[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Code Verify

Version 4.1.0 View in Chrome Web Store

Last scanned: about 14 hours ago

Extension Details

Rating: 2.2 ★ (33 ratings)

Users: 30,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a concerning trust profile with only 30,000 users and a very low rating of 2.2 out of 5 stars from 33 reviews, indicating significant user dissatisfaction. The lack of clear author and developer information raises additional transparency concerns. While the name "Code Verify" suggests a legitimate security purpose, the poor user feedback suggests potential issues with functionality or trustworthiness.

Concerns:

The extension requests webRequest permissions combined with broad access to major social media platforms (Facebook, Instagram, WhatsApp, Messenger), creating a powerful combination for intercepting and potentially modifying sensitive communications. The storage permission allows it to retain intercepted data locally. The host permissions are overly broad for what appears to be a code verification tool, extending beyond necessary functionality. The low user rating suggests the extension may not be performing as advertised or could be causing unwanted behavior.

Recommendations:

Given the high risk level and poor user reviews, avoid installing this extension unless absolutely necessary. If you must use it, run it in a separate Chrome profile isolated from your main browsing activities and personal accounts. Consider alternative code verification tools with better reputations and more transparent development teams. Monitor your social media accounts closely for any unusual activity if you choose to proceed with installation.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Access to Sensitive Domains

This extension requests access to sensitive domains: https://static.cdninstagram.com/, *://*.facebook.com/*, *://*.instagram.com/*. Ensure you trust this extension with access to these sites.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

webRequest
storage

Host Permissions:

https://*.privacy-auditability.cloudflare.com/
https://static.xx.fbcdn.net/
https://static.cdninstagram.com/
https://static.whatsapp.net/
*://*.messenger.com/*
*://*.facebook.com/*
*://*.instagram.com/*
*://*.whatsapp.com/*

Embedded URLs (98 total):

http://www.w3.org/2000/svg	http://www.w3.org/1999/xlink
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Chrome_incompatibilities	https://stackoverflow.com/questions/28431505/unchecked-runtime-lasterror-when-using-chrome-api/28432087#28432087
https://www.w3.org/TR/CSP3/#parse-serialized-policy-list	https://bugs.chromium.org/p/chromium/issues/detail?id=1492006
https://developer.apple.com/forums/thread/668159	https://www.facebook.com
https://www.messenger.com	https://www.instagram.com
https://web.whatsapp.com	https://api.privacy-auditability.cloudflare.com/v1/hash/
https://bugzilla.mozilla.org/show_bug.cgi?id=745678	https://github.com/mozilla/sweet.js/wiki/design
http://en.wikipedia.org/wiki/Operator-precedence_parser	https://github.com/acornjs/acorn/issues/575
https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern	https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction
https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative	https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion	https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier
https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix	https://www.ecma-international.org/ecma-262/8.0/#sec-term
https://www.ecma-international.org/ecma-262/8.0/#prod-Atom	https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier	https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter	https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape	https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape	https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape
https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter	https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape	https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape
https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape	https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass
https://tc39.es/ecma262/#prod-ClassContents	https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges	https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom	https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape	https://tc39.es/ecma262/#prod-ClassSetExpression
https://tc39.es/ecma262/#prod-ClassUnion	https://tc39.es/ecma262/#prod-ClassIntersection
https://tc39.es/ecma262/#prod-ClassSubtraction	https://tc39.es/ecma262/#prod-ClassSetRange
https://tc39.es/ecma262/#prod-ClassSetOperand	https://tc39.es/ecma262/#prod-NestedClass
https://tc39.es/ecma262/#prod-ClassStringDisjunction	https://tc39.es/ecma262/#prod-ClassStringDisjunctionContents
https://tc39.es/ecma262/#prod-ClassString	https://tc39.es/ecma262/#prod-NonEmptyClassString
https://tc39.es/ecma262/#prod-ClassSetCharacter	https://tc39.es/ecma262/#prod-ClassSetReservedDoublePunctuator
https://tc39.es/ecma262/#prod-ClassSetSyntaxCharacter	https://tc39.es/ecma262/#prod-ClassSetReservedPunctuator
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter	https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence
https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits	https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence	https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit
https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits	https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit
https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral	http://marijnhaverbeke.nl/git/acorn
https://github.com/acornjs/acorn.git	https://github.com/acornjs/acorn/issues
https://www.typescriptlang.org/docs/handbook/2/narrowing.html#exhaustiveness-checking	https://www.w3.org/TR/CSP3/#match-paths
https://bugzilla.mozilla.org/show_bug.cgi?id=1847548&fbclid=IwAR3qIyYr5K92_Cw3UJmgtSbgBKwZ5bLppP6LNwN6lC-kQVEdxr_52zeQUPE	https://www.facebook.com/btarchive/
https://clients2.google.com/service/update2/crx	https://static.xx.fbcdn.net/

Page 1 of 2

Raw Manifest

{
  "name": "Code Verify",
  "icons": {
    "32": "default_32.png",
    "48": "default_48.png",
    "64": "default_64.png",
    "128": "default_128.png"
  },
  "action": {
    "default_icon": {
      "32": "default_32.png",
      "48": "default_48.png",
      "64": "default_64.png",
      "128": "default_128.png"
    },
    "default_title": "Code Verify"
  },
  "version": "4.1.0",
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "An extension to verify the code running in your browser matches what was published.",
  "permissions": [
    "webRequest",
    "storage"
  ],
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "contentMSGR.js"
      ],
      "run_at": "document_start",
      "matches": [
        "*://*.messenger.com/*"
      ],
      "all_frames": true
    },
    {
      "js": [
        "contentFB.js"
      ],
      "run_at": "document_start",
      "matches": [
        "*://*.facebook.com/*"
      ],
      "all_frames": true,
      "match_about_blank": true
    },
    {
      "js": [
        "contentIG.js"
      ],
      "run_at": "document_start",
      "matches": [
        "*://*.instagram.com/*"
      ],
      "all_frames": true,
      "match_about_blank": true
    },
    {
      "js": [
        "contentWA.js"
      ],
      "run_at": "document_start",
      "matches": [
        "*://*.whatsapp.com/*"
      ],
      "all_frames": true,
      "match_about_blank": true
    }
  ],
  "host_permissions": [
    "https://*.privacy-auditability.cloudflare.com/",
    "https://static.xx.fbcdn.net/",
    "https://static.cdninstagram.com/",
    "https://static.whatsapp.net/",
    "*://*.messenger.com/*",
    "*://*.facebook.com/*",
    "*://*.instagram.com/*",
    "*://*.whatsapp.com/*"
  ],
  "manifest_version": 3
}

by ✦ Astarte

Code Verify

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (98 total):

Raw Manifest

Detections

Manifest Findings