[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Dino Rush

Version 1.0.2 View in Chrome Web Store

Last scanned: 4 days ago | force re-scan

Extension Details

Rating: 5.0 ★ (5 ratings)

Users: 20,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors: The extension has significant trust concerns. With only 20,000 users and just 5 ratings (despite a perfect 5.0 score), the user base is relatively small and the rating sample size is insufficient for reliable assessment. The lack of developer information and missing last updated date raises transparency concerns. The generic name "Dino Rush" suggests it may be a simple game, but the extensive permissions contradict this assumption.

Concerns: The extension requests extremely broad permissions that are completely unnecessary for a game application. The <all_urls> host permissions and content script injection capabilities allow it to access and modify any website you visit, which is a massive overreach for what appears to be an entertainment extension. The storage permission, while less concerning individually, combined with the broad access rights creates potential for extensive data collection. The scripting and alarms permissions further expand its capabilities beyond what a simple game would require.

Recommendations: Given the high risk level, avoid installing this extension on your primary browser profile. If you must use it, create a separate Chrome profile specifically for this extension to isolate potential security risks. Consider looking for alternative game extensions with more appropriate permission requests. The broad permissions suggest this extension may have hidden functionality beyond gaming, so exercise extreme caution. Monitor your browsing behavior and accounts for any unusual activity if you choose to proceed.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "__MSG_extName__",
  "icons": {
    "16": "icons/icon-16.png",
    "48": "icons/icon-48.png",
    "128": "icons/icon-128.png",
    "300": "icons/icon-300.png"
  },
  "action": {
    "default_title": "__MSG_extName__",
    "chrome_url_overrides": {
      "newtab": "popup.html"
    }
  },
  "version": "1.0.2",
  "background": {
    "service_worker": "js/background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_extShortDesc__",
  "permissions": [
    "storage",
    "scripting",
    "alarms"
  ],
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "js/content.js"
      ],
      "run_at": "document_start",
      "matches": [
        "<all_urls>"
      ],
      "all_frames": false,
      "match_about_blank": false
    }
  ],
  "offline_enabled": true,
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3,
  "minimum_chrome_version": "88.0",
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "icons/*"
      ],
      "use_dynamic_url": false
    }
  ]
}

by ✦ Astarte

https://www.google-analytics.com/mp/collect	https://www.google-analytics.com/debug/mp/collect
https://github.com/uuidjs/uuid#getrandomvalues-not-supported	https://clients2.google.com/service/update2/crx

Dino Rush

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (4 total):

Raw Manifest

Detections

Manifest Findings