CRXaminer

ESUIT | Un Seen for Facebook™

Version 1.11.5

Last scanned: 6 months ago

Extension Details

Developer: esuit.dev
Rating: 4.6 ★ (187 ratings)
Users: 20,000

Context-Aware Verdict

Overall Risk: MEDIUM

Trust Factors:

The extension has a solid user base of 20,000 users with a good rating of 4.6/5 from 187 reviews, indicating general user satisfaction. The developer uses a professional domain (esuit.dev) and the extension serves a specific privacy-focused purpose for Facebook users who want to read messages without triggering read receipts.

Concerns:

The primary concern is the broad host permissions that grant access to Facebook's main domains and Messenger. While these permissions align with the extension's stated functionality, they provide significant access to sensitive social media data including private messages, posts, and personal information. The scripting permission allows code execution on these platforms, and the storage permission enables data retention locally. The declarativeNetRequest permission could potentially modify network requests to Facebook services.

The combination of these permissions creates a powerful capability set that, while necessary for the extension's functionality, could be misused to collect private communications, personal data, or browsing patterns on Facebook platforms.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to Facebook use to limit potential data exposure from other browsing activities. Regularly review the extension's behavior and updates. If you frequently use Facebook for sensitive communications or business purposes, evaluate whether the privacy benefit of unseen message reading outweighs the security risks of granting such broad access to your social media data.

Findings

HIGH: Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM: Access to Sensitive Domains
This extension requests access to sensitive domains: https://www.facebook.com/*, https://web.facebook.com/*. Ensure you trust this extension with access to these sites.

MEDIUM: Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.