[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Costco Receipts Downloader

Version 3.0 View in Chrome Web Store

Last scanned: about 5 hours ago

Extension Details

Rating: 5.0 ★ (14 ratings)

Users: 1,000

Context-Aware Verdict

MEDIUM

Overall Risk

Trust Factors:

The extension has a perfect 5.0 rating from 14 reviews and serves a legitimate purpose of downloading Costco receipts. With 1,000 users and version 3.0, it appears to have some development history. However, the lack of visible developer information and company details reduces transparency and accountability.

Concerns:

The primary concern is the broad host permissions that extend beyond what's necessary for the stated functionality. While Costco operates in multiple countries, the wildcard permission for "*.costco.com/*" is overly broad and could potentially access subdomains that aren't related to receipt downloading. The activeTab permission, while standard for many extensions, combined with scripting capabilities on Costco domains, could theoretically access sensitive financial information including purchase history, payment methods, and personal data.

The extension's scope appears limited to Costco websites, which reduces some risk compared to extensions with universal web access, but still presents privacy concerns given the sensitive nature of financial and shopping data.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to Costco shopping to isolate potential risks. Before installation, verify the extension's legitimacy through Costco's official channels or customer support. Monitor your Costco account for any unusual activity after installation. Given the financial nature of the data involved, consider whether manual receipt downloading might be safer than automated tools.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

Security Analysis Details

Required Permissions:

scripting
activeTab

Host Permissions:

https://www.costco.com/*
https://www.costco.ca/*
https://www.costco.co.uk/*
https://www.costco.com.au/*
https://www.costco.co.jp/*
https://www.costco.com.mx/*
https://www.costco.co.kr/*
https://www.costco.com.tw/*
https://*.costco.com/*

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self';

Embedded URLs (27 total):

https://ecom-api.costco.com/ebusiness/product/v1/products/graphql	https://www.costco.com
https://www.costco.com/	https://ecom-api.costco.com/ebusiness/order/v1/orders/graphql
https://www.trackmyco.com/	https://keepachangelog.com/en/1.0.0/
https://semver.org/spec/v2.0.0.html	http://www.w3.org/2000/svg
https://img.shields.io/badge/License-MIT-yellow.svg	https://opensource.org/licenses/MIT
https://img.shields.io/badge/version-1.1-blue.svg	https://github.com/your-username/costco-receipt-scanner
https://github.com/your-username/costco-receipt-scanner.git	https://github.com/your-username/costco-receipt-scanner/issues
https://github.com/YOUR_USERNAME/costco-receipt-scanner.git	https://github.com/original-repo/costco-receipt-scanner.git
https://developer.chrome.com/docs/extensions/	https://developer.mozilla.org/en-US/docs/Web/JavaScript
https://git-scm.com/doc	https://clients2.google.com/service/update2/crx
https://www.costco.ca/	https://www.costco.co.uk/
https://www.costco.com.au/	https://www.costco.co.jp/
https://www.costco.com.mx/	https://www.costco.co.kr/
https://www.costco.com.tw/

Raw Manifest

{
  "name": "Costco Receipts Downloader",
  "icons": {
    "16": "images/icon16.png",
    "32": "images/icon32.png",
    "48": "images/icon48.png",
    "128": "images/icon128.png",
    "256": "images/icon256.png"
  },
  "action": {
    "default_icon": {
      "16": "images/icon16.png",
      "24": "images/icon24.png",
      "32": "images/icon32.png"
    },
    "default_popup": "popup.html",
    "default_title": "Costco Receipts Downloader"
  },
  "version": "3.0",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Cross-browser extension to extract receipt information from Costco worldwide",
  "permissions": [
    "scripting",
    "activeTab"
  ],
  "host_permissions": [
    "https://www.costco.com/*",
    "https://www.costco.ca/*",
    "https://www.costco.co.uk/*",
    "https://www.costco.com.au/*",
    "https://www.costco.co.jp/*",
    "https://www.costco.com.mx/*",
    "https://www.costco.co.kr/*",
    "https://www.costco.com.tw/*",
    "https://*.costco.com/*"
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self';"
  },
  "browser_specific_settings": {
    "gecko": {
      "id": "costco-receipt-scanner@extension.com",
      "strict_min_version": "109.0"
    }
  }
}

by ✦ Astarte