[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Starting analysis...

Surf Security 5

Version 1.4.118 View in Chrome Web Store

Last scanned: 3 months ago | force re-scan

Extension Details

Rating: 3.0 ★

Users: 2,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors: This extension has several concerning trust indicators. With only 2,000 users and a low 3.0 rating, it lacks widespread adoption and user confidence. The generic name "Surf Security 5" with no clear developer information raises authenticity concerns. The absence of detailed description makes it difficult to verify legitimate security purposes.

Concerns: The permission set is extremely invasive for any extension, especially one with questionable credentials. The combination of proxy control, identity access, cookie manipulation, and management permissions creates a perfect storm for malicious activity. The extension can intercept all web traffic through proxy settings, steal authentication cookies, access personal identity information, and even manage other extensions. The broad host permissions across all websites amplify these risks significantly. The system.cpu permission adds another layer of concern, potentially enabling resource-intensive operations. The nativeMessaging permission suggests communication with external applications, which could facilitate data exfiltration.

Recommendations: Do not install this extension under any circumstances given the critical risk level and lack of trustworthy developer information. If security functionality is needed, choose well-established alternatives from reputable companies with transparent privacy policies and strong user bases. The permission combination suggests potential malware rather than legitimate security software. Consider reporting this extension to Chrome Web Store for review.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: downloads

This extension has the downloads permission. Can download files and access download history. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: identity

This extension has the identity permission. Can access your identity information. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: management

This extension has the management permission. Can manage other extensions. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: proxy

This extension has the proxy permission. Can control proxy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: notifications

This extension has the notifications permission. Can show notifications.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

system.cpu
scripting
storage
activeTab
tabs
alarms
declarativeNetRequest
webNavigation
management
downloads
cookies
idle
proxy
notifications
identity
identity.email
nativeMessaging

Host Permissions:

<all_urls>
*://*/*

Content Security Policy:

extension_pages: script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self'; object-src 'self'; frame-src 'none';

Embedded URLs (91 total):

https://github.com/hodgef/simple-keyboard	https://github.com/hodgef
https://fonts.googleapis.com/css2?family=Open+Sans:wght@400	https://fonts.googleapis.com/css2?family=Roboto:ital
https://myaccount.google.com	https://backend-surf-1.surf-admin.link
https://safebrowsing.googleapis.com/v4/threatMatches:find	https://surf-admin-1.surf-admin.link
https://onboarding.surf-admin.link	https://www.surf.security
http://surf-assets.s3-website.eu-west-2.amazonaws.com	https://lcjlelbjbachjjkpjjlcikldffninona.chromiumapp.org
https://hooks.slack.com/services/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	https://data-transfer-1.surf-admin.link
https://6bbccwsqx4iu6irvgdnbwg7f5i0fpvvt.lambda-url.eu-west-2.on.aws/	https://c4wrrcyhalk73hpj23w6ski2l40qdrch.lambda-url.eu-west-2.on.aws/
https://www.virustotal.com/ui/files	https://drive.google.com/drive/my-drive
https://docs.google.com	https://docs.google.com/spreadsheets
https://lucid.app	https://onedrive.live.com/edit.aspx
https://excel.officeapps.live.com	https://powerpoint.officeapps.live.com
https://web.whatsapp.com	https://www.cloudflare.com/cdn-cgi/trace
https://ipv4.lafibre.info/ip.php	https://nuwted7pcd.execute-api.eu-west-2.amazonaws.com/prod/use-lambda-login/policies?clientId=
https://dev-client-backend.portal-surf-security.link	https://surf-dev.portal-surf-security.link
https://xdsmstklr7rgh3gwz2vezcqyoq0yrvkx.lambda-url.eu-west-2.on.aws/	https://7xfpkp3wnzvtufeq52xyu2hr4i0jngra.lambda-url.eu-west-2.on.aws/
https://surf-dev.portal-surf-security.link/lp_login.html	https://surf-dev.portal-surf-security.link/file.html
https://onboarding-dev.portal-surf-security.link	https://data-transfer-dev.portal-surf-security.link
https://surf-admin-1.surf-admin.link/lp_login.html	https://surf-admin-1.surf-admin.link/file.html
https://backend.portal-surf-security.link	https://admin.portal-surf-security.link
https://k4hhwh5mrkgjx5f7r42efe4wwa0devrw.lambda-url.eu-west-2.on.aws/	https://r5pxpvohtigoiqaf5nunoj5g2m0zkriz.lambda-url.eu-west-2.on.aws/
https://admin.portal-surf-security.link/lp_login.html	https://backend.portal-surf-security.link/file.html
https://onboarding-staging.portal-surf-security.link	https://data-transfer-staging.portal-surf-security.link
https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.	http://www.w3.org/2000/svg
https://accounts.google.com	https://raw.githubusercontent.com/PeterDaveHello/url-shorteners/master/list
https://api.metadefender.com/v4/hash/	https://tinyurl.com/y2uuvskb
http://bit.ly/2kdckMn	https://bit.ly/3cXEKWf
https://redux.js.org/Errors?code=	https://webpack.js.org/configuration/resolve/#resolvemainfields
https://github.com/rollup/@rollup/plugin-node-resolve	https://firebaseinstallations.googleapis.com/v1
https://fcmregistrations.googleapis.com/v1	https://chromewebstore.google.com/detail/
https://chrome.google.com/webstore/detail/	https://microsoftedge.microsoft.com/addons/detail/
https://fonts.googleapis.com/css?family=	https://nuwted7pcd.execute-api.eu-west-2.amazonaws.com/prod/use-lambda-login/
https://nuwted7pcd.execute-api.eu-west-2.amazonaws.com/prod/use-lambda-login/dpc-and-login-config/	https://bugs.webkit.org/show_bug.cgi?id=68196
https://mui.com/production-error/?code=	http://www.w3.org/1998/Math/MathML
http://www.w3.org/1999/xhtml	https://stuk.github.io/jszip/documentation/howto/read_zip.html
http://fb.me/use-check-prop-types	https://reactjs.org/docs/error-decoder.html?invariant=
http://www.w3.org/1999/xlink	http://www.w3.org/XML/1998/namespace
https://github.com/zloirock/core-js/blob/v3.31.0/LICENSE	https://github.com/zloirock/core-js
https://reactjs.org/link/react-polyfills	https://accounts.google.com/
https://fonts.googleapis.com	https://clients2.google.com/service/update2/crx

Page 1 of 2

Raw Manifest

{
  "name": "__MSG_extName__",
  "icons": {
    "16": "assets/icon_16.png",
    "48": "assets/icon_48.png",
    "128": "assets/icon_128.png"
  },
  "action": {
    "default_icon": "assets/disconnected_128x128.png",
    "default_popup": "Popup.html",
    "default_title": "__MSG_extName__"
  },
  "version": "1.4.118",
  "background": {
    "service_worker": "js/Background.bundle.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_extDesc__",
  "permissions": [
    "system.cpu",
    "scripting",
    "storage",
    "activeTab",
    "tabs",
    "alarms",
    "declarativeNetRequest",
    "webNavigation",
    "management",
    "downloads",
    "cookies",
    "idle",
    "proxy",
    "notifications",
    "identity",
    "identity.email",
    "nativeMessaging"
  ],
  "default_locale": "en",
  "host_permissions": [
    "<all_urls>",
    "*://*/*"
  ],
  "manifest_version": 3,
  "externally_connectable": {
    "ids": [
      "*"
    ],
    "matches": [
      "*://*.portal-surf-security.link/*",
      "*://*.admin.surf-admin.link/*"
    ]
  },
  "minimum_chrome_version": "107",
  "content_security_policy": {
    "extension_pages": "script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self'; object-src 'self'; frame-src 'none';"
  },
  "declarative_net_request": {
    "rule_resources": [
      {
        "id": "ruleset_1",
        "path": "assets/rules.json",
        "enabled": false
      }
    ]
  },
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "*.png",
        "*.js",
        "*.css",
        "*.scss",
        "*.html",
        "*.json",
        "*.svg"
      ],
      "extension_ids": []
    }
  ]
}

by ✦ Astarte

Surf Security 5

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (91 total):

Raw Manifest

Detections

Manifest Findings