Extension Details
Context-Aware Verdict
The extension appears to be associated with Banco de España (BdE), Spain's central bank, based on the name and content script targeting bde.es domains. However, several trust indicators are missing or concerning: no user count data, no ratings or reviews, missing author information, and no developer details provided. The lack of transparency around the developer identity is particularly notable for a financial institution's extension.
The primary concern is the nativeMessaging permission, which allows the extension to communicate with native applications installed on the user's computer. While this may be necessary for digital signature functionality, it creates a potential security bridge between the browser and the local system. The extension's scope is appropriately limited to BdE domains through content scripts, which is positive for containment.
The absence of user adoption metrics and reviews makes it difficult to assess real-world usage and reliability. For a banking-related extension, this lack of community validation is concerning.
Verify the extension's authenticity directly with Banco de España before installation. Consider running this extension in a separate Chrome profile dedicated to banking activities to isolate any potential risks. Only install if you specifically need to use BdE's digital signature services. Monitor the extension's behavior and remove it immediately after completing necessary banking tasks if you're uncomfortable with the native messaging capability.
Findings
Security Analysis Details
Required Permissions:
- nativeMessaging
Embedded URLs (1 total):
| https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "name": "BdE eSignature Web Extension", "icons": { "128": "logo.png" }, "author": "Minsait by Indra", "version": "1.3", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Chrome web extension interacting using Native Messaging with Minsait eSignature Desktop Client application.", "permissions": [ "nativeMessaging" ], "content_scripts": [ { "js": [ "content.js" ], "run_at": "document_end", "matches": [ "https://*.bde.es/*" ], "include_globs": [ "*/dcpaute/*", "*/siemain/*" ] } ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "https://*.bde.es/*" ], "resources": [ "eSignatureWebExt.js" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.