Starting analysis...
IPL watch party with video chat
Version 1.3.9 View in Chrome Web Store
Last scanned: 27 days ago
| force re-scan
Extension Details
Developer:
iplparty.com
Rating:
5.0 ★
(2 ratings)
Size:
12.85MiB
Last Updated:
April 3, 2024
Users:
127
Context-Aware Verdict
This section provides a Claude-based AI analysis that applies additional context to the risk. Results are not guaranteed to be accurate.
HIGH
Risk Level
Trust Factors:
- The extension has a relatively small user base (127 users), which could indicate a lack of widespread trust or popularity.
- The developer information is limited, making it difficult to assess their reputation or track record.
Concerns:
- The extension requests broad host permissions (*://*/*), allowing it to access all websites, which is unnecessary for its stated purpose of enabling video chat during IPL matches.
- The extension can inject content scripts into any website (<all_urls>), which is a significant privacy and security risk, as it could potentially read sensitive data, modify website content, or steal credentials.
- The "tabs" permission allows the extension to access and manipulate browser tabs, which could be misused for malicious purposes.
- The "storage" and "notifications" permissions are not inherently concerning but should be scrutinized in the context of the extension's functionality.
Recommendations:
- Exercise caution when installing this extension, as it requests excessive permissions that are not aligned with its stated purpose.
- Consider running the extension in a separate browser profile or a sandboxed environment to mitigate potential risks.
- Closely monitor the extension's behavior and uninstall it if any suspicious activity is detected.
- Seek alternative extensions from reputable developers that offer similar functionality with more reasonable permission requests.
- Report the extension to the Chrome Web Store if any malicious behavior is confirmed, to protect other users.
Security Analysis
This section provides a detailed analysis of the extension's security posture, without broader context. Assumes worst-case impact.
HIGH
Overall Risk
Based on 5 total findings, ranked without considering overall context, including 3 high-risk and 2 medium-risk findings.
HIGH
Broad Content Script Injection
This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.
HIGH
Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.
HIGH
High-Risk Permission: tabs
This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.
MEDIUM
Medium-Risk Permission: notifications
This extension has the notifications permission. Can show notifications.
MEDIUM
Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.
Security Analysis Details
Required Permissions:
- tabs
- storage
- contentSettings
- notifications
Host Permissions:
- *://*/*
Embedded URLs (25 total):
| https://www.jiocinema.com/ | https://mui.com/production-error/?code= | |
| https://reactjs.org/docs/error-decoder.html?invariant= | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/2000/svg | |
| http://www.w3.org/1998/Math/MathML | http://www.w3.org/1999/xhtml | |
| https://cdn.jsdelivr.net/npm/emoji-datasource-apple/img/apple/64/ | https://cdn.jsdelivr.net/npm/emoji-datasource-facebook/img/facebook/64/ | |
| https://cdn.jsdelivr.net/npm/emoji-datasource-twitter/img/twitter/64/ | https://cdn.jsdelivr.net/npm/emoji-datasource-google/img/google/64/ | |
| https://github.com/styled-components/styled-components/blob/main/packages/styled-components/src/utils/errors.md# | https://socket.io/docs/v3/migrating-from-2-x-to-3-0/ | |
| https://vc.iplparty.com | http://akash.com/img | |
| https://chromewebstore.google.com/detail/ipl-party/ | https://peerjs.com | |
| https://github.com/peers/peerjs/issues | https://github.com/peers/peerjs | |
| https://opencollective.com/peer | https://fonts.googleapis.com | |
| https://fonts.gstatic.com | https://fonts.googleapis.com/css2?family=Inter:wght@100 | |
| https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "name": "IPL watch party with video chat", "icons": { "16": "images/icons/grey16.png", "32": "images/icons/red32.png", "64": "images/icons/red64.png", "128": "images/icons/red128.png" }, "action": { "default_popup": "index.html" }, "version": "1.3.9", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Activate this chrome extension to view IPL matches together with your friends through one click 🏏👫", "permissions": [ "tabs", "storage", "contentSettings", "notifications" ], "content_scripts": [ { "js": [ "react-app-holder.js" ], "run_at": "document_end", "matches": [ "<all_urls>" ] }, { "js": [ "content.js" ], "run_at": "document_end", "matches": [ "<all_urls>" ] } ], "host_permissions": [ "*://*/*" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "images/*", "fonts/*", "videoScript.js", "images/icons/*" ] } ] }
Secure Annex (beta)
Coming soon...