SAS Graphics Accelerator

Version 5.12.2.01223 View in Chrome Web Store

Last scanned: 2 months ago | force re-scan

Extension Details

Rating: 4.5 ★ (2 ratings)

Users: 2,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors: The extension appears to be from SAS, a reputable analytics company, which adds some credibility. However, the extremely low user count (2,000 users) and minimal rating data (only 2 reviews) provide limited validation of its legitimacy. The name "Graphics Accelerator" suggests it's designed to enhance data visualization capabilities, which aligns with SAS's business focus.

Concerns: The extension requests several concerning permissions that seem excessive for a graphics acceleration tool. The webNavigation permission allows comprehensive tracking of browsing behavior across all websites. The downloads permission enables file downloads and access to download history, which could be misused. Most critically, the broad content script injection capability (<all_urls>) means this extension can execute code on every website you visit, potentially accessing sensitive information like login credentials, personal data, or financial information. The file:/// permission also allows access to local files, which is unusual and potentially dangerous.

Recommendations: Given the high-risk permissions and low adoption rate, consider running this extension in a separate Chrome profile dedicated solely to SAS-related work. Verify the extension's authenticity directly through SAS's official channels before installation. Monitor your browsing behavior and downloads while the extension is active. Consider whether the graphics acceleration benefits justify the extensive permissions requested, and explore alternative solutions with more restrictive permission sets if available.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

High-Risk Permission: downloads

This extension has the downloads permission. Can download files and access download history. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

Security Analysis Details

Required Permissions:

activeTab
storage
unlimitedStorage
downloads
webNavigation

Content Security Policy:

extension_pages: default-src 'self'; img-src 'self' data:; object-src 'none';frame-ancestors 'none'; style-src 'self' 'unsafe-inline'

Embedded URLs (216 total):

https://chrome.google.com/webstore/detail/sas-graphics-accelerator/ockmipfaiiahknplinepcaogdillgoko	http://support.sas.com/legaldocs/Graphics_Accelerator_Chrome.pdf
https://udger.com/resources/ua-list/os	http://documentation.sas.com/?docsetId=gracclug&docsetVersion=1.0&docsetTarget=titlepage.htm
http://support.sas.com/software/products/graphics-accelerator/samples/index.html	http://support.sas.com/software/products/graphics-accelerator/index.html
https://vega.github.io/schema/vega-lite/	https://developer.mozilla.org/en-US/docs/Web/HTML/Inline_elements#Elements
https://developer.mozilla.org/en-US/docs/Web/Guide/HTML/Content_categories#Phrasing_content	https://bugs.chromium.org/p/chromium/issues/detail?id=1264366
https://bugs.chromium.org/p/chromium/issues/detail?id=1219825	https://www.google.com/maps/d/edit?mid=177rOn_UEHFnxJ89WlLHXekiyL-GQ8Os6&ll=35.780852811744666%2C-78.67375985&z=15
https://www.google.com/maps/d/viewer?mid=177rOn_UEHFnxJ89WlLHXekiyL-GQ8Os6&ll=35.78085281174465%2C-78.67375985&z=15	https://www.google.com/maps/d/kml?mid=177rOn_UEHFnxJ89WlLHXekiyL-GQ8Os6&forcekml=1
https://www.google.com/maps/d/kml?	https://github.com/SheetJS/js-xlsx/issues/705
http://sww.sas.com/cgi-bin/quick_browse?defectid=S1395504	http://sww.sas.com/cgi-bin/quick_browse?defectid=S1408425
http://sww.sas.com/cgi-bin/quick_browse?defectid=S1416360	https://developer.mozilla.org/en-US/docs/Web/API/File
http://www.opensource.org/licenses/mit-license.php	http://code.google.com/p/jquery-json/
http://code.google.com/p/jquery-tsv/	http://support.sas.com/documentation/cdl/en/lrcon/65287/HTML/default/viewer.htm#p18cdcs4v5wd2dn1q0x296d3qek6.htm
https://en.wikipedia.org/wiki/Byte_order_mark	http://sww.sas.com/cgi-bin/quick_browse?defectid=S1408408
https://finance.yahoo.com/quote/	http://sww.sas.com/cgi-bin/quick_browse?defectid=S1414612
http://www.google.com	http://www.sas.com/sasreportmodel/styles
http://adamwdraper.github.com/Numeral-js/	http://www.investopedia.com/terms/b/basispoint.asp
http://stackoverflow.com/questions/3561493/is-there-a-regexp-escape-function-in-javascript	https://stackoverflow.com/q/181348
https://en.wikipedia.org/wiki/ISO_week_date#Calculating_a_date_given_the_year.2C_week_number_and_weekday	http://momentjs.com/guides/#/warnings/define-locale/
https://tools.ietf.org/html/rfc2822#section-3.3	http://momentjs.com/guides/#/warnings/js-date/
https://github.com/moment/moment/issues/1423	http://momentjs.com/guides/#/warnings/min-max/
https://github.com/moment/moment/issues/2978	https://github.com/moment/moment/pull/1871
http://docs.closure-library.googlecode.com/git/closure_goog_date_date.js.source.html	http://momentjs.com/guides/#/warnings/add-inverted-param/
https://nodejs.org/dist/latest/docs/api/util.html#util_custom_inspect_function_on_objects	http://momentjs.com/guides/#/warnings/zone/
http://momentjs.com/guides/#/warnings/dst-shifted/	https://github.com/moment/moment/issues/2166
https://github.com/dordille/moment-isoduration/blob/master/moment.isoduration.js	https://go.documentation.sas.com/?docsetId=gracclug&docsetTarget=n0pzarftj3csiin14f5sdr42othm.htm&docsetVersion=1.0&locale=en
http://www.w3.org/2000/svg	http://www.garmin.com/xmlschemas/GpxExtensions/v3
http://www.garmin.com/xmlschemas/ActivityExtension/v2	http://www.apache.org/licenses/
http://www.apache.org/licenses/LICENSE-2.0	http://sww.sas.com/cgi-bin/quick_browse?defectid=S1400543
http://json-schema.org/draft-04/schema#	https://stackoverflow.com/questions/4766201/javascript-invert-color-on-all-elements-of-a-page
http://sww.sas.com/saspedia/Business_Intelligence_Report_Definition_Graph_Localization_Overrides	http://sww.sas.com/saspedia/Result_
http://support.sas.com	http://support.sas.com/training
http://www.sas.com	https://github.com/requirejs/requirejs/blob/master/LICENSE
http://requirejs.org/docs/errors.html#	http://dev.jquery.com/ticket/2709
http://www.w3.org/1999/xhtml	https://connect.microsoft.com/IE/feedback/details/648057/script-onload-event-is-not-fired-immediately-after-script-execution
https://github.com/requirejs/requirejs/issues/187	https://github.com/requirejs/requirejs/issues/273
https://webkit.org/b/153317	http://perseus.openstack.sas.com/published/latest/docs/NVStylePrefs.html
http://perseus.openstack.sas.com/published/latest/docs/NVBehaviorPrefs.html	http://perseus.openstack.sas.com/published/latest/docs/NVMap.html
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Destructuring_assignment	https://clients2.google.com/service/update2/crx
https://github.com/josdejong/mathjs	https://github.com/josdejong/mathjs/pull/346#issuecomment-97659042
https://github.com/josdejong/mathjs/pull/346#issuecomment-97658658	https://github.com/josdejong/mathjs/pull/346#issuecomment-97477571

Page 1 of 3

Raw Manifest

{
  "name": "SAS Graphics Accelerator",
  "icons": {
    "32": "icon_32.png",
    "48": "icon_48.png",
    "128": "icon_128.png"
  },
  "action": {
    "default_icon": "icon_32.png",
    "default_popup": "popup.html",
    "default_title": "SAS Graphics Accelerator"
  },
  "version": "5.12.2.01223",
  "background": {
    "service_worker": "background.js"
  },
  "options_ui": {
    "page": "options.html",
    "open_in_tab": true
  },
  "short_name": "Accelerator",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Enables users with visual impairments or blindness to create, explore, and share data visualizations.",
  "permissions": [
    "activeTab",
    "storage",
    "unlimitedStorage",
    "downloads",
    "webNavigation"
  ],
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "content.js"
      ],
      "matches": [
        "file:///*",
        "<all_urls>"
      ],
      "all_frames": true,
      "match_about_blank": true
    },
    {
      "js": [
        "content_google_mymaps.js"
      ],
      "matches": [
        "https://*/maps/d/edit?*",
        "https://*/maps/d/viewer?*",
        "https://*/maps/d/u/*/edit?*",
        "https://*/maps/d/u/*/viewer?*"
      ],
      "all_frames": true
    }
  ],
  "manifest_version": 3,
  "minimum_chrome_version": "88",
  "content_security_policy": {
    "extension_pages": "default-src 'self'; img-src 'self' data:; object-src 'none';frame-ancestors 'none'; style-src 'self' 'unsafe-inline'"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "earcon-alert.mp3",
        "invisible-beacon.png",
        "validateIFrame.js"
      ]
    }
  ]
}

by ✦ Astarte

SAS Graphics Accelerator

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Content Security Policy:

Embedded URLs (216 total):

Raw Manifest

Detections

Manifest Findings