Extension Details
Context-Aware Verdict
The extension has 6 million users, indicating widespread adoption, but the concerning 2.3-star rating from 2,500 reviews suggests significant user dissatisfaction. While this appears to be Apple's official iCloud Passwords extension for Chrome, the poor rating raises questions about functionality and user experience rather than malicious intent.
The extension requests extremely broad permissions that are excessive for a password manager. The privacy permission allows modification of browser privacy settings, which is unnecessary for password autofill functionality. The webNavigation permission enables comprehensive browsing tracking across all websites. Most concerning is the combination of broad host permissions (*://*/*) with content script injection capabilities, allowing the extension to access and potentially modify any website's content. The nativeMessaging permission, while legitimate for communicating with the iCloud Passwords desktop application, adds another attack vector if compromised.
Despite being from Apple, the overly broad permissions present significant privacy and security risks. Consider running this extension in a separate Chrome profile dedicated solely to password management activities. Alternatively, evaluate whether Apple's built-in password management through Safari or dedicated password managers with more restrictive permissions would better serve your needs. If you must use this extension, regularly review your privacy settings and monitor for any unexpected changes to your browsing experience.
Findings
Security Analysis Details
Required Permissions:
- privacy
- declarativeContent
- nativeMessaging
- webNavigation
- storage
- contextMenus
- scripting
Host Permissions:
- *://*/*
Embedded URLs (5 total):
| https://support.apple.com/kb/DL1455 | https://www.apple.com/macos | |
| https://discord.com/channels/@me | https://clients2.google.com/service/update2/crx | |
| http://www.w3.org/2000/svg |
Raw Manifest
{ "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk4xPYZla5XqlDN0PPiLCQAYRqdaR06jSl3sntEE5jHoe7XldFqhsdBSp4L8mozwjCwi6z5YtEpTV1L2k4WYmDuiwoH7YKGlQD/YbC8QMcPvGLWOr8WYfXWtECKv0Nx7Tahk8nCIDWgJVm8YmPIDhPv4o5VVrq6aUveCKvTOskHWFyRzSTC2VKpzIVX7F65UzqqOmqLfMpo6lfaLcKSC7G6oQLA/wS7hcGZEwZ11si6XWR4o/hDuUSt6zdacy/sc7H80eH3lMnEmvb6HoB7+KvxfGIU7dqRmhA/w/X0qkiIJYeoo4tZrNxBj7TTLz9hnHUbMRwJqsoIU+pkoprgFWDQIDAQAB", "name": "__MSG_extName__", "icons": { "16": "images/PasswordsExtensionIcon_16.png", "32": "images/PasswordsExtensionIcon_32.png", "128": "images/PasswordsExtensionIcon_128.png" }, "action": { "default_icon": { "16": "images/PasswordsToolbar_icon16.png", "32": "images/PasswordsToolbar_icon32.png" }, "default_popup": "page_popup.html" }, "version": "3.3.0", "background": { "service_worker": "background.js" }, "options_ui": { "page": "settings.html", "open_in_tab": false }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_extDescription__", "permissions": [ "privacy", "declarativeContent", "nativeMessaging", "webNavigation", "storage", "contextMenus", "scripting" ], "default_locale": "en", "content_scripts": [ { "js": [ "content_script.js" ], "run_at": "document_idle", "matches": [ "*://*/*" ], "all_frames": true } ], "host_permissions": [ "*://*/*" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "completion_list.html" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.