[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Instant Data Scraper

Version 1.2.1 View in Chrome Web Store

Last scanned: about 6 hours ago

Extension Details

Developer: Flavr Technology, LP

Rating: 4.9 ★ (7K ratings)

Users: 1,000,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has strong user adoption with 1 million users and an excellent 4.9-star rating from 7,000 reviews, indicating generally positive user experiences. Flavr Technology, LP appears to be the developer, though limited information is available about the company's reputation. The high rating suggests the extension functions as intended for most users.

Concerns:

The combination of webRequest permission with broad content script injection creates significant security risks. The webRequest permission allows interception and modification of all web traffic, which could be exploited to steal sensitive data or redirect users to malicious sites. The wildcard content script injection (*://*/*) means this extension can execute code on every website you visit, potentially accessing passwords, financial information, and personal data. For a data scraping tool, these permissions may be functionally necessary but create substantial attack surface.

Recommendations:

Consider running this extension in a dedicated Chrome profile separate from your main browsing activities, especially if you handle sensitive information online. Only activate the extension when actively scraping data, and disable it during regular browsing. Monitor your network traffic and be cautious about scraping from sites containing sensitive information. Given the legitimate use case and positive user feedback, the extension may be trustworthy, but the broad permissions warrant careful usage practices.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

Security Analysis Details

Required Permissions:

webRequest
activeTab

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self'

Embedded URLs (93 total):

http://getbootstrap.com	https://github.com/twbs/bootstrap/blob/master/LICENSE
https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css	https://github.com/twbs/bootstrap/issues/10106
http://getbootstrap.com/getting-started/#third-box-sizing	http://a11yproject.com/posts/how-to-hide-content
http://www.w3.org/TR/2013/NOTE-WCAG20-TECHS-20130905/G1	https://developer.mozilla.org/en-US/docs/Web/Events/click#Safari_Mobile
https://github.com/twbs/bootstrap/pull/11526	https://github.com/twbs/bootstrap/issues/4885
https://github.com/twbs/bootstrap/issues/5257	https://github.com/twbs/bootstrap/issues/11660
https://github.com/twbs/bootstrap/issues/11623	https://github.com/twbs/bootstrap/issues/14837
https://github.com/twbs/bootstrap/issues/12359.	https://github.com/twbs/bootstrap/issues/13141
https://github.com/necolas/normalize.css/issues/214	https://github.com/twbs/bootstrap/issues/11655
https://github.com/twbs/bootstrap/issues/11586.	https://bugs.webkit.org/show_bug.cgi?id=139848
https://github.com/twbs/bootstrap/issues/15074.	https://github.com/twbs/bootstrap/pull/3552.
https://github.com/twbs/bootstrap/pull/12794	https://github.com/twbs/bootstrap/pull/14559
https://github.com/twbs/bootstrap/issues/11561#issuecomment-28936855	https://github.com/h5bp/html5-boilerplate/issues/984#issuecomment-3985989
https://github.com/twbs/bootstrap/pull/10951.	https://developer.mozilla.org/en-US/docs/Web/Events/click#Internet_Explorer
http://nicolasgallagher.com/micro-clearfix-hack/	https://github.com/h5bp/html5-boilerplate/commit/aa0396eae757
https://github.com/twbs/bootstrap/issues/10497	http://getbootstrap.com/getting-started/#support-ie10-width
http://timkadlec.com/2013/01/windows-phone-8-and-device-width/	http://timkadlec.com/2012/10/ie10-snap-mode-and-responsive-design/
http://dbushell.com/	http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd
http://www.w3.org/2000/svg	https://eligrey.com
https://github.com/eligrey/FileSaver.js/blob/master/LICENSE.md	http://purl.eligrey.com/github/FileSaver.js/blob/master/src/FileSaver.js
http://www.w3.org/1999/xhtml	https://developer.apple.com/library/safari/documentation/Tools/Conceptual/SafariExtensionGuide/WorkingwithWindowsandTabs/WorkingwithWindowsandTabs.html
https://www.google-analytics.com/mp/collect	https://www.google-analytics.com/debug/mp/collect
https://developers.google.com/analytics/devguides/collection/protocol/ga4/sending-events?client_type=gtag#recommended_parameters_for_reports	https://developers.google.com/analytics/devguides/collection/protocol/ga4/reference?client_type=gtag#reserved_names
https://handsontable.com	http://momentjs.com/guides/#/warnings/define-locale/
http://momentjs.com/guides/#/warnings/js-date/	http://momentjs.com/guides/#/warnings/min-max/
http://momentjs.com/guides/#/warnings/add-inverted-param/	http://momentjs.com/guides/#/warnings/zone/
http://momentjs.com/guides/#/warnings/dst-shifted/	https://tools.ieft.org/html/bcp47
https://docs.handsontable.com/i18n/missing-language-code.	https://github.com/dbushell/Pikaday
https://github.com/Starcounter-Jack/JSON-Patch	http://www.foretagsplatsen.se
http://zeroclipboard.org/	https://github.com/mholt/PapaParse
https://github.com/emn178/js-sha256	http://sheetjs.com
http://purl.org/dc/elements/1.1/	http://purl.org/dc/terms/
http://purl.org/dc/dcmitype/	http://schemas.microsoft.com/office/mac/excel/2008/main
http://schemas.openxmlformats.org/officeDocument/2006/relationships	http://schemas.openxmlformats.org/package/2006/sheetjs/core-properties
http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes	http://www.w3.org/2001/XMLSchema-instance
http://www.w3.org/2001/XMLSchema	http://schemas.openxmlformats.org/spreadsheetml/2006/main
http://purl.oclc.org/ooxml/spreadsheetml/main	http://schemas.microsoft.com/office/excel/2006/main
http://schemas.microsoft.com/office/excel/2006/2	http://schemas.openxmlformats.org/package/2006/content-types
http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument	http://sheetjs.openxmlformats.org/officeDocument/2006/relationships/officeDocument
http://schemas.openxmlformats.org/package/2006/relationships	http://schemas.openxmlformats.org/package/2006/metadata/core-properties

Page 1 of 2

Raw Manifest

{
  "name": "Instant Data Scraper",
  "icons": {
    "16": "pokeball16.png",
    "32": "pokeball32.png",
    "64": "pokeball64.png",
    "128": "pokeball128.png"
  },
  "action": {
    "default_icon": "pokeball64.png"
  },
  "version": "1.2.1",
  "incognito": "split",
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Instant Data Scraper extracts data from web pages and exports it as Excel or CSV files",
  "permissions": [
    "webRequest",
    "activeTab"
  ],
  "content_scripts": [
    {
      "js": [
        "js/jquery-3.1.1.min.js",
        "js/sha256.min.js",
        "onload.js"
      ],
      "css": [
        "onload.css"
      ],
      "matches": [
        "*://*/*"
      ]
    }
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'"
  }
}

by ✦ Astarte

Instant Data Scraper

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Content Security Policy:

Embedded URLs (93 total):

Raw Manifest

Detections

Manifest Findings