Ac Message To
Overview
v1.0
Open WhatsApp chats with any number not saved in your contacts!
--------------------------------------------------------
Start WhatsApp chats with any number not saved in your contacts
Security Analysis — Ac Message To
Package Contents 18 files · 1.4MB
What This Extension Does
AC Message To is a Chrome extension that allows users to open WhatsApp chats with any number not saved in their contacts. It's designed for individuals who frequently interact with unknown numbers on WhatsApp. However, its functionality and permissions raise some concerns.
Permissions Explained
- storage (expected): This permission lets the extension store data locally on your device.
Technical: The extension can access local storage using Chrome's chrome.storage API. This allows it to save and retrieve data, potentially storing sensitive information if not properly sanitized.
- contextMenus (expected): This permission enables the extension to create custom context menu items in your browser.
Technical: The extension uses chrome.contextMenus API to create context menu items. This allows it to inject custom actions into your browsing experience, potentially leading to XSS vulnerabilities if not properly sanitized.
- notifications (expected): This permission lets the extension display notifications in your browser.
Technical: The extension uses chrome.notifications API to display notifications. This allows it to interrupt your browsing experience and potentially distract you from security-related issues.
Your Data
AC Message To accesses local storage on your device and sends data to WhatsApp's API, as well as other external domains. It does not collect any sensitive information from the user.
Technical Details
www.w3.org, api.whatsapp.com, reactjs.org, and www.paypal.com. The communication protocol is HTTP, with no encryption observed. The data types exchanged are likely to be JSON objects containing chat metadata.
Code Findings
This finding indicates that the extension uses innerHTML assignments, which can lead to cross-site scripting (XSS) vulnerabilities if not properly sanitized.
Technical: The extension's code contains instances of innerHTML assignment in JavaScript files. This pattern is commonly used for DOM manipulation but can be exploited by malicious scripts if not properly sanitized.
💡 Legitimate extensions often use innerHTML assignments to dynamically update page content, but this requires proper sanitization to prevent XSS attacks.
This finding suggests that the extension uses String.fromCharCode for obfuscation purposes, which can make it harder to analyze and understand its behavior.
Technical: The extension's code contains instances of String.fromCharCode used in conjunction with other functions. This pattern is often used for obfuscation but can also be indicative of malicious intent.
💡 Legitimate extensions may use String.fromCharCode for encoding or decoding purposes, but this should not obscure the underlying functionality.
This finding indicates that the extension creates custom context menu items in your browser.
Technical: The extension uses chrome.contextMenus API to create context menu items. This allows it to inject custom actions into your browsing experience, potentially leading to XSS vulnerabilities if not properly sanitized.
💡 Legitimate extensions often use context menus to provide additional functionality or actions for the user.
This finding indicates that the extension displays notifications in your browser.
Technical: The extension uses chrome.notifications API to display notifications. This allows it to interrupt your browsing experience and potentially distract you from security-related issues.
💡 Legitimate extensions often use notifications to inform users of important events or updates.
This finding indicates that the extension sets up event listeners for various browser events.
Technical: The extension's code contains instances of addEventListener used to set up event listeners. This allows it to respond to user interactions and other browser events, potentially leading to security issues if not properly sanitized.
💡 Legitimate extensions often use event listeners to provide additional functionality or actions for the user.
AC Message To is a Chrome extension that raises some concerns regarding its permissions and code behavior. While it provides a useful feature, its potential XSS vulnerabilities and obfuscation patterns warrant further investigation and caution from users.