Endpoint Verification

👥 7M+ users
📦 v1.139.0
💾 1.31MiB
📅 2026-02-09
Overview

By installing this item, you agree to the Google Terms of Service and Privacy Policy at https://www.google.com/intl/en/policies/.

For more information: https://support.google.com/a/users/answer/9018161

Tags

Productivity/workflow

Privacy Practices

Not being sold to third parties, outside of the approved use cases
Not being used or transferred for purposes that are unrelated to the item's core functionality
Not being used or transferred to determine creditworthiness or for lending purposes
🔄 New version v1.139.0 detected — scan automatically queued.
v1.140.0 Info Scanned Mar 4, 2026

Security Analysis — Endpoint Verification

Analyzed v1.140.0 · Mar 4, 2026 · 6 JS files · 2097 KB scanned

Permissions

cookies, idle, nativeMessaging, storage, alarms, enterprise.deviceAttributes, enterprise.platformKeys, gcm, identity, identity.email, platformKeys, enterprise.reportingPrivate, offscreen, *://*.google.com/*

Code Patterns Detected

  • innerHTML assignment (potential XSS vector)
  • charCodeAt (obfuscation)
  • Uses Fetch API
  • Creates script elements dynamically
  • Captures keystrokes
  • Monitors form inputs
  • Uses postMessage for cross-origin comms
  • Sets up event listeners

External Connections

momentjs.com, support.google.com, www.apache.org, dl.google.com, accounts.google.com, secureconnect-pa.mtls.clients6.google.com, play.google.com, opensource.org, paulirish.com, my.opera.com, www.google.com, secureconnect-pa.corp.google.com, +3 more

Package Contents

38 files · 2.9MB

📁 _locales 8KB
  📁 en 8KB
    {} messages.json 8KB
📁 css 644KB
  📁 material_icons 127KB
    🔤 MaterialIcons-Regular.woff2 127KB
    🎨 material_icons.css 536B
  📁 roboto 517KB
    🔤 Roboto-Black.woff2 64KB
    🔤 Roboto-Bold.woff2 63KB
    🔤 Roboto-BoldItalic.woff2 69KB
    🔤 Roboto-Italic.woff2 69KB
    🔤 Roboto-Light.woff2 63KB
    🔤 Roboto-Medium.woff2 64KB
    🔤 Roboto-Regular.woff2 63KB
    🔤 Roboto-Thin.woff2 61KB
    🎨 roboto.css 1KB
📁 googlelogo 3KB
  📁 2x 3KB
    🖼 googlelogo_color_84x28dp.png 3KB
🌐 background.html 139B
📜 background_service_worker.js 1.9MB (large)
🖼 icon_128_normal.png 2KB
🖼 icon_19_normal.png 383B
🖼 icon_19_severe.png 631B
🖼 icon_19_warning.png 618B
🖼 icon_38_normal.png 654B
🖼 icon_38_severe.png 1KB
🖼 icon_38_warning.png 1KB
🖼 icon_512_normal.png 10KB
🌐 iframe_sandbox.html 3KB
🎨 log.css 155B
🌐 log.html 1KB
📜 log_script.js 26KB
{} manifest.json 1KB
🎨 material_design_lite.css 149KB
📜 mdl_all_js_compiled.js 62KB (large)
🌐 offscreen.html 109B
📜 offscreen_script.js 24KB
🎨 options.css 432B
🌐 options.html 2KB
📜 options_script.js 32KB
🎨 popup.css 3KB
🌐 popup.html 5KB
📜 popup_script.js 26KB

What This Extension Does

The Endpoint Verification extension allows Google Workspace administrators to view laptop and desktop status, including OS, device, and user information. It's designed for productivity and workflow management. With over 7 million users, it's a popular tool for IT administrators.

Permissions Explained

  • cookies (expected): This permission allows the extension to access cookies stored on your device.
    Technical: The extension can read and write cookies using the chrome.cookies API. This could potentially allow unauthorized access to sensitive data if compromised.
  • idle (expected): This permission allows the extension to monitor your device's idle state.
    Technical: The extension can use the chrome.idle API to detect when you're away from your device. This could potentially be used for malicious purposes if exploited.
  • nativeMessaging (check this): This permission allows the extension to communicate with native applications on your device.
    Technical: The extension uses the chrome.runtime.connectNative API to interact with native apps. This is a critical risk as it could allow unauthorized access to sensitive data if compromised.
  • storage (expected): This permission allows the extension to store and retrieve data on your device.
    Technical: The extension uses the chrome.storage API to store and retrieve data. This could potentially be used for malicious purposes if exploited.
  • alarms (expected): This permission allows the extension to schedule alarms on your device.
    Technical: The extension uses the chrome.alarms API to schedule tasks. This is a medium risk as it could potentially be used for malicious purposes if exploited.
  • enterprise.deviceAttributes (check this): This permission allows the extension to access device attributes on your device.
    Technical: The extension uses the chrome.enterprise.deviceAttributes API to access device information. This is a high risk as it could allow unauthorized access to sensitive data if compromised.
  • enterprise.platformKeys (check this): This permission allows the extension to access platform keys on your device.
    Technical: The extension uses the chrome.enterprise.platformKeys API to access platform keys. This is a high risk as it could allow unauthorized access to sensitive data if compromised.
  • gcm (expected): This permission allows the extension to use Google Cloud Messaging (GCM) on your device.
    Technical: The extension uses the chrome.gcm API to send and receive messages. This is a medium risk as it could potentially be used for malicious purposes if exploited.
  • identity (expected): This permission allows the extension to access your identity on your device.
    Technical: The extension uses the chrome.identity API to access user information. This is a medium risk as it could potentially be used for malicious purposes if exploited.
  • identity.email (expected): This permission allows the extension to access your email address on your device.
    Technical: The extension uses the chrome.identity API to access user information. This is a medium risk as it could potentially be used for malicious purposes if exploited.
  • platformKeys (check this): This permission allows the extension to access platform keys on your device.
    Technical: The extension uses the chrome.platformKeys API to access platform keys. This is a high risk as it could allow unauthorized access to sensitive data if compromised.
  • enterprise.reportingPrivate (check this): This permission allows the extension to access private reporting on your device.
    Technical: The extension uses the chrome.enterprise.reportingPrivate API to access private reporting. This is a high risk as it could allow unauthorized access to sensitive data if compromised.
  • offscreen (expected): This permission allows the extension to run in the background on your device.
    Technical: The extension uses the chrome.offscreen API to run in the background. This is a medium risk as it could potentially be used for malicious purposes if exploited.
  • *://*.google.com/* (expected): This permission allows the extension to access Google services on your device.
    Technical: The extension uses the chrome.identity API to access user information. This is a medium risk as it could potentially be used for malicious purposes if exploited.

Your Data

The extension accesses device attributes, platform keys, and private reporting on your device. It also sends data to Google services, including accounts.google.com and secureconnect-pa.mtls.clients6.google.com.

Technical Details

The extension contacts the following domains: momentjs.com, support.google.com, www.apache.org, dl.google.com, accounts.google.com, secureconnect-pa.mtls.clients6.google.com, play.google.com, opensource.org, paulirish.com, my.opera.com, www.google.com, and secureconnect-pa.corp.google.com. It uses the Fetch API to send data and sets up event listeners to monitor form inputs.

Code Findings

Potential XSS Vector (Medium)

The extension assigns innerHTML directly, which could potentially lead to a cross-site scripting (XSS) attack.

Technical: The extension uses the following code pattern: element.innerHTML = data;. This is a medium risk as it could allow an attacker to inject malicious scripts if exploited.

💡 This pattern is commonly used in legitimate extensions for rendering HTML content.

Keystroke Capture (Critical)

The extension captures keystrokes on your device, which could potentially be used to steal sensitive information.

Technical: The extension uses the following code pattern: chrome.commands.onCommand.addListener(function(command) { ... });. This is a critical risk as it allows the extension to capture keystrokes and potentially steal sensitive data if exploited.

💡 This pattern is commonly used in legitimate extensions for keyboard shortcuts.

Cross-Origin Communication (Medium)

The extension uses postMessage to communicate with other origins, which could potentially be used for malicious purposes if exploited.

Technical: The extension uses the following code pattern: window.postMessage(data);. This is a medium risk as it allows the extension to communicate with other origins and potentially exploit vulnerabilities if compromised.

💡 This pattern is commonly used in legitimate extensions for communication between web pages.

Bottom Line

The Endpoint Verification extension has several security concerns, including a potential XSS vector, keystroke capture, and cross-origin communication. While it's designed to provide productivity and workflow management features, its permission scope exceeds what's necessary for its stated purpose. We recommend users exercise caution when installing this extension and carefully review the permissions and code behavior before granting access.
