Dialpad Chrome Cti
Overview
The Dialpad Chrome Extension makes calling and texting in your Chrome browser a breeze. Seamlessly click to call or text any phone number that appears in your browser and access powerful Dialpad features including your communications history, contact profiles, and call center status without leaving Chrome. Users can set up the Chrome extension in minutes and choose to use the extension in multiple preset apps without any additional configuration.
Click to call and text:
Hover over numbers within your Chrome browser tab to seamlessly dial and send messages with Dialpad. Click on Dialpad links even when they are not recognized as hyperlinks.
Chrome CTI dialer:
Use the CTI to make and receive calls without leaving Chrome. Choose to set your call center status, set yourself to do-not-disturb, manage your contacts, and view all your recent communications history all within the dialer.
Effortless setup:
Use the CTI with preset websites. No additional configuration needed.
Customizable settings:
Opt out of preset websites or set up your own through your Dialpad web settings.
Getting started:
1) Download the extension
2) Click on the Puzzle Icon (Extensions) on the top right
3) Click on Dialpad CTI Extension
4) Log in
5) Make sure you are on a Google website/domain* and refresh your browser tab
6) Click on Dialpad CTI Extension again and ‘Launch CTI’
Note: For websites that are not included with the package, like your own company page or preferred website/email/system, you’ll need to add the domains to your Dialpad Settings first. Please refer to this article (https://help.dialpad.com/hc/en-us/articles/4496324816795) to get started.
Security Analysis — Dialpad Chrome Cti
What This Extension Does
The Dialpad Chrome CTI extension allows users to make calls and send messages directly from their browser by integrating with the Dialpad service. It solves the problem of switching between applications when communicating, especially for professionals who rely on phone systems within web-based tools. This tool is primarily aimed at business users or those using Dialpad's communication platform.
Permissions Explained
- tabs (expected): This lets the extension see and interact with all open browser tabs, which it needs to monitor page content for phone numbers and inject its functionality.
  Technical: Grants access to Chrome's Tab API, allowing read/write access to tab data including URL, title, and content. If compromised, could enable tracking of browsing behavior or manipulation of web pages.
- notifications (expected): Used to show alerts when actions like calling or messaging are completed or triggered.
  Technical: Accesses Chrome's Notification API for displaying UI notifications. No sensitive data is exposed, but could be misused for phishing or spam if abused.
- storage (expected): Stores user settings and preferences locally in the browser so that the extension remembers your configuration across sessions.
  Technical: Uses Chrome's Storage API to persist data like login tokens, domain lists, or UI states. If compromised, could expose personal communication history or settings.
- identity (expected): Allows the extension to authenticate users with their Dialpad accounts and manage access tokens for secure login.
  Technical: Accesses Chrome's Identity API, which enables OAuth-based authentication flows. If misused, could allow unauthorized account access or impersonation.
- contextMenus (expected): Enables the extension to add custom menu items in the browser context menu (e.g., right-click options) for quick actions like calling a number.
  Technical: Uses Chrome's Context Menus API, which allows creation of menus that can trigger scripts or open URLs. Could be used maliciously if misconfigured to inject unwanted behavior.
- scripting (expected): Lets the extension run JavaScript code on web pages, enabling features like detecting phone numbers and injecting call buttons.
  Technical: Grants access to Chrome's Scripting API for injecting content scripts into tabs. This is essential for functionality but can be exploited if not properly sandboxed or validated.
- enterprise.hardwarePlatform (expected): Used only in enterprise environments to access hardware-specific information, likely for compatibility checks.
  Technical: Accesses Chrome's Enterprise Hardware Platform API. Not relevant for standard users and may be used for device identification or policy enforcement in business settings.
- https://dialpad.com/* (expected): This host permission allows the extension to communicate with Dialpad's servers, which is necessary for logging in and syncing communication data.
  Technical: Grants full access to dialpad.com domains including cookies, tokens, and page content. If compromised, could allow unauthorized access to user communications or account details.
Your Data
The extension accesses local browser data such as tab information and settings, and sends this along with communication metadata (like call logs) to Dialpad's servers. It also interacts with third-party domains like w3.org for potential web standards compliance checks.
Technical Details
Data is sent over HTTPS to dialpad.com and dialpadbeta.com. The extension may transmit cookies, tokens, page content snippets, and user interaction data (e.g., clicked numbers). No explicit encryption details are provided; however, standard TLS 1.2+ should be assumed for network traffic.
Code Findings
The extension uses a method that allows it to execute code dynamically, which can make the behavior unpredictable and harder to analyze.
Technical: Code uses new Function() constructor in one or more JavaScript files. This bypasses static analysis tools and may allow execution of arbitrary code at runtime, potentially leading to remote code injection if input is not sanitized.
💡 Commonly used for dynamic behavior in legitimate extensions that need flexible logic handling (e.g., plugin systems).
The extension assigns HTML content directly into the page, which could allow attackers to inject malicious scripts if input is not properly sanitized.
Technical: Uses element.innerHTML = ... in multiple places. If user-provided or external data flows into this assignment without sanitization, it can lead to cross-site scripting (XSS) vulnerabilities.
💡 Standard practice for rendering dynamic UI elements; however, requires strict validation of inputs.
The extension uses obfuscation techniques to hide code logic, which can make it harder for analysts or users to understand what the extension is doing.
Technical: Code contains calls to String.fromCharCode() and charCodeAt(), often used in obfuscated scripts. This pattern suggests attempts to obscure functionality from casual inspection.
💡 Used by both legitimate and malicious extensions; common in code minification or anti-analysis techniques.
The extension creates new script elements dynamically, which can be used to load and execute external JavaScript — potentially including malicious code.
Technical: Uses document.createElement('script') followed by an assignment to the element's .src or .text property. If the source is not controlled or validated, this could allow loading of third-party scripts from untrusted domains.
💡 Used in legitimate extensions to inject libraries or external APIs; however, must be done carefully with trusted sources only.
The extension watches for changes in local storage, which could help it track user behavior or detect configuration updates.
Technical: Uses chrome.storage.onChanged.addListener() to monitor changes. While useful for syncing preferences, this can also be leveraged to observe sensitive data modifications over time.
💡 Standard practice in extensions that rely on persistent settings and need real-time sync behavior.
Adds custom menu options to the browser context menu, which can be used for quick actions but may also introduce unexpected interactions.
Technical: Uses chrome.contextMenus.create() to add items. If not carefully managed, these menus could be manipulated or abused to trigger unwanted behavior on click.
💡 Common in extensions that provide enhanced browser interaction features like copy/paste tools or quick actions.
The extension does not enforce a strict Content Security Policy, which could leave it vulnerable to injection attacks if dynamic content is rendered.
Technical: No content_security_policy entry was found in the manifest, and no CSP is applied to injected scripts. This increases the risk of XSS because there are no restrictions on script sources or inline execution.
💡 Some extensions do not include CSP for simplicity; however, this should be considered a security gap unless mitigated by other means.
The extension injects its content scripts on all web pages, which may increase attack surface or privacy exposure.
Technical: Manifest includes content_scripts with pattern <all_urls>. This means the script runs everywhere and could potentially interfere with security-sensitive sites like banking or email platforms.
💡 Used in extensions that require broad access to web content for features such as number detection, but should be limited where possible.
The Dialpad Chrome CTI extension appears aligned with its stated purpose of enabling browser-based calling and messaging. However, several concerning behaviors were identified including dynamic code execution, obfuscation techniques, and lack of CSP enforcement that raise potential security risks. Users should exercise caution when using this extension, especially on sensitive or private websites where data exposure could occur.