Extension Details
Context-Aware Verdict
The extension has a very small user base of only 1,000 users, which limits community validation. While it maintains a decent 4.7-star rating, this is based on only 9 reviews, making it statistically insignificant. The developer domain "toastlog.com" suggests a logging or debugging tool, which aligns with the extension name. However, the lack of detailed developer information and limited adoption raises trust concerns.
The extension's permission set is extremely broad and concerning for what appears to be a logging utility. The combination of all_urls host permissions with content script injection capabilities creates a powerful surveillance mechanism that could access sensitive data across all websites. The storage permission allows persistent data collection, while activeTab provides additional access vectors. For a logging tool, these permissions seem excessive and could enable credential theft, session hijacking, or comprehensive browsing surveillance.
Given the high-risk profile, avoid installing this extension unless absolutely necessary. If you must use it, create a dedicated Chrome profile isolated from your primary browsing activities, especially banking and sensitive sites. Consider alternative logging tools with more restricted permissions. Monitor your accounts for unusual activity if you've already installed it. The broad permissions combined with low adoption make this extension particularly risky for general use.
Findings
Security Analysis Details
Required Permissions:
- storage
- activeTab
- scripting
Host Permissions:
- <all_urls>
Embedded URLs (19 total):
| https://api.toastlog.com/license/status?key= | https://api.toastlog.com/license/activate | |
| https://fontawesome.com/license/free. | https://creativecommons.org/licenses/by/4.0/ | |
| https://scripts.sil.org/OFL | https://opensource.org/licenses/MIT | |
| https://fontawesome.com | https://fontawesome.com/license/free | |
| http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd | http://www.w3.org/2000/svg | |
| http://www.w3.org/1999/xlink | http://goo.gl/7AJzbL | |
| https://toastlog.com/my-license | https://toastlog.com/contact | |
| https://github.com/apvarun/toastify-js | https://web.dev/vitals/ | |
| https://www.google.com/search?q= | https://clients2.google.com/service/update2/crx | |
| https://toastlog.com |
Raw Manifest
{ "name": "toast.log", "icons": { "96": "icon_96.png", "128": "icon_128.png" }, "action": { "default_icon": "icon.png" }, "version": "2.6.2", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Get console errors right on your page. See logs in a toast notification format and find out bugs you didn't know existed.", "permissions": [ "storage", "activeTab", "scripting" ], "homepage_url": "https://toastlog.com", "content_scripts": [ { "js": [ "initial-console-listener.js" ], "world": "MAIN", "run_at": "document_start", "matches": [ "<all_urls>" ] }, { "js": [ "content-script.js" ], "run_at": "document_start", "matches": [ "<all_urls>" ] } ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "main.js", "console-listener.js", "logo.svg", "fontawesome/*", "img/*", "css/*" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.