[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

FreshBooks Time Tracker

Version 3.4 View in Chrome Web Store

Last scanned: about 5 hours ago

Extension Details

Rating: 2.5 ★ (45 ratings)

Users: 4,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension appears to be associated with FreshBooks, a legitimate accounting software company, which adds some credibility. However, the low user count of only 4,000 users and poor rating of 2.5 stars with 45 reviews raises significant concerns about quality and user satisfaction. The lack of visible developer information and missing last updated date further diminishes trust.

Concerns:

The tabs permission is particularly concerning for a time tracking application, as it allows the extension to access and manipulate all browser tabs, which goes beyond what's necessary for basic time tracking functionality. The identity permission, while potentially needed for FreshBooks integration, creates additional privacy risks by accessing user identity information. The combination of these permissions with the extension's poor user ratings suggests potential overreach in functionality or poor implementation.

Recommendations:

Given the high-risk permissions and poor user feedback, consider running this extension in a separate Chrome profile to isolate potential security risks. Before installation, verify this is the official FreshBooks extension by checking their website directly. Consider alternative time tracking solutions with better ratings and more transparent permission usage. If you must use this extension, regularly review what data it's accessing and consider disabling it when not actively tracking time. Monitor your FreshBooks account for any unusual activity after installation.

Findings

HIGH

High-Risk Permission: identity

This extension has the identity permission. Can access your identity information. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: notifications

This extension has the notifications permission. Can show notifications.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

tabs
identity
storage
notifications

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self'

Embedded URLs (60 total):

https://clients2.google.com/service/update2/crx	http://www.freshbooks.com/
https://guides.emberjs.com/release/components/wrapping-content-in-a-component/	https://discuss.emberjs.com/t/readers-questions-what-is-meant-by-the-term-data-down-actions-up/15311
https://github.com/philipwalton/flexbugs	https://www.w3.org/TR/2017/NOTE-wai-aria-practices-1.1-20171214/#dialog_modal
https://github.com/cibernox/ember-basic-dropdown	https://ember-basic-dropdown.com/cookbook/no-trigger
http://www.w3.org/2000/svg	http://www.w3.org/2000/xmlns/
https://api.freshbooks.com	https://auth.freshbooks.com
https://manage.gusto.com/payroll_admin/payrolls/new	https://manage.gusto.com/payroll_admin/company/settings/integrations
https://manage.gusto.com/payroll_admin/company/settings/integrations/freshbooks	https://app.gusto.com/reports/summary
https://support.freshbooks.com/hc/en-us/articles/115014586048-How-does-the-Gusto-integration-work-	https://www.freshbooks.com/integrations/pages/gusto-payroll-software
https://keypay.yourpayroll.co.uk/Business/	https://keypay.yourpayroll.co.uk/
https://keypay.yourpayroll.co.uk//Business/	https://freshbooks.yourpayroll.co.uk/signup
https://keypay.yourpayroll.co.uk/Reporting/	https://www.freshbooks.com/integrations/pages/keypay
https://keypay.yourpayroll.com.au/Business/	https://keypay.yourpayroll.com.au/
https://keypay.yourpayroll.com.au//Business/	https://freshbooks.yourpayroll.com.au/signup
https://freshbooks.yourpayroll.com.au/Reporting/	https://www.freshbooks.com/integrations/pages/keypay-aus
https://www.surepayroll.com/	https://dbushell.com/
http://openexchangerates.github.io/accounting.js/	http://www.w3.org/1999/xlink
http://momentjs.com/guides/#/warnings/define-locale/	http://momentjs.com/guides/#/warnings/js-date/
http://momentjs.com/guides/#/warnings/min-max/	http://momentjs.com/guides/#/warnings/add-inverted-param/
http://momentjs.com/guides/#/warnings/zone/	http://momentjs.com/guides/#/warnings/dst-shifted/
https://momentjs.com/timezone/docs/#/use-it/browser/	http://momentjs.com/timezone/docs/#/data-loading/.
https://jquery.com/	https://sizzlejs.com/
https://jquery.org/license	https://js.foundation/
https://raw.github.com/emberjs/ember.js/master/LICENSE	http://git.io/EKPpnA
https://deprecations.emberjs.com/v1.x/#toc_binding-style-attributes.	http://www.w3.org/1999/xhtml
https://github.com/emberjs/rfcs/blob/master/text/0176-javascript-module-api.md	https://github.com/Pikaday/Pikaday
http://ember-concurrency.com/docs/task-cancelation-help	http://git.io/yBU2rg
https://www.freshbooks.com/policies/security-safeguards	https://gravatar.com/avatar/fde023d150cb32e30f1c65bed52f4113
https://gravatar.com/avatar/54affca349735f112419bd5d0732ac8d	https://gravatar.com/avatar/d0fd1918831c5be2537ca8a0f67b8023
https://www.a11yproject.com/posts/2013-01-11-how-to-hide-content/	http://meyerweb.com/eric/tools/css/reset/

Raw Manifest

{
  "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqlrNgS3jD6hwE182YHwOttMxMeheXwzM53gPon9HR8i7KR3joj1KljY0aLYv7G8CAdHJzAOicHCjRAi2qLK7t0fghs1VLeXdkJ133ukphbqkKt/kfSHpWSyjALgWAtdb9W5E1wLa+ebFS1CqWXUqieiX+SszP2z/RQNk6WdN6K7Nofx/aJvlu8wnYyoRX629iBqDNOgnyfgHJY77ym/p8hJjZ+jp9iWsR8Vmo/yZwtToYfekdPaOa5Z9qYKh5OFRG+9ISpszLzUNS7U7t8ElgJ6O9qltSw98CcMDIdArlPjOM6ip52I+FX+7MGO7ffFFV0lLbwniXj+BBaE2yY1Q7wIDAQAB",
  "name": "FreshBooks Time Tracker",
  "icons": {
    "16": "assets/images/browser-icons/icon-blue.png",
    "128": "assets/images/browser-icons/icon-blue.png"
  },
  "action": {
    "default_icon": {
      "19": "assets/images/browser-icons/icon-blue.png"
    },
    "default_popup": "popup.html",
    "default_title": "FreshBooks"
  },
  "version": "3.4",
  "background": {
    "service_worker": "background.js"
  },
  "short_name": "FreshBooks",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Track time from Chrome so you never miss a billable minute.",
  "permissions": [
    "tabs",
    "identity",
    "storage",
    "notifications"
  ],
  "content_scripts": [],
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'"
  }
}

by ✦ Astarte

FreshBooks Time Tracker

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Content Security Policy:

Embedded URLs (60 total):

Raw Manifest

Detections

Manifest Findings