Starting analysis...
Privacy Badger
Version 2024.7.17 View in Chrome Web Store
Last scanned: 10 months ago
| force re-scan
Extension Details
Developer:
www.eff.org
Rating:
4.4 ★
(1.8K ratings)
Size:
1.75MiB
Last Updated:
December 18, 2024
Users:
1,000,000
Developer Info:
Electronic Frontier Foundation815 Eddy St
San Francisco, CA 94109-7701
US
Context-Aware Verdict
This section provides a Claude-based AI analysis that applies additional context to the risk. Results are not guaranteed to be accurate.
LOW
Risk Level
Trust Factors:
- The extension is developed by the reputable non-profit organization Electronic Frontier Foundation (EFF), which advocates for digital privacy and civil liberties. This adds credibility.
- It has over 1 million users and a relatively high rating of 4.4/5 from 1.8K reviews, suggesting it is well-received by users.
- The description indicates it is a privacy tool to block trackers and protect user privacy, aligning with the permissions it requests.
Potential Concerns:
- It requests broad permissions like <all_urls> host permission and ability to inject scripts on any website. While potentially needed for its functionality, this could theoretically be abused.
- Permissions like webRequest, webNavigation, and tabs allow monitoring/modifying browsing activity and tabs.
Recommendations:
- The extension's purpose and developer reputation suggest the permissions are likely used as intended for privacy protection rather than malicious aims.
- However, users very concerned about risk can enable it only for a separate browser profile used for general browsing to limit exposure.
- Periodically review the extension's behavior and uninstall if any suspicious activity is detected.
- As a privacy tool, it necessarily needs broad access, so some trust in the developer is required for functionality.
Security Analysis
This section provides a detailed analysis of the extension's security posture, without broader context. Assumes worst-case impact.
CRITICAL
Overall Risk
Based on 7 total findings, ranked without considering overall context, including 6 high-risk and 1 medium-risk findings.
HIGH
Broad Content Script Injection
This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.
HIGH
Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.
HIGH
High-Risk Permission: privacy
This extension has the privacy permission. Can modify privacy settings. This could potentially be used maliciously to compromise security or privacy.
HIGH
High-Risk Permission: tabs
This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.
HIGH
High-Risk Permission: webNavigation
This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.
HIGH
High-Risk Permission: webRequest
This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.
MEDIUM
Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.
Security Analysis Details
Required Permissions:
- alarms
- declarativeNetRequest
- privacy
- scripting
- storage
- tabs
- webNavigation
- webRequest
Host Permissions:
- <all_urls>
Embedded URLs (853 total):
| https://privacybadger.org/ | http://www.gnu.org/licenses/ | |
| https://www.eff.org/badger-pretraining | https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ | |
| https://www.google.com/intl/en/chrome/privacy/whitepaper.html#netpredict | https://www.google.com/chrome/privacy/archive/20220623/#how-chrome-handles-your-information | |
| https://www.eff.org/deeplinks/2023/09/how-turn-googles-privacy-sandbox-ad-tracking-and-why-you-should | https://www.eff.org/badger-evolution | |
| https://www.eff.org/ | https://privacybadger.org/#faq | |
| https://privacybadger.org/#What-is-a-third-party-tracker | https://supporters.eff.org/donate/support-privacy-badger | |
| https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fprivacybadger.org%2F | https://twitter.com/intent/post?text=I%20just%20installed%20Privacy%20Badger%2C%20a%20browser%20extension%20from%20%40EFF%20that%20automatically%20learns%20to%20block%20invisible%20trackers%20https%3A%2F%2Fprivacybadger.org%2F | |
| https://mastodonshare.com/?text=I%20just%20installed%20Privacy%20Badger%2C%20a%20browser%20extension%20from%20%40eff%40mastodon.social%20that%20automatically%20learns%20to%20block%20invisible%20trackers%20https%3A%2F%2Fprivacybadger.org%2F | https://www.eff.org/code/privacy/policy | |
| https://codepen.io/sosuke/pen/Pjoqqp | http://www.w3.org/2000/svg | |
| http://www.w3.org/1999/xlink | http://www.inkscape.org/ | |
| http://purl.org/dc/elements/1.1/ | http://creativecommons.org/ns# | |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd | |
| http://www.inkscape.org/namespaces/inkscape | http://purl.org/dc/dcmitype/StillImage | |
| https://github.com/EFForg/privacybadger/blob/master/doc/DESIGN-AND-ROADMAP.md#data-structures | https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ | |
| https://github.com/parshap/node-sanitize-filename/blob/ef1e8ad58e95eb90f8a01f209edf55cd4176e9c8/index.js | https://privacybadger.org/#How-does-Privacy-Badger-work | |
| https://stackoverflow.com/a/22635728 | https://github.com/EFForg/privacybadger/pull/2245#issuecomment-545545717 | |
| https://support.cloudflare.com/hc/en-us/articles/200170156-Understanding-the-Cloudflare-Cookies | http://www.opensource.org/licenses/mit-license.php | |
| https://github.com/ghostwords/chameleon | https://github.com/EFForg/privacybadger/pull/1522 | |
| https://github.com/EFForg/privacybadger/commit/39d5d0899e22d1c451d429e44553c5f9cad7fc46 | https://privacybadger.org/#How-does-Privacy-Badger-handle-social-media-widgets | |
| https://twitter.com/ | https://github.com/v8/v8/wiki/Stack-Trace-API | |
| https://github.com/csnover/TraceKit/blob/b76ad786f84ed0c94701c83d8963458a8da54d57/tracekit.js#L641 | https://stackoverflow.com/questions/49092423/how-to-break-on-localstorage-changes | |
| https://bugs.chromium.org/p/chromium/issues/detail?id=1207006#c4 | https://rumble.com/embedJS/ | |
| https://rumble.com/embed/ | https://www.google.com/recaptcha/ | |
| https://www.recaptcha.net/recaptcha/ | https://www.youtube.com/iframe_api | |
| https://www.youtube.com/player_api | https://www.youtube.com/embed/ | |
| https://groups.google.com/a/chromium.org/d/msg/chromium-extensions/0ei-UCHNm34/lDaXwQhzBAAJ | https://challenges.cloudflare.com/ | |
| https://cdn.embedly.com/ | https://github.com/w3c/webextensions/issues/57#issuecomment-914491167 | |
| https://github.com/w3c/webextensions/issues/78#issuecomment-921058071 | https://privacybadger.org/#-I-am-an-online-advertising-tracking-company.--How-do-I-stop-Privacy-Badger-from-blocking-me | |
| https://privacybadger.org/#Is-Privacy-Badger-breaking-YouTube | https://privacybadger.org/reporting | |
| https://issues.chromium.org/issues/40825583 | https://crbug.com/1261768 | |
| https://www.eff.org/deeplinks/2023/10/privacy-badger-learns-block-ever-more-trackers | https://github.com/EFForg/privacybadger/issues/2712 | |
| https://www.eff.org/dnt-policy | http://www.html5rocks.com/en/tutorials/file/filesystem/ | |
| https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwn | http://stackoverflow.com/questions/23072815/throttle-javascript-function-calls-but-with-queuing-dont-discard-calls | |
| https://github.com/mathiasbynens/CSS.escape/blob/4b25c283eaf4dd443f44a7096463e973d56dd1b2/css.escape.js | https://mths.be/cssescape | |
| https://drafts.csswg.org/cssom/#escape-a-character-as-code-point | https://drafts.csswg.org/cssom/#escape-a-character | |
| https://stackoverflow.com/questions/5663987/how-to-properly-escape-characters-in-regexp/5664273#5664273 | https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions#escaping | |
| https://github.com/hackademix/noscript/blob/a8b35486571933043bb62e90076436dff2a34cd2/src/lib/restricted.js | https://developer.chrome.com/extensions/match_patterns | |
| https://www.eff.org/files/dnt-policies.json | https://www.eff.org/files/cookieblocklist_new.txt | |
| https://www.google.com/url? | https://github.com/mgziminsky/FacebookTrackingRemoval | |
| http://www.bohemiancoding.com/sketch | https://privacybadger.org/#What-about-tracking-by-the-sites-I-actively-visit%2c-like-NYTimes.com-or-Facebook.com |
Page 1 of 11
Raw Manifest
{ "name": "__MSG_name__", "icons": { "16": "icons/badger-16.png", "19": "icons/badger-19.png", "38": "icons/badger-38.png", "48": "icons/badger-48.png", "64": "icons/badger-64.png", "128": "icons/badger-128.png" }, "action": { "default_area": "navbar", "default_icon": { "19": "icons/badger-19-disabled.png", "38": "icons/badger-38-disabled.png" }, "default_popup": "skin/popup.html", "default_title": "__MSG_name__" }, "author": { "email": "eff.software.projects@gmail.com" }, "storage": { "managed_schema": "data/schema.json" }, "version": "2024.7.17", "incognito": "spanning", "background": { "type": "module", "scripts": [ "js/background.js" ], "service_worker": "js/background.js" }, "options_ui": { "page": "/skin/options.html", "open_in_tab": true }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_description__", "permissions": [ "alarms", "declarativeNetRequest", "privacy", "scripting", "storage", "tabs", "webNavigation", "webRequest" ], "default_locale": "en_US", "content_scripts": [ { "js": [ "js/firstparties/lib/utils.js", "js/firstparties/facebook.js" ], "run_at": "document_idle", "matches": [ "https://*.facebook.com/*", "http://*.facebook.com/*", "https://*.messenger.com/*", "http://*.messenger.com/*", "*://*.facebookcorewwwi.onion/*" ] }, { "js": [ "js/firstparties/lib/utils.js", "js/firstparties/google.js" ], "run_at": "document_idle", "matches": [ "https://docs.google.com/*", "http://docs.google.com/*", "https://mail.google.com/*", "http://mail.google.com/*", "https://www.google.com/*", "http://www.google.com/*", "https://www.google.ad/*", "http://www.google.ad/*", "https://www.google.ae/*", "http://www.google.ae/*", "https://www.google.com.af/*", "http://www.google.com.af/*", "https://www.google.com.ag/*", "http://www.google.com.ag/*", "https://www.google.com.ai/*", "http://www.google.com.ai/*", "https://www.google.al/*", "http://www.google.al/*", "https://www.google.am/*", "http://www.google.am/*", "https://www.google.co.ao/*", "http://www.google.co.ao/*", "https://www.google.com.ar/*", "http://www.google.com.ar/*", "https://www.google.as/*", "http://www.google.as/*", "https://www.google.at/*", "http://www.google.at/*", "https://www.google.com.au/*", "http://www.google.com.au/*", "https://www.google.az/*", "http://www.google.az/*", "https://www.google.ba/*", "http://www.google.ba/*", "https://www.google.com.bd/*", "http://www.google.com.bd/*", "https://www.google.be/*", "http://www.google.be/*", "https://www.google.bf/*", "http://www.google.bf/*", "https://www.google.bg/*", "http://www.google.bg/*", "https://www.google.com.bh/*", "http://www.google.com.bh/*", "https://www.google.bi/*", "http://www.google.bi/*", "https://www.google.bj/*", "http://www.google.bj/*", "https://www.google.com.bn/*", "http://www.google.com.bn/*", "https://www.google.com.bo/*", "http://www.google.com.bo/*", "https://www.google.com.br/*", "http://www.google.com.br/*", "https://www.google.bs/*", "http://www.google.bs/*", "https://www.google.bt/*", "http://www.google.bt/*", "https://www.google.co.bw/*", "http://www.google.co.bw/*", "https://www.google.by/*", "http://www.google.by/*", "https://www.google.com.bz/*", "http://www.google.com.bz/*", "https://www.google.ca/*", "http://www.google.ca/*", "https://www.google.cd/*", "http://www.google.cd/*", "https://www.google.cf/*", "http://www.google.cf/*", "https://www.google.cg/*", "http://www.google.cg/*", "https://www.google.ch/*", "http://www.google.ch/*", "https://www.google.ci/*", "http://www.google.ci/*", "https://www.google.co.ck/*", "http://www.google.co.ck/*", "https://www.google.cl/*", "http://www.google.cl/*", "https://www.google.cm/*", "http://www.google.cm/*", "https://www.google.cn/*", "http://www.google.cn/*", "https://www.google.com.co/*", "http://www.google.com.co/*", "https://www.google.co.cr/*", "http://www.google.co.cr/*", "https://www.google.com.cu/*", "http://www.google.com.cu/*", "https://www.google.cv/*", "http://www.google.cv/*", "https://www.google.com.cy/*", "http://www.google.com.cy/*", "https://www.google.cz/*", "http://www.google.cz/*", "https://www.google.de/*", "http://www.google.de/*", "https://www.google.dj/*", "http://www.google.dj/*", "https://www.google.dk/*", "http://www.google.dk/*", "https://www.google.dm/*", "http://www.google.dm/*", "https://www.google.com.do/*", "http://www.google.com.do/*", "https://www.google.dz/*", "http://www.google.dz/*", "https://www.google.com.ec/*", "http://www.google.com.ec/*", "https://www.google.ee/*", "http://www.google.ee/*", "https://www.google.com.eg/*", "http://www.google.com.eg/*", "https://www.google.es/*", "http://www.google.es/*", "https://www.google.com.et/*", "http://www.google.com.et/*", "https://www.google.fi/*", "http://www.google.fi/*", "https://www.google.com.fj/*", "http://www.google.com.fj/*", "https://www.google.fm/*", "http://www.google.fm/*", "https://www.google.fr/*", "http://www.google.fr/*", "https://www.google.ga/*", "http://www.google.ga/*", "https://www.google.ge/*", "http://www.google.ge/*", "https://www.google.gg/*", "http://www.google.gg/*", "https://www.google.com.gh/*", "http://www.google.com.gh/*", "https://www.google.com.gi/*", "http://www.google.com.gi/*", "https://www.google.gl/*", "http://www.google.gl/*", "https://www.google.gm/*", "http://www.google.gm/*", "https://www.google.gr/*", "http://www.google.gr/*", "https://www.google.com.gt/*", "http://www.google.com.gt/*", "https://www.google.gy/*", "http://www.google.gy/*", "https://www.google.com.hk/*", "http://www.google.com.hk/*", "https://www.google.hn/*", "http://www.google.hn/*", "https://www.google.hr/*", "http://www.google.hr/*", "https://www.google.ht/*", "http://www.google.ht/*", "https://www.google.hu/*", "http://www.google.hu/*", "https://www.google.co.id/*", "http://www.google.co.id/*", "https://www.google.ie/*", "http://www.google.ie/*", "https://www.google.co.il/*", "http://www.google.co.il/*", "https://www.google.im/*", "http://www.google.im/*", "https://www.google.co.in/*", "http://www.google.co.in/*", "https://www.google.iq/*", "http://www.google.iq/*", "https://www.google.is/*", "http://www.google.is/*", "https://www.google.it/*", "http://www.google.it/*", "https://www.google.je/*", "http://www.google.je/*", "https://www.google.com.jm/*", "http://www.google.com.jm/*", "https://www.google.jo/*", "http://www.google.jo/*", "https://www.google.co.jp/*", "http://www.google.co.jp/*", "https://www.google.co.ke/*", "http://www.google.co.ke/*", "https://www.google.com.kh/*", "http://www.google.com.kh/*", "https://www.google.ki/*", "http://www.google.ki/*", "https://www.google.kg/*", "http://www.google.kg/*", "https://www.google.co.kr/*", "http://www.google.co.kr/*", "https://www.google.com.kw/*", "http://www.google.com.kw/*", "https://www.google.kz/*", "http://www.google.kz/*", "https://www.google.la/*", "http://www.google.la/*", "https://www.google.com.lb/*", "http://www.google.com.lb/*", "https://www.google.li/*", "http://www.google.li/*", "https://www.google.lk/*", "http://www.google.lk/*", "https://www.google.co.ls/*", "http://www.google.co.ls/*", "https://www.google.lt/*", "http://www.google.lt/*", "https://www.google.lu/*", "http://www.google.lu/*", "https://www.google.lv/*", "http://www.google.lv/*", "https://www.google.com.ly/*", "http://www.google.com.ly/*", "https://www.google.co.ma/*", "http://www.google.co.ma/*", "https://www.google.md/*", "http://www.google.md/*", "https://www.google.me/*", "http://www.google.me/*", "https://www.google.mg/*", "http://www.google.mg/*", "https://www.google.mk/*", "http://www.google.mk/*", "https://www.google.ml/*", "http://www.google.ml/*", "https://www.google.com.mm/*", "http://www.google.com.mm/*", "https://www.google.mn/*", "http://www.google.mn/*", "https://www.google.ms/*", "http://www.google.ms/*", "https://www.google.com.mt/*", "http://www.google.com.mt/*", "https://www.google.mu/*", "http://www.google.mu/*", "https://www.google.mv/*", "http://www.google.mv/*", "https://www.google.mw/*", "http://www.google.mw/*", "https://www.google.com.mx/*", "http://www.google.com.mx/*", "https://www.google.com.my/*", "http://www.google.com.my/*", "https://www.google.co.mz/*", "http://www.google.co.mz/*", "https://www.google.com.na/*", "http://www.google.com.na/*", "https://www.google.com.ng/*", "http://www.google.com.ng/*", "https://www.google.com.ni/*", "http://www.google.com.ni/*", "https://www.google.ne/*", "http://www.google.ne/*", "https://www.google.nl/*", "http://www.google.nl/*", "https://www.google.no/*", "http://www.google.no/*", "https://www.google.com.np/*", "http://www.google.com.np/*", "https://www.google.nr/*", "http://www.google.nr/*", "https://www.google.nu/*", "http://www.google.nu/*", "https://www.google.co.nz/*", "http://www.google.co.nz/*", "https://www.google.com.om/*", "http://www.google.com.om/*", "https://www.google.com.pa/*", "http://www.google.com.pa/*", "https://www.google.com.pe/*", "http://www.google.com.pe/*", "https://www.google.com.pg/*", "http://www.google.com.pg/*", "https://www.google.com.ph/*", "http://www.google.com.ph/*", "https://www.google.com.pk/*", "http://www.google.com.pk/*", "https://www.google.pl/*", "http://www.google.pl/*", "https://www.google.pn/*", "http://www.google.pn/*", "https://www.google.com.pr/*", "http://www.google.com.pr/*", "https://www.google.ps/*", "http://www.google.ps/*", "https://www.google.pt/*", "http://www.google.pt/*", "https://www.google.com.py/*", "http://www.google.com.py/*", "https://www.google.com.qa/*", "http://www.google.com.qa/*", "https://www.google.ro/*", "http://www.google.ro/*", "https://www.google.ru/*", "http://www.google.ru/*", "https://www.google.rw/*", "http://www.google.rw/*", "https://www.google.com.sa/*", "http://www.google.com.sa/*", "https://www.google.com.sb/*", "http://www.google.com.sb/*", "https://www.google.sc/*", "http://www.google.sc/*", "https://www.google.se/*", "http://www.google.se/*", "https://www.google.com.sg/*", "http://www.google.com.sg/*", "https://www.google.sh/*", "http://www.google.sh/*", "https://www.google.si/*", "http://www.google.si/*", "https://www.google.sk/*", "http://www.google.sk/*", "https://www.google.com.sl/*", "http://www.google.com.sl/*", "https://www.google.sn/*", "http://www.google.sn/*", "https://www.google.so/*", "http://www.google.so/*", "https://www.google.sm/*", "http://www.google.sm/*", "https://www.google.sr/*", "http://www.google.sr/*", "https://www.google.st/*", "http://www.google.st/*", "https://www.google.com.sv/*", "http://www.google.com.sv/*", "https://www.google.td/*", "http://www.google.td/*", "https://www.google.tg/*", "http://www.google.tg/*", "https://www.google.co.th/*", "http://www.google.co.th/*", "https://www.google.com.tj/*", "http://www.google.com.tj/*", "https://www.google.tl/*", "http://www.google.tl/*", "https://www.google.tm/*", "http://www.google.tm/*", "https://www.google.tn/*", "http://www.google.tn/*", "https://www.google.to/*", "http://www.google.to/*", "https://www.google.com.tr/*", "http://www.google.com.tr/*", "https://www.google.tt/*", "http://www.google.tt/*", "https://www.google.com.tw/*", "http://www.google.com.tw/*", "https://www.google.co.tz/*", "http://www.google.co.tz/*", "https://www.google.com.ua/*", "http://www.google.com.ua/*", "https://www.google.co.ug/*", "http://www.google.co.ug/*", "https://www.google.co.uk/*", "http://www.google.co.uk/*", "https://www.google.com.uy/*", "http://www.google.com.uy/*", "https://www.google.co.uz/*", "http://www.google.co.uz/*", "https://www.google.com.vc/*", "http://www.google.com.vc/*", "https://www.google.co.ve/*", "http://www.google.co.ve/*", "https://www.google.vg/*", "http://www.google.vg/*", "https://www.google.co.vi/*", "http://www.google.co.vi/*", "https://www.google.com.vn/*", "http://www.google.com.vn/*", "https://www.google.vu/*", "http://www.google.vu/*", "https://www.google.ws/*", "http://www.google.ws/*", "https://www.google.rs/*", "http://www.google.rs/*", "https://www.google.co.za/*", "http://www.google.co.za/*", "https://www.google.co.zm/*", "http://www.google.co.zm/*", "https://www.google.co.zw/*", "http://www.google.co.zw/*", "https://www.google.cat/*", "http://www.google.cat/*" ] }, { "js": [ "js/contentscripts/utils.js", "js/contentscripts/clobberstorage.js", "js/contentscripts/fingerprinting.js" ], "run_at": "document_start", "matches": [ "<all_urls>" ], "all_frames": true, "match_about_blank": true }, { "js": [ "js/contentscripts/socialwidgets.js", "js/contentscripts/supercookie.js" ], "run_at": "document_idle", "matches": [ "<all_urls>" ], "all_frames": true, "match_about_blank": true } ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "minimum_chrome_version": "121.0", "declarative_net_request": { "rule_resources": [ { "id": "dnt_signal_ruleset", "path": "data/dnr/dnt_signal.json", "enabled": true }, { "id": "dnt_policy_ruleset", "path": "data/dnr/dnt_policy.json", "enabled": true }, { "id": "google_gen204_ruleset", "path": "data/dnr/gen204.json", "enabled": true }, { "id": "google_redirect_ruleset", "path": "data/dnr/bypass_redirects.json", "enabled": true } ] }, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "data/web_accessible_resources/*" ], "use_dynamic_url": true } ], "browser_specific_settings": { "gecko": { "id": "jid1-MnnxcxisBPnSXQ@jetpack", "strict_min_version": "128.0" }, "gecko_android": { "strict_min_version": "128.0" } } }
Secure Annex (beta)
Coming soon...