CRXaminer

Ugly Email

Version 4.1.2

Last scanned: about 5 hours ago

Extension Details

Developer: http://uglyemail.com/
Rating: 3.7 ★ (350 ratings)
Users: 30,000

Context-Aware Verdict

Overall Risk: CRITICAL

Trust Factors:

The extension has a moderate user base of 30,000 users and a decent rating of 3.7/5 from 350 reviews, suggesting some level of community acceptance. The extension's purpose appears to be email-related functionality for Gmail, and the developer website (uglyemail.com) provides some transparency about the extension's origin.

Concerns:

The extension presents several serious security concerns that justify the critical risk rating. The combination of webRequest and webRequestBlocking permissions allows complete interception and modification of web traffic, which is extremely powerful for a Gmail-focused tool. The Content Security Policy permits unsafe JavaScript evaluation, creating a vulnerability to code injection attacks. The extension uses the older Manifest V2, which lacks modern security protections. Given that this extension operates on Gmail, it has access to highly sensitive email communications and could potentially intercept, modify, or steal email content and attachments.

Recommendations:

Due to the critical risk level, avoid installing this extension on your primary browser profile. If you must use it, create a dedicated Chrome profile specifically for this extension and limit its use to non-sensitive email accounts. Consider alternative email privacy tools that use Manifest V3 and have more restrictive permissions. Regularly monitor your email account for any suspicious activity if you choose to use this extension. The powerful web request permissions combined with email access create significant potential for data compromise.

Findings

HIGH
Dangerous Permission Combination: webRequest + webRequestBlocking
This extension can intercept, modify, and block web requests in real time. This combination could be used to modify sensitive web traffic or steal data.

HIGH
High-Risk Permission: webRequest
This extension has the webRequest permission. It can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

HIGH
High-Risk Permission: webRequestBlocking
This extension has the webRequestBlocking permission. It can block and modify web requests in real time. This could potentially be used maliciously to compromise security or privacy.

HIGH
Unsafe JavaScript Evaluation
This extension's Content Security Policy allows 'unsafe-eval', which permits dynamic JavaScript code execution using eval() and similar functions. This is a significant security risk as it could allow execution of malicious code.

MEDIUM
Older Manifest Version
This extension uses Manifest Version 2, which has fewer security restrictions than Manifest V3. Consider using extensions that have upgraded to V3.