CRXaminer

Web eID

Version 2.3.0

Last scanned: about 4 hours ago

Extension Details

Rating: 1.8 ★ (124 ratings)
Users: 1,000,000

Context-Aware Verdict

Overall Risk: HIGH

Trust Factors:

The extension has a substantial user base of 1 million users, which suggests some level of community adoption. However, the extremely low rating of 1.8 out of 5 stars from 124 reviews is a significant red flag indicating widespread user dissatisfaction or potential issues. The lack of clear author and developer information reduces transparency and accountability.

Concerns:

The extension's broad permissions are particularly concerning given its unclear purpose from the limited description provided. The combination of universal host permissions (*://*/*) and content script injection across all websites creates an extremely powerful attack surface. The nativeMessaging permission allows communication with native applications on the user's system, which could potentially be exploited for system-level access. The poor user rating suggests the extension may not be functioning as intended or could be causing problems for users.

Recommendations:

Given the high-risk profile and poor user feedback, consider running this extension in a completely separate Chrome profile if you must use it. Before installation, research the extension's actual purpose and verify its legitimacy through official sources. Monitor your system and browser behavior closely after installation. Consider alternative extensions with better ratings and clearer developer information. If the extension is for digital identity or authentication purposes (as the name suggests), ensure it's from a trusted, verified source before proceeding.

Findings

HIGH: Broad Content Script Injection
This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH: Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.