[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Vue force dev

Version 2.1.1 View in Chrome Web Store

Last scanned: about 4 hours ago

Extension Details

Rating: 4.5 ★ (37 ratings)

Users: 10,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a decent user base of 10,000 users and maintains a solid 4.5-star rating from 37 reviews, suggesting users find it functional. However, the lack of visible developer information and company details raises transparency concerns. The name "Vue force dev" suggests it's a development tool for Vue.js applications, which would typically require broad access to function properly.

Concerns:

The extension's broad permissions are extremely concerning given the limited context. The <all_urls> host permissions combined with content script injection capabilities across all websites creates a significant attack surface. For a Vue.js development tool, these permissions might be necessary for debugging and inspecting Vue applications across different domains, but they also enable the extension to access sensitive data on banking sites, email platforms, and other confidential web applications. The absence of clear developer identification makes it difficult to verify the extension's legitimacy and trustworthiness.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to development work only. Avoid using this profile for personal browsing, banking, or accessing sensitive websites. Regularly review the extension's behavior and consider alternatives with more limited permissions if available. If you're not actively developing Vue.js applications, this extension's broad access is unnecessary and should be removed. Monitor for any unusual network activity or website behavior when the extension is active.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

Raw Manifest

{
  "name": "Vue force dev",
  "icons": {
    "16": "icons/16.png",
    "48": "icons/48.png",
    "128": "icons/128.png"
  },
  "action": {
    "default_icon": {
      "16": "icons/16-gray.png",
      "48": "icons/48-gray.png",
      "128": "icons/128-gray.png"
    },
    "default_popup": "popups/not-found.html",
    "default_title": "Vue force dev"
  },
  "version": "2.1.1",
  "background": {
    "scripts": [
      "background.js"
    ],
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "A tool forces vue to run in development",
  "content_scripts": [
    {
      "js": [
        "detector.js"
      ],
      "run_at": "document_start",
      "matches": [
        "<all_urls>"
      ]
    }
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "detectorExec.js"
      ],
      "extension_ids": []
    }
  ]
}

by ✦ Astarte

https://github.com/hzmming/vue-force-dev/issues	https://vuejs.org/error-reference/#runtime-
https://stackoverflow.com/q/3277182/1008999	https://www.whatismybrowser.com/guides/the-latest-user-agent/macos
https://pinia.vuejs.org/logo.svg	https://pinia.vuejs.org
https://devtools.vuejs.org/guide/installation.html.	https://github.com/tc39/proposal-async-context
https://clients2.google.com/service/update2/crx

Vue force dev

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Host Permissions:

Embedded URLs (9 total):

Raw Manifest

Detections

Manifest Findings