[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Url Slideshow

Version 0.5.0 View in Chrome Web Store

Last scanned: about 10 hours ago

Extension Details

Rating: 4.6 ★ (17 ratings)

Users: 20,000

Context-Aware Verdict

MEDIUM

Overall Risk

Trust Factors:

The extension has a solid user base of 20,000 users and maintains a high rating of 4.6 stars from 17 reviews, indicating generally positive user experiences. However, the lack of developer information and missing last updated date raises some transparency concerns. The extension's purpose appears to be creating URL slideshows, which is a legitimate functionality.

Concerns:

The primary concern is the tabs permission, which grants broad access to browser tab information and manipulation capabilities. This level of access seems excessive for a simple slideshow tool and could potentially be misused to monitor browsing activity or redirect users to malicious sites. The contextMenus permission, while less concerning, adds another attack vector. The extension's use of Manifest V2 indicates it hasn't been updated to meet newer security standards, suggesting possible maintenance issues or outdated security practices.

Recommendations:

Consider running this extension in a separate Chrome profile to isolate potential risks from your main browsing environment. Monitor the extension's behavior closely, especially any unexpected tab manipulations or redirects. Look for alternative slideshow extensions that use Manifest V3 and request fewer permissions. If you must use this extension, regularly review your browser's extension permissions and consider disabling it when not actively needed for slideshow creation.

Findings

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Older Manifest Version

This extension uses Manifest Version 2, which has fewer security restrictions than Manifest V3. Consider using extensions that have upgraded to V3.

Raw Manifest

{
  "name": "Url Slideshow",
  "icons": {
    "16": "icons/slideshow-24.png",
    "48": "icons/slideshow-48.png",
    "128": "icons/slideshow-128.png"
  },
  "author": "proddi@splatterladder.com",
  "version": "0.5.0",
  "background": {
    "scripts": [
      "js/SlideShow.js",
      "js/background.js"
    ],
    "persistent": true
  },
  "options_ui": {
    "page": "html/options.html",
    "chrome_style": true
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "permissions": [
    "contextMenus",
    "tabs"
  ],
  "homepage_url": "https://github.com/proddi/urlslideshow",
  "browser_action": {
    "default_icon": {
      "19": "icons/slideshow-24.png",
      "38": "icons/slideshow-48.png"
    },
    "default_title": "Start/Stop the show..."
  },
  "manifest_version": 2
}

by ✦ Astarte

Url Slideshow

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Embedded URLs (4 total):

Raw Manifest

Detections

Manifest Findings

https://clients2.google.com/service/update2/crx	https://github.com/proddi/urlslideshow
http://fully.qualified.domain/url	https://jsfiddle.net/at2h6ob0/