BugHerd: Visual Feedback & Bug Tracking Tool
Version 3.0.4825 View in Chrome Web Store
Extension Details
Context-Aware Verdict
BugHerd appears to be a legitimate visual feedback and bug tracking tool from Splitrock Studio Pty Ltd, with 80,000 users and a solid 4.3-star rating. The company has an established presence in the web development tools space, which adds credibility. However, the extension's extensive permissions create significant security exposure despite its legitimate business purpose.
The extension's permission set is extremely broad and concerning. Access to all URLs, tabs, web navigation tracking, and cookie manipulation creates a comprehensive surveillance capability. The ability to inject content scripts into any website means it can read sensitive data, modify page content, or potentially capture credentials across all browsing activity. While these permissions may be necessary for bug tracking functionality, they create substantial privacy and security risks. The declarativeNetRequest permission adds another layer of network-level control that could be misused.
Given the critical risk level, consider running this extension in a completely separate Chrome profile dedicated solely to development work. Only enable it when actively conducting bug tracking or feedback collection activities. Regularly audit what data the extension collects and ensure your organization has proper data handling agreements with Splitrock Studio. Consider alternative bug tracking solutions with more limited permissions if the broad access isn't essential for your workflow. Monitor network activity when the extension is active to ensure it's only communicating with expected BugHerd services.
Findings
Security Analysis Details
Required Permissions:
- tabs
- <all_urls>
- webNavigation
- scripting
- storage
- cookies
- declarativeNetRequest
Host Permissions:
- <all_urls>
Embedded URLs (79 total):
| https://github.com/uuidjs/uuid#getrandomvalues-not-supported | https://notify.bugsnag.com | |
| https://sessions.bugsnag.com | https://tinyurl.com/yy3rn63z | |
| https://github.com/bugsnag/bugsnag-js | http://www.w3.org/2000/svg | |
| http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd | http://www.w3.org/1999/xlink | |
| http://js.pusher.com | https://js.pusher.com | |
| https://pusher.com | https://github.com/pusher/pusher-js/tree/cc491015371a4bde5743d1c87a0fbac0feb53195#encrypted-channel-support | |
| https://bugherd.com/?utm_source=public&utm_medium=widget | https://get.bugherd.com/privacy | |
| https://example.com | https://github.com/ant-design/ant-design/blob/7d0193e9458dae0355599b2d4bf93464993429f8/components/style/core/global.less#L57-L66 | |
| http://fb.me/use-check-prop-types | https://reactjs.org/docs/error-decoder.html?invariant= | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1999/xhtml | |
| http://www.w3.org/1998/Math/MathML | https://reactjs.org/link/react-polyfills | |
| https://github.com/apollographql/invariant-packages | https://go.apollo.dev/c/err# | |
| https://chrome.google.com/webstore/detail/apollo-client-developer-t/jdkknkkbebbapilgoeccciglkfbmbnfm | https://addons.mozilla.org/en-US/firefox/addon/apollo-developer-tools/ | |
| http://dev.apollodata.com/core/fragments.html#unique-names | https://support.bugherd.com/articles/11430643-how-to-enable-your-microphone-or-screen-recording-for-video-feedback | |
| https://player.vimeo.com/video/569258790 | https://support.bugherd.com/articles/11430658-video-feedback-and-mac-os-system-permissions | |
| https://test.com | https://github.com/date-fns/date-fns/blob/master/docs/upgradeGuide.md#string-arguments | |
| https://github.com/date-fns/date-fns/blob/master/docs/unicodeTokens.md | https://bugherd.com | |
| https://view.officeapps.live.com/op/embed.aspx?src= | https://www.google.com.au/intl/en_au/chrome/ | |
| https://chrome.google.com/webstore/detail/bugherd-plus/popigpemobhbfkhnnkllkjgkaabedgpb | https://microsoftedge.microsoft.com/addons/detail/nkdboghnnmoenjjmcakndhjdecakkfpn | |
| https://apps.apple.com/us/app/bugherd-website-feedback-tool/id1545845981 | https://addons.mozilla.org/en-US/firefox/addon/bugherd/ | |
| http://bugherdstatus.com | https://support.bugherd.com/articles/ | |
| https://support.bugherd.com/articles/11430716-why-did-my-screenshot-not-capture-in-bugherd | https://github.com/ | |
| https://slack.com/channels/ | https://zapier.com/zapbook/bugherd | |
| https://support.bugherd.com/articles/11430568-bugherd-and-fullstory-integration | https://support.bugherd.com/articles/11430571-bugherd-and-logrocket-integration | |
| https://platform.harvestapp.com | https://platform.harvestapp.com/platform/timer?app_name=BugHerd&closable=false&chromeless=true&permalink= | |
| https://support.bugherd.com/articles/11430673-how-do-i-re-enable-my-microphone | http://github.com/idleberg | |
| https://github.com/janniks | http://atelierbram.github.io/syntax-highlighting/atelier-schemes/dune | |
| http://atelierbram.github.io/syntax-highlighting/atelier-schemes/forest | http://atelierbram.github.io/syntax-highlighting/atelier-schemes/heath | |
| http://atelierbram.github.io/syntax-highlighting/atelier-schemes/lakeside/ | http://atelierbram.github.io/syntax-highlighting/atelier-schemes/seaside/ | |
| http://github.com/tpoisot | http://chriskempson.com | |
| http://clrs.cc | http://sethawright.com | |
| https://github.com/alexx2/ | http://github.com/alexx2/ | |
| http://www.monokai.nl | http://railscasts.com | |
| http://tybenz.com | http://ethanschoonover.com/solarized | |
| http://cscorley.github.io/ | http://hart-dev.com | |
| https://fb.me/react-async-component-lifecycle-hooks | https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/load_event#syntax | |
| http://code.google.com/chrome/extensions/extension.html#method-sendMessage | https://clients2.google.com/service/update2/crx | |
| https://support.bugherd.com/articles/11430681-why-am-i-seeing-a-no-project-for-this-url-message-in-bugherd | https://support.bugherd.com/articles/11430737-help-the-bugherd-sidebar-isn-t-appearing | |
| https://support.bugherd.com/articles/11430693-why-is-the-bugherd-browser-extension-taking-a-long-time-to-load | https://www.bugherd.com/ | |
| https://bugs.chromium.org/p/chromium/issues/detail?id=1316588#c113 |
Raw Manifest
{ "name": "BugHerd: Visual Feedback & Bug Tracking Tool", "icons": { "16": "icon16.8e586cc9.png", "48": "icon48.0ee8c3d9.png", "128": "icon128.7c750e51.png" }, "action": { "default_icon": { "16": "icon16.8e586cc9.png", "48": "icon48.0ee8c3d9.png", "128": "icon128.7c750e51.png" }, "default_title": "BugHerd" }, "version": "3.0.4825", "background": { "service_worker": "background.dfd523ad.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "BugHerd is a visual feedback and bug tracking tool for websites", "permissions": [ "tabs", "<all_urls>", "webNavigation", "scripting", "storage", "cookies", "declarativeNetRequest" ], "content_scripts": [ { "js": [ "content.474cc8b3.js" ], "css": [], "matches": [ "<all_urls>" ] } ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "sidebar_build/073224de6fc6a45b54f1.png", "sidebar_build/19c61c247882054f2014.png", "sidebar_build/3f7ad7e9f23a7f0d1f48.png", "sidebar_build/49ece1ec7a9442cc0dc9.png", "sidebar_build/593d70b304b69e064cbf.png", "sidebar_build/app-images.js", "sidebar_build/app-vendor.js", "sidebar_build/app.js", "sidebar_build/bb80032ed4facd5edd6f.png", "sidebar_build/bcff16f1c647156d8a08.png", "sidebar_build/c562f3e59f705048ba03.png", "sidebar_build/ccf18517f5ee7633b4dc.png", "sidebar_build/eb4dcb14cab035f2666a.png", "sidebar_build/embed.1765504510466.js", "sidebar_build/public.1765504510466.js" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.