issuetracker.google.com/issues/396043331	https://developers.facebook.com/community/threads/320013549791141/
https://github.com/getsentry/sentry-javascript/issues/15065	https://develop.sentry.dev/sdk/telemetry/traces/span-links/#link-types
https://www.w3.org/TR/baggage/#limits	https://develop.sentry.dev/sdk/telemetry/traces/tracing-without-performance/
https://develop.sentry.dev/sdk/event-payloads/span/	https://develop.sentry.dev/sdk/telemetry/traces/#propagated-random-value
https://develop.sentry.dev/sdk/telemetry/traces/#stricttracecontinuation	https://developer.mozilla.org/en-US/docs/Web/API/Headers/get
https://github.com/getsentry/sentry-javascript/issues/2572.	https://github.com/getsentry/sentry/blob/9f08305e09866c8bd6d0c24f5b0aabdd7dd6c59c/src/sentry/lang/javascript/errormapping.py#L83-L108
https://github.com/zertosh/invariant/blob/master/invariant.js#L46	https://developer.mozilla.org/en-US/docs/WebAssembly/JavaScript_interface/Exception
https://github.com/getsentry/sentry-javascript/issues/13787	https://github.com/getsentry/sentry-javascript/issues/1949
https://developer.mozilla.org/en-US/docs/Web/API/DOMError	https://developer.mozilla.org/en-US/docs/Web/API/DOMException
https://webidl.spec.whatwg.org/#es-DOMException-specialness	https://github.com/getsentry/sentry-javascript/issues/1168
https://github.com/getsentry/sentry-javascript/pull/7404	https://github.com/getsentry/sentry-javascript/pull/4196
https://caniuse.com/#feat=referrer-policy	https://github.com/getsentry/raven-js/issues/1233

Page 1 of 2

Raw Manifest

{
  "name": "Gloomin - Screenshot & Screen Recorder",
  "icons": {
    "16": "icons/icon16.png",
    "48": "icons/icon48.png",
    "128": "icons/icon128.png"
  },
  "action": {
    "default_icon": {
      "16": "icons/icon16.png",
      "48": "icons/icon48.png",
      "128": "icons/icon128.png"
    }
  },
  "version": "1.0.3",
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Capture screenshots and recordings and upload them to your Gloomin account",
  "permissions": [
    "desktopCapture",
    "tabs",
    "storage",
    "activeTab",
    "scripting",
    "cookies",
    "tabCapture",
    "offscreen"
  ],
  "content_scripts": [
    {
      "js": [
        "content.js"
      ],
      "run_at": "document_idle",
      "matches": [
        "<all_urls>"
      ]
    }
  ],
  "host_permissions": [
    "http://localhost/*",
    "https://app.gloomin.com/*",
    "https://*/*",
    "https://*.sentry.io/*",
    "https://*.backblazeb2.com/*"
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'; connect-src 'self' data: blob: https://*.sentry.io https://app.gloomin.com http://localhost:3000 https://*.backblazeb2.com"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "overlay.js",
        "bridge.js",
        "screencast-app.js",
        "screencast-app.css",
        "assets/logo.png",
        "assets/countdown.wav",
        "recorder.html",
        "recorder.js",
        "camera-bubble.html",
        "camera-bubble.js"
      ]
    }
  ]
}

by ✦ Astarte

Gloomin - Screenshot & Screen Recorder

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (140 total):

Raw Manifest

Detections

Manifest Findings