Elcorn Extension

Name: Security Analysis: Elcorn Extension
Item: Elcorn Extension
Rating: 5
Author: ChromeBoard

✨ AI-Powered 🔍 Security Report Available

👥 6 users

📦 v1.0.5

💾 320KiB

📅 2026-01-24

View on Chrome Web Store

Chrome will indicate if you already have this installed.

Overview

A smart extension that helps you manage leads more efficiently with quick, AI-powered reply suggestions and streamlined conversation tracking.

Boost your productivity with an AI-driven extension that ensures faster follow-ups.

It works directly alongside WhatsApp to help teams stay organized, respond faster, and reduce manual effort—without changing how they already communicate.

Instead of switching between spreadsheets, notes, and chat windows, the extension brings structure to WhatsApp conversations by helping you manage leads, track interactions, and act on them at the right time.

With built-in AI support, it assists users with quick reply suggestions, helping teams respond consistently and faster while still keeping conversations natural and human. This is especially useful when handling repetitive questions, enquiries, or follow-ups throughout the day.

The extension also helps streamline conversation tracking, so important chats don’t get lost as message volumes grow. Teams gain better visibility into ongoing conversations, pending responses, and lead status—making it easier to prioritize and follow up without relying on memory or manual reminders.

Key benefits include:
-Faster responses with AI-assisted reply suggestions
-Better organization of WhatsApp conversations
-Improved lead handling and follow-up efficiency
-Reduced manual work and context switching
-Increased productivity for sales and support teams

This tool is ideal for small and growing businesses that use WhatsApp as a primary communication channel and want more control, clarity, and efficiency—without the complexity of traditional systems.

Simple to use, lightweight, and built for real-world workflows, the extension helps teams stay on top of conversations and focus more on closing deals and helping customers, rather than managing chaos.

Privacy Practices

✓ Not being sold to third parties, outside of the approved use cases

✓ Not being used or transferred for purposes that are unrelated to the item's core functionality

✓ Not being used or transferred to determine creditworthiness or for lending purposes

v1.0.5 Info Scanned Mar 3, 2026

Security Analysis — Elcorn Extension

Analyzed v1.0.5 · Mar 3, 2026 · 40 JS files · 1185 KB scanned

Permissions

Code Patterns Detected

External Connections

crm.elcorn.com chat.whatsapp.com api.elcorn.com whatsapp.com www.whatsapp.com www.w3.org analytics.google.com wajsapi.titanchat.com.br wppc-linkpreview.cloudtrix.com.br wa.me

Package Contents 51 files · 1.2MB

▾📁_metadata7KB

{}verified_contents.json7KB

▾📁icons21KB

🖼elcorn-logo-circle.png18KB

🖼icon.svg1KB

🖼icon128.png872B

🖼icon16.png138B

🖼icon32.png338B

🖼icon48.png390B

▾📁scripts1.1MB

▾📁modules82KB

📜AiAutoResponder.js6KB

📜SimpleAIPoller.js4KB

📜crm-api-bridge.js3KB

📜crm-api-client.js8KB

📜crm-chat-categorizer.js4KB

📜crm-conversation-manager.js2KB

📜crm-followup-manager.js5KB

📜crm-lead-manager.js3KB

📜crm-message-handler.js3KB

📜crm-notifications.js7KB

📜crm-ui-panels.js12KB

📜crm-wpp-integration.js4KB

📜quick-reply-manager.js5KB

📜session-manager.js14KB

▾📁utils41KB

📜cache-manager.js5KB

📜dom-helpers.js3KB

📜error-suppressor.js2KB

📜html-helpers.js2KB

📜lazy-loader.js1KB

📜message-debouncer.js770B

📜message-detection.js6KB

📜message-serializer.js2KB

📜performance-monitor.js3KB

📜phone-utils.js3KB

📜request-utils.js2KB

📜resource-manager.js2KB

📜safe-listener.js552B

📜sleep.js108B

📜smart-scheduler.js3KB

📜store-initializer.js2KB

📜wpp-helpers.js3KB

📜crm-ui-clean.js413KBlarge

📜w-ui.js95KBlarge

📜wa-inject.js456KBlarge

📜wa-ui-components.js22KB

📜wpp-init.js1KB

▾📁styles20KB

🎨crm-styles.css20KB

📜background.js4KB

🎨content.css5KB

📜content.js62KBlarge

📜injected.js6KB

{}manifest.json3KB

🌐popup.html6KB

📜popup.js2KB

What This Extension Does

The Elcorn Extension is a productivity tool that helps manage leads on WhatsApp by providing AI-powered reply suggestions, conversation tracking, and lead status visibility. It's designed for small businesses using WhatsApp as their primary communication channel. However, its functionality and permission scope raise some concerns about data exposure and potential security risks.

Permissions Explained

storageexpected: This lets the extension store and retrieve data on your device, such as lead information and conversation history.
Technical: The extension has access to browser storage through the chrome.storage API, which allows it to read and write data. This could potentially expose sensitive user data if compromised.
https://web.whatsapp.com/*expected: This lets the extension interact with WhatsApp web, allowing it to access your conversations and send/receive messages on your behalf.
Technical: The extension injects a content script into WhatsApp web pages, giving it access to page content, including user data. This could potentially expose sensitive information if compromised. ⚠ 1
https://crm.elcorn.com/*expected: This lets the extension send data to Elcorn's CRM server, which is used for lead management and tracking.
Technical: The extension sends data to Elcorn's CRM server using HTTPS, but it's unclear what specific data is being sent. This could potentially expose sensitive user data if compromised. ⚠ 1

Your Data

The extension accesses browser storage and sends data to Elcorn's CRM server, which may include lead information, conversation history, and other sensitive user data. It also interacts with WhatsApp web, potentially exposing page content and user data.

Technical Details

The extension contacts the following domains: crm.elcorn.com, chat.whatsapp.com, api.elcorn.com, whatsapp.com, www.whatsapp.com, www.w3.org, analytics.google.com, wajsapi.titanchat.com.br, wppc-linkpreview.cloudtrix.com.br, wa.me. It uses HTTPS for data transfer but may not encrypt all data types (e.g., cookies).

Code Findings

Eval() usedHigh

The extension uses eval(), which can execute arbitrary code, potentially allowing attackers to inject malicious scripts.

Technical: The extension uses eval() in the background service worker (background.js) to evaluate user input. This could allow an attacker to inject malicious code if they can manipulate the input.

💡 Legitimate extensions may use eval() for dynamic code evaluation, but it's generally considered a high-risk practice.

SetInterval with stringHigh

The extension uses setInterval() with a string argument, which can lead to memory leaks and potential code injection attacks.

Technical: The extension uses setInterval() in the content script (content.js) with a string argument. This could allow an attacker to inject malicious code if they can manipulate the interval function.

💡 Legitimate extensions may use setInterval() for dynamic scheduling, but using strings as arguments is generally considered insecure.

innerHTML assignmentMedium

The extension uses innerHTML assignment, which can lead to XSS vulnerabilities if user input is not properly sanitized.

Technical: The extension uses innerHTML assignment in the content script (content.js) to update page content. This could allow an attacker to inject malicious scripts if they can manipulate the input.

💡 Legitimate extensions may use innerHTML assignment for dynamic content updates, but it's generally considered a medium-risk practice.

Bottom Line

The Elcorn Extension has some concerning security findings, including the use of eval(), setInterval() with strings, and innerHTML assignment. While its functionality is designed to improve productivity, these risks may outweigh the benefits for users. We recommend exercising caution when installing this extension and monitoring its behavior closely.