[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

SAS Graphics Accelerator

Version 5.12.2.01223 View in Chrome Web Store

Last scanned: about 4 hours ago

Extension Details

Rating: 4.5 ★ (2 ratings)

Users: 2,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors: The extension is developed by SAS, a reputable enterprise software company known for analytics and data visualization tools. However, the extremely low user count (2,000) and minimal ratings (only 2 reviews) for a product from such a major company raises questions about its adoption and testing in real-world scenarios. The 4.5-star rating is positive but based on very limited feedback.

Concerns: The extension requests several powerful permissions that seem excessive for a graphics acceleration tool. The downloads permission allows access to download history and file downloads, which isn't clearly justified for graphics acceleration. The webNavigation permission enables comprehensive tracking of browsing behavior across all websites. Most concerning is the broad content script injection capability with <all_urls> access, allowing the extension to run code on every website visited. The file:/// permission grants access to local files, which could expose sensitive local data. These permissions collectively create significant privacy and security risks.

Recommendations: Given the high-risk permissions and low user adoption, consider running this extension in a separate Chrome profile to isolate potential risks. Before installation, verify this is the official SAS extension through their website. Monitor the extension's behavior closely and consider whether the graphics acceleration benefits justify the extensive permissions. If you only need basic graphics functionality, look for alternatives with more limited permissions. Regularly review what data the extension might be accessing through Chrome's extension management settings.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

High-Risk Permission: downloads

This extension has the downloads permission. Can download files and access download history. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

Security Analysis Details

Required Permissions:

activeTab
storage
unlimitedStorage
downloads
webNavigation

Content Security Policy:

extension_pages: default-src 'self'; img-src 'self' data:; object-src 'none';frame-ancestors 'none'; style-src 'self' 'unsafe-inline'

Embedded URLs (216 total):

https://chrome.google.com/webstore/detail/sas-graphics-accelerator/ockmipfaiiahknplinepcaogdillgoko	http://support.sas.com/legaldocs/Graphics_Accelerator_Chrome.pdf
https://udger.com/resources/ua-list/os	http://documentation.sas.com/?docsetId=gracclug&docsetVersion=1.0&docsetTarget=titlepage.htm
http://support.sas.com/software/products/graphics-accelerator/samples/index.html	http://support.sas.com/software/products/graphics-accelerator/index.html
https://vega.github.io/schema/vega-lite/	https://developer.mozilla.org/en-US/docs/Web/HTML/Inline_elements#Elements
https://developer.mozilla.org/en-US/docs/Web/Guide/HTML/Content_categories#Phrasing_content	https://bugs.chromium.org/p/chromium/issues/detail?id=1264366
https://bugs.chromium.org/p/chromium/issues/detail?id=1219825	https://www.google.com/maps/d/edit?mid=177rOn_UEHFnxJ89WlLHXekiyL-GQ8Os6&ll=35.780852811744666%2C-78.67375985&z=15
https://www.google.com/maps/d/viewer?mid=177rOn_UEHFnxJ89WlLHXekiyL-GQ8Os6&ll=35.78085281174465%2C-78.67375985&z=15	https://www.google.com/maps/d/kml?mid=177rOn_UEHFnxJ89WlLHXekiyL-GQ8Os6&forcekml=1
https://www.google.com/maps/d/kml?	https://github.com/SheetJS/js-xlsx/issues/705
http://sww.sas.com/cgi-bin/quick_browse?defectid=S1395504	http://sww.sas.com/cgi-bin/quick_browse?defectid=S1408425
http://sww.sas.com/cgi-bin/quick_browse?defectid=S1416360	https://developer.mozilla.org/en-US/docs/Web/API/File
http://www.opensource.org/licenses/mit-license.php	http://code.google.com/p/jquery-json/
http://code.google.com/p/jquery-tsv/	http://support.sas.com/documentation/cdl/en/lrcon/65287/HTML/default/viewer.htm#p18cdcs4v5wd2dn1q0x296d3qek6.htm
https://en.wikipedia.org/wiki/Byte_order_mark	http://sww.sas.com/cgi-bin/quick_browse?defectid=S1408408
https://finance.yahoo.com/quote/	http://sww.sas.com/cgi-bin/quick_browse?defectid=S1414612
http://www.google.com	http://www.sas.com/sasreportmodel/styles
http://adamwdraper.github.com/Numeral-js/	http://www.investopedia.com/terms/b/basispoint.asp
http://stackoverflow.com/questions/3561493/is-there-a-regexp-escape-function-in-javascript	https://stackoverflow.com/q/181348
https://en.wikipedia.org/wiki/ISO_week_date#Calculating_a_date_given_the_year.2C_week_number_and_weekday	http://momentjs.com/guides/#/warnings/define-locale/
https://tools.ietf.org/html/rfc2822#section-3.3	http://momentjs.com/guides/#/warnings/js-date/
https://github.com/moment/moment/issues/1423	http://momentjs.com/guides/#/warnings/min-max/
https://github.com/moment/moment/issues/2978	https://github.com/moment/moment/pull/1871
http://docs.closure-library.googlecode.com/git/closure_goog_date_date.js.source.html	http://momentjs.com/guides/#/warnings/add-inverted-param/
https://nodejs.org/dist/latest/docs/api/util.html#util_custom_inspect_function_on_objects	http://momentjs.com/guides/#/warnings/zone/
http://momentjs.com/guides/#/warnings/dst-shifted/	https://github.com/moment/moment/issues/2166
https://github.com/dordille/moment-isoduration/blob/master/moment.isoduration.js	https://go.documentation.sas.com/?docsetId=gracclug&docsetTarget=n0pzarftj3csiin14f5sdr42othm.htm&docsetVersion=1.0&locale=en
http://www.w3.org/2000/svg	http://www.garmin.com/xmlschemas/GpxExtensions/v3
http://www.garmin.com/xmlschemas/ActivityExtension/v2	http://www.apache.org/licenses/
http://www.apache.org/licenses/LICENSE-2.0	http://sww.sas.com/cgi-bin/quick_browse?defectid=S1400543
http://json-schema.org/draft-04/schema#	https://stackoverflow.com/questions/4766201/javascript-invert-color-on-all-elements-of-a-page
http://sww.sas.com/saspedia/Business_Intelligence_Report_Definition_Graph_Localization_Overrides	http://sww.sas.com/saspedia/Result_
http://support.sas.com	http://support.sas.com/training
http://www.sas.com	https://github.com/requirejs/requirejs/blob/master/LICENSE
http://requirejs.org/docs/errors.html#	http://dev.jquery.com/ticket/2709
http://www.w3.org/1999/xhtml	https://connect.microsoft.com/IE/feedback/details/648057/script-onload-event-is-not-fired-immediately-after-script-execution
https://github.com/requirejs/requirejs/issues/187	https://github.com/requirejs/requirejs/issues/273
https://webkit.org/b/153317	http://perseus.openstack.sas.com/published/latest/docs/NVStylePrefs.html
http://perseus.openstack.sas.com/published/latest/docs/NVBehaviorPrefs.html	http://perseus.openstack.sas.com/published/latest/docs/NVMap.html
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Destructuring_assignment	https://clients2.google.com/service/update2/crx
https://github.com/josdejong/mathjs	https://github.com/josdejong/mathjs/pull/346#issuecomment-97659042
https://github.com/josdejong/mathjs/pull/346#issuecomment-97658658	https://github.com/josdejong/mathjs/pull/346#issuecomment-97477571

Page 1 of 3

Raw Manifest

{
  "name": "SAS Graphics Accelerator",
  "icons": {
    "32": "icon_32.png",
    "48": "icon_48.png",
    "128": "icon_128.png"
  },
  "action": {
    "default_icon": "icon_32.png",
    "default_popup": "popup.html",
    "default_title": "SAS Graphics Accelerator"
  },
  "version": "5.12.2.01223",
  "background": {
    "service_worker": "background.js"
  },
  "options_ui": {
    "page": "options.html",
    "open_in_tab": true
  },
  "short_name": "Accelerator",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Enables users with visual impairments or blindness to create, explore, and share data visualizations.",
  "permissions": [
    "activeTab",
    "storage",
    "unlimitedStorage",
    "downloads",
    "webNavigation"
  ],
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "content.js"
      ],
      "matches": [
        "file:///*",
        "<all_urls>"
      ],
      "all_frames": true,
      "match_about_blank": true
    },
    {
      "js": [
        "content_google_mymaps.js"
      ],
      "matches": [
        "https://*/maps/d/edit?*",
        "https://*/maps/d/viewer?*",
        "https://*/maps/d/u/*/edit?*",
        "https://*/maps/d/u/*/viewer?*"
      ],
      "all_frames": true
    }
  ],
  "manifest_version": 3,
  "minimum_chrome_version": "88",
  "content_security_policy": {
    "extension_pages": "default-src 'self'; img-src 'self' data:; object-src 'none';frame-ancestors 'none'; style-src 'self' 'unsafe-inline'"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "earcon-alert.mp3",
        "invisible-beacon.png",
        "validateIFrame.js"
      ]
    }
  ]
}

by ✦ Astarte

SAS Graphics Accelerator

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Content Security Policy:

Embedded URLs (216 total):

Raw Manifest

Detections

Manifest Findings