Alby - Bitcoin Wallet for Lightning & Nostr
Version 3.11.0 View in Chrome Web Store
Last scanned: 2 days ago
| force re-scan
Extension Details
Developer:
getalby.com
Rating:
4.3 ★
(64 ratings)
Size:
6.86MiB
Last Updated:
January 28, 2025
Users:
80,000
Developer Info:
Alby Inc.8 The Grn Ste A
Dover, DE 19901
US
Context-Aware Verdict
This section provides a Claude-based AI analysis that applies additional context to the risk. Results are not guaranteed to be accurate.
HIGH
Risk Level
Trust Factors:
- The extension is developed by a registered company (Alby Inc.) which adds some legitimacy.
- It has a decent number of users (80,000) and a relatively good rating (4.3/5), suggesting it is popular and well-received.
- However, the description is vague and does not provide much context about the extension's functionality.
Concerns:
- The extension requests very broad permissions, including the ability to access all websites (*://*/*), inject scripts into any website, and read/modify browser tabs. These permissions go far beyond what would be expected for a Bitcoin wallet extension.
- The "unlimitedStorage" permission allows the extension to store an unlimited amount of data locally, which could be a privacy concern.
- The Content Security Policy allows "wasm-unsafe-eval", permitting potentially unsafe WebAssembly code execution.
Recommendations:
- Exercise extreme caution when installing this extension, as the broad permissions and capabilities could potentially be exploited for malicious purposes.
- If you decide to use this extension, consider running it in a separate browser profile or a sandboxed environment to isolate it from your main browsing activity.
- Closely monitor the extension's behavior and network activity for any suspicious activity.
- Regularly check for updates from the developer and uninstall the extension if it becomes outdated or if any security vulnerabilities are reported.
Security Analysis
This section provides a detailed analysis of the extension's security posture, without broader context. Assumes worst-case impact.
CRITICAL
Overall Risk
Based on 7 total findings, ranked without considering overall context, including 4 high-risk and 3 medium-risk findings.
HIGH
Broad Content Script Injection
This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.
HIGH
Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.
HIGH
High-Risk Permission: tabs
This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.
HIGH
Unsafe WebAssembly Execution
This extension's Content Security Policy allows 'wasm-unsafe-eval', which permits potentially dangerous WebAssembly code execution. This could be used to hide malicious code or perform CPU-intensive operations.
MEDIUM
Medium-Risk Permission: notifications
This extension has the notifications permission. Can show notifications.
MEDIUM
Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.
MEDIUM
Medium-Risk Permission: unlimitedStorage
This extension has the unlimitedStorage permission. Can store unlimited data locally.
Security Analysis Details
Required Permissions:
- nativeMessaging
- notifications
- scripting
- storage
- tabs
- unlimitedStorage
Host Permissions:
- *://*/*
Content Security Policy:
- extension_pages: script-src 'self' 'wasm-unsafe-eval'; object-src 'self'
Embedded URLs (103 total):
| http://www.w3.org/2000/svg | http://fb.me/use-check-prop-types | |
| https://reactjs.org/docs/error-decoder.html?invariant= | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/1999/xhtml | https://fb.me/react-async-component-lifecycle-hooks | |
| https://vas-btc-pay.org/lnd-config/212121/lnd.config | https://din-btc-pay.org/lnd-config/212121/lnd.config | |
| https://your-btc-pay.org/lnd-config/212121/lnd.co | https://your-btc-pay.org/lnd-config/212121/lnd.config | |
| https://deine-node.m.voltageapp.io:8080 | https://your-node.m.voltageapp.io:8080 | |
| https://su-btc-pay.org/lnd-config/212121/lnd.config | https://votre-btc-payer.org/lnd-config/212121/lnd.config | |
| https://twoj-btc-pay.org/lnd-config/212121/lnd.config | https://seu-btc-pay.org/lnd-config/212121/lnd.config | |
| https://getalby.com/user | https://feedback.getalby.com | |
| https://guides.getalby.com/user-guide/v/alby-account-and-browser-extension/ | https://getalby.com/lightning_addresses | |
| https://zeusln.app | https://bluewallet.io | |
| https://guides.getalby.com/user-guide/v/alby-account-and-browser-extension/alby-browser-extension/migrate-from-old-lndhub-setup | https://getalby.com/node/embrace_albyhub | |
| https://guides.getalby.com/user-guide/alby-account-and-browser-extension/alby-account/faqs-alby-account/what-are-fee-credits-in-my-alby-account | https://getalby.com/discover | |
| https://github.com/mebjas/html5-qrcode | https://scanapp.org | |
| https://github.com/mebjas/html5-qrcode/issues | https://hosted.weblate.org/projects/getalby-lightning-browser-extension/getalby-lightning-browser-extension/ | |
| https://getalby.com/install/companion/ | https://guides.getalby.com/user-guide/v/alby-account-and-browser-extension/alby-browser-extension/connect-lightning-wallets-and-nodes-to-the-alby-extension | |
| https://runcitadel.space/ | https://cdn.getalby-assets.com/connector-guides/citadel.png | |
| https://github.com/ACINQ/eclair | https://www.blink.sv/ | |
| https://api.blink.sv/graphql | https://bitcoinjungle.app/ | |
| https://api.mainnet.bitcoinjungle.app/graphql | https://dashboard.blink.sv | |
| https://gist.github.com/ | https://api.lawallet.ar | |
| https://lawallet.ar | https://legend.lnbits.com | |
| https://lnbits.com/ | https://cdn.getalby-assets.com/connector-guides/lnc.png | |
| https://mynodebtc.com/ | https://cdn.getalby-assets.com/connector-guides/in_extension_guide_mynode.mp4 | |
| https://raspiblitz.org/ | https://cdn.getalby-assets.com/connector-guides/in_extension_guide_raspiblitz.mp4 | |
| https://start9.com/ | https://umbrel.com/ | |
| https://cdn.getalby-assets.com/connector-guides/umbrel.png | https://nwc.getalby.com | |
| https://apps.umbrel.com/app/alby-nostr-wallet-connect | https://www.mutinywallet.com | |
| https://www.getalby.com/voltage | https://getalby.com/settings/nostr | |
| https://getalby.com/onchain_addresses | https://deezy.io | |
| https://mempool.space/address/ | https://boltz.exchange/ | |
| https://swap.deezy.io/ | https://sideshift.ai/ln/btc | |
| https://feross.org | https://feross.org/opensource | |
| http://www.xarg.org/2014/03/javascript-bit-array/ | https://guides.getalby.com/user-guide/v/alby-account-and-browser-extension/alby-browser-extension/features/liquid | |
| https://guides.getalby.com/user-guide/v/alby-account-and-browser-extension/alby-browser-extension/features/hold-payments | http://jqueryui.com | |
| http://jquery.org/license | http://api.jqueryui.com/category/ui-core/ | |
| https://developer.mozilla.org/en-US/docs/Web/API/Event/composedPath | https://github.com/lnurl/luds/blob/luds/17.md | |
| https://geyser.fund/logo-brand.svg | https://api.mixcloud.com/ | |
| https://soundcloud.com | https://api.stackexchange.com/2.2/questions/ |
Page 1 of 2
Raw Manifest
{ "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAludn9UxTx8rcLh5LfGjqd9/W+yDDlz1h9GlrrUCzyZouU3tQ3BkXgRNWZVqWUwalvR6DUin2ECu/QTMipsl5fZg36U9HCL6sMOP0MwfDzOPWTQnaKj0AGLvWloFOD7qmIFT+HOlVBcXVCxCbx85LMsHh8mbh5u5mTPBLXKjxSAx5pvGsCHKJ/45zkRxxiF4GorbxAOBEYPUC6m3UpPOLgVQUPYJrQF7mvAgKl/1pd68sdvSc3ragsFNw8IK5/fK1oD6ZV/n1uvpFrlqHF7Ed+OE3eAVkdCSxxiTJnwMfS4duE4QOLfP2cYeriZKBtdkgdQUVrY+Y++R3C85Cdhdz6wIDAQAB", "name": "Alby - Bitcoin Wallet for Lightning & Nostr", "icons": { "16": "assets/icons/alby_icon_yellow_16x16.png", "32": "assets/icons/alby_icon_yellow_32x32.png", "48": "assets/icons/alby_icon_yellow_48x48.png", "128": "assets/icons/alby_icon_yellow_128x128.png" }, "action": { "theme_icons": [ { "dark": "assets/icons/alby_icon_yellow_16x16.png", "size": 16, "light": "assets/icons/alby_icon_yellow_dark_16x16.png" }, { "dark": "assets/icons/alby_icon_yellow_32x32.png", "size": 32, "light": "assets/icons/alby_icon_yellow_dark_32x32.png" }, { "dark": "assets/icons/alby_icon_yellow_48x48.png", "size": 48, "light": "assets/icons/alby_icon_yellow_dark_48x48.png" }, { "dark": "assets/icons/alby_icon_yellow_128x128.png", "size": 128, "light": "assets/icons/alby_icon_yellow_dark_128x128.png" } ], "default_icon": { "16": "assets/icons/alby_icon_yellow_16x16.png", "32": "assets/icons/alby_icon_yellow_32x32.png", "48": "assets/icons/alby_icon_yellow_48x48.png", "128": "assets/icons/alby_icon_yellow_128x128.png" }, "default_popup": "popup.html", "default_title": "Alby - Bitcoin Wallet for Lightning & Nostr" }, "author": "Alby", "version": "3.11.0", "commands": { "_execute_action": { "suggested_key": { "default": "Alt+Shift+A" } } }, "background": { "service_worker": "js/background.bundle.js" }, "options_ui": { "page": "options.html", "open_in_tab": true }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Your Bitcoin Lightning wallet and companion for accessing Bitcoin and Nostr apps, digital payments and passwordless logins.", "permissions": [ "nativeMessaging", "notifications", "scripting", "storage", "tabs", "unlimitedStorage" ], "homepage_url": "https://getAlby.com/", "content_scripts": [ { "js": [ "js/contentScriptOnStart.bundle.js", "js/contentScriptWebLN.bundle.js", "js/contentScriptAlby.bundle.js", "js/contentScriptLiquid.bundle.js", "js/contentScriptNostr.bundle.js", "js/contentScriptWebBTC.bundle.js" ], "run_at": "document_start", "matches": [ "*://*/*" ], "all_frames": true } ], "host_permissions": [ "*://*/*" ], "manifest_version": 3, "minimum_chrome_version": "88", "content_security_policy": { "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'" } }
Secure Annex (beta)
Coming soon...