CRXaminer

Web eID

Version 2.3.0

Last scanned: about 2 hours ago

Extension Details

Rating: 1.8 ★ (124 ratings)
Users: 1,000,000

Context-Aware Verdict

Overall Risk: HIGH

Trust Factors:

The extension has a substantial user base of 1 million users, which suggests some level of community adoption. However, the extremely low rating of 1.8 out of 5 stars from 124 reviews is a significant red flag, indicating widespread user dissatisfaction or potential issues with functionality or security. The lack of clear author and developer information reduces transparency and accountability.

Concerns:

The extension's broad host permissions (*://*/*) and its ability to inject content scripts across all websites form a dangerous combination that could enable comprehensive data harvesting, credential theft, or malicious website modifications. The native messaging permission allows communication with local applications, potentially expanding the attack surface beyond the browser. The poor user rating suggests either broken functionality or concerning behavior that users have experienced firsthand.

Recommendations:

Given the high-risk profile and poor user feedback, consider avoiding this extension entirely. If the Web eID functionality is essential for your work or organization, run it in a completely isolated Chrome profile with no access to personal accounts or sensitive websites. Before installation, research the specific organization or government entity that should be providing this extension, as Web eID typically relates to national digital identity systems. Only install from official sources and verify the publisher's authenticity through official channels.

Findings

HIGH: Broad Content Script Injection
This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH: Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.