[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Costco Receipts Downloader

Version 3.0 View in Chrome Web Store

Last scanned: about 2 hours ago

Extension Details

Rating: 5.0 ★ (10 ratings)

Users: 1,000

Context-Aware Verdict

MEDIUM

Overall Risk

Trust Factors:

The extension has a perfect 5.0 rating from 10 reviews and serves a legitimate purpose for Costco customers who want to download their receipts. The 1,000 user base suggests moderate adoption. However, the lack of visible author and developer information reduces transparency and accountability, which is concerning for an extension handling financial data.

Concerns:

The primary concern is the broad host permissions covering multiple international Costco domains, including a wildcard pattern for *.costco.com/*. While these permissions align with the extension's stated purpose of working across different Costco websites, they represent extensive access to all Costco pages where users handle sensitive financial information, purchase history, and personal data. The activeTab permission, while standard, adds another layer of access to whatever tab is currently active.

The absence of detailed developer information makes it difficult to verify the extension's legitimacy or contact the developer if issues arise. For an extension dealing with financial receipts and shopping data, this lack of transparency is problematic.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to Costco shopping to limit exposure. Only activate the extension when specifically downloading receipts, then disable it afterward. Regularly review your Costco account for any suspicious activity. Given the financial nature of the data involved, consider alternative methods for receipt management if you're uncomfortable with the broad permissions required.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

Security Analysis Details

Required Permissions:

scripting
activeTab

Host Permissions:

https://www.costco.com/*
https://www.costco.ca/*
https://www.costco.co.uk/*
https://www.costco.com.au/*
https://www.costco.co.jp/*
https://www.costco.com.mx/*
https://www.costco.co.kr/*
https://www.costco.com.tw/*
https://*.costco.com/*

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self';

Embedded URLs (27 total):

https://ecom-api.costco.com/ebusiness/product/v1/products/graphql	https://www.costco.com
https://www.costco.com/	https://ecom-api.costco.com/ebusiness/order/v1/orders/graphql
https://www.trackmyco.com/	https://keepachangelog.com/en/1.0.0/
https://semver.org/spec/v2.0.0.html	http://www.w3.org/2000/svg
https://img.shields.io/badge/License-MIT-yellow.svg	https://opensource.org/licenses/MIT
https://img.shields.io/badge/version-1.1-blue.svg	https://github.com/your-username/costco-receipt-scanner
https://github.com/your-username/costco-receipt-scanner.git	https://github.com/your-username/costco-receipt-scanner/issues
https://github.com/YOUR_USERNAME/costco-receipt-scanner.git	https://github.com/original-repo/costco-receipt-scanner.git
https://developer.chrome.com/docs/extensions/	https://developer.mozilla.org/en-US/docs/Web/JavaScript
https://git-scm.com/doc	https://clients2.google.com/service/update2/crx
https://www.costco.ca/	https://www.costco.co.uk/
https://www.costco.com.au/	https://www.costco.co.jp/
https://www.costco.com.mx/	https://www.costco.co.kr/
https://www.costco.com.tw/

Raw Manifest

{
  "name": "Costco Receipts Downloader",
  "icons": {
    "16": "images/icon16.png",
    "32": "images/icon32.png",
    "48": "images/icon48.png",
    "128": "images/icon128.png",
    "256": "images/icon256.png"
  },
  "action": {
    "default_icon": {
      "16": "images/icon16.png",
      "24": "images/icon24.png",
      "32": "images/icon32.png"
    },
    "default_popup": "popup.html",
    "default_title": "Costco Receipts Downloader"
  },
  "version": "3.0",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Cross-browser extension to extract receipt information from Costco worldwide",
  "permissions": [
    "scripting",
    "activeTab"
  ],
  "host_permissions": [
    "https://www.costco.com/*",
    "https://www.costco.ca/*",
    "https://www.costco.co.uk/*",
    "https://www.costco.com.au/*",
    "https://www.costco.co.jp/*",
    "https://www.costco.com.mx/*",
    "https://www.costco.co.kr/*",
    "https://www.costco.com.tw/*",
    "https://*.costco.com/*"
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self';"
  },
  "browser_specific_settings": {
    "gecko": {
      "id": "costco-receipt-scanner@extension.com",
      "strict_min_version": "109.0"
    }
  }
}

by ✦ Astarte