Google Meet Breakout by Robert Hudek
๐ Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Blocks unwanted distractions during Google Meet sessions with Google Meet Breakout By R, a free Chrome extension that lets teachers control breakout rooms and integrates seamlessly with Google Classroom, providing a private and distraction-free learning environment for students. Benefits most educators who want to streamline their virtual classroom experience without compromising on data security or user privacy.
Overview
Welcome to Google Meet Breakout Rooms Extension
***** Only the teacher needs to install this extension. *****
***** Please do not ask your students to install it, as they will not use it ****
Three Minute Demonstration: https://youtu.be/HY5eZw-gsKU
Full feature demo: https://youtu.be/MyiKG35I7Rc
NEW Feature: Practice using the Extension on your own computer by simulating students, perfect for teachers to rehearse before going live.https://youtu.be/QMurrSyCPmY
The Google Meet Breakout Rooms Extension has 5 key features:
1) See All Students: The teacher can always see ALL of the students in ALL of the breakout rooms.
2๏ผFree: The extension is completely free to use. I am a software engineer and created this for my personal use as a teacher and then improved it for all teachers to use. I make no money off of this extension, there are no ads, and no data is shared with me or any third parties.
3) Private: Your breakout rooms data is privately stored in your personal computer's chrome browser. Your breakout rooms data is NOT shared with anyone and it is NOT stored on a server. Even the creator of this extension has no knowledge of any of your data.
4) Hassle-free: Only the teacher needs to install this extension. Please do not ask your students to install it, as they wonโt need to use it. The extension is only for the teacher, and it will not affect the students in any way. Students will continue to use Google Meet as they normally do.
5) Online Help: The online help menu is completely updated and now has screen shots of every step of the way for setup and operation.
*** 3 minute demo video https://www.youtube.com/watch?v=HY5eZw-gsKU
*** Tutorial https://www.youtube.com/watch?v=mLag62gSUMY
This software is created by Robert Hudek and all rights are reserved. No part of this extension may be copied without the express written consent of Robert Hudek at Hudek Tech LLc. This extension is not affiliated with Google, Inc.
Functions:
1) Breakout rooms may be viewed in either tab or tiled mode
2) A slider may be used to quickly move between rooms
3) Breakout assignments may be created at any time or in advance if desired
4) Teachers may broadcast their video and audio to all the breakout rooms
5) Customize themes!
6) Can use Google Meet Nicknames (if your Google subscription supports nicknames)
7) Basic reporting
8) Mute and Remove Students buttons
9) Import, Export functions
10) Google classroom integration
*** Slovak: A big thank you to Lenka Zustiakovรก from SOล GaHS, Farskรฉho 9 in Petrลพalka (www.farskeho.sk) for the translation into Slovak.
*** Ukrainian: A big thank you to Igor Kozachuk (email: disk.igor@gmail.com) for the translation into Ukrainian
*** If you want a translation of this extension to your language, please send me an email and I will be happy to work with you to get this done. My email is robert@hudektech.com. I would like to add Spanish, Portuguese, German, Japanese, and Korean but any language is fine with me.
*** ไธญๆ็็่ชชๆๆไฝๅฝฑ็ (version 17.3)๏ผhttps://youtu.be/5oGmIL3pmP4
*** ๆ่ฃฝไฝไบๅฝฑ็็ๆฌ๏ผversion 17.3) ๅพ๏ผ็ผ็พไบ Grid Meet (fix) ๅฅฝๅๆๅ้ก๏ผๆไปฅๆไธๅปบ่ญฐไธ่ผๅฎ๏ผ่ฆไธ็ถ่ฝ็จgoogle meet ๆฌ่บซ็ๅ่ฝใ็จgoogle meet ๅๆฌ็ๅ่ฝ๏ผๅจ่จญๅฎ๏ผ่ฎๆด็้ข้ ็ฝฎ๏ผ้ธไธฆๆ๏ผๆๅฐ49ไบบ
*** Low Memory (RAM) Option explained in detail https://youtu.be/tKkSSghEyuo
*** This extension is owned and developed by Robert Hudek. This extension is independent from Google and is not owned by or part of Google or Google Meet. This extension is designed to enhance and extend the functionality of Google Meet.
*** If you find a problem please inform me at robert@hudektech.com and I will try my best to reply as soon as I can.
Data Privacy:
I have a detailed data privacy section on my web page, but the short version is that I do not copy, transmit or share any of your data with anyone including myself. I also do not use cookies, nor do I drop third party cookies on you.
Warranty and Guarantee:
There is no warranty and there is no guarantee for this extension. I have a
detailed warranty (none) and guarantee (none) description on my web page but the short version is this: By using this Extension, you understand and agree that the Extension is provided "as is" and "as available".
The developer Robert Hudek EXPRESSLY DISCLAIMS ALL WARRANTIES AND CONDITIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
Tags
Privacy Practices
Security Analysis
Permissions
Code Patterns Detected
External Connections
Package Contents 143 files ยท 6.3MB
What This Extension Does
This extension adds breakout room management features to Google Meet for teachers, allowing them to view and control student groups during meetings.
Permissions
- storageexpected: Lets the extension save data locally on your computer, like settings or room assignments. This is normal for extensions that remember user preferences.
- activeTabexpected: Allows the extension to interact with the currently active browser tab โ useful for modifying content in Google Meet without needing access to other tabs.
- contextMenusexpected: Enables custom menu items in the browser context menu when using Google Meet โ for example, adding shortcuts or actions directly from right-clicking on a meeting page.
- downloadsexpected: Allows the extension to download files from your computer โ for example, exporting breakout room data or logs. This is standard functionality in productivity tools.
- scriptingexpected: Enables the extension to inject JavaScript into web pages โ necessary for modifying Google Meetโs interface and functionality in real time.
- https://g.co/meet/*expected: Gives the extension permission to access Google Meet URLs โ required since it modifies how meetings work and interacts with the platform directly. โ 1
- https://*.google.com/*check this: Grants access to all Google domains โ needed for integration with services like Classroom and authentication flows, but raises concerns about broad scope. โ 1
Your Data
The extension stores information about breakout rooms locally on your device and may send some data to external servers for updates or support. It does not share personal details with third parties unless explicitly requested.
Code Findings
The extension uses a method that can insert HTML content into web pages โ which is risky if the inserted code comes from an untrusted source.
๐ก Common in extensions that modify page UI by injecting dynamic HTML components, especially when building interactive dashboards or controls.
The extension assigns content directly to an element's innerHTML property โ which can be dangerous if the assigned value is not properly escaped.
๐ก Standard practice for updating UI elements dynamically; however, it must be done carefully with sanitized inputs.
The extension makes network calls to external servers โ which is normal but should always use secure connections.
Trustworthiness
- Developer: Developer listed as Robert Hudek from Hudek Tech LLC; website exists at www.hudektech.com and includes contact info.
- Privacy Policy: A privacy policy is referenced but not included directly in the scan data. Based on developer claims, it should cover local storage usage and non-sharing of user data with third parties.
- Install Base: Installed by 300,000 users with recent updates suggesting ongoing maintenance.
This extension appears consistent with its purpose, but the broad network permissions (especially access to all Google domains) mean users should be cautious about installing it if they're concerned about data exposure beyond what's necessary for managing breakout rooms.
Extension Overview
This extension adds breakout room management features to Google Meet for teachers, allowing them to view and control student groups during meetings.
Permissions
- storageexpected: Grants access to Chrome's
chrome.storageAPI which allows persistent storage of key-value pairs in the browserโs local storage area. An attacker could potentially read or modify stored data if they gain control over the extension, including sensitive session information or configuration details. - activeTabexpected: Provides read/write access to the current tab via
chrome.tabsandchrome.scriptingAPIs. It can inject scripts into the active tab, execute code on it, or retrieve its URL/content. If compromised, this permission allows an attacker to manipulate content in real-time within Meet sessions. - contextMenusexpected: Exposes
chrome.contextMenusAPI which allows creation of menus that appear when users right-click within pages matching specified patterns. This could be used to inject malicious behavior into user workflows if misused by an attacker with elevated privileges. - downloadsexpected: Grants access to
chrome.downloadsAPI enabling file downloads and management within Chrome. If misused, it could allow downloading of sensitive local files or executing arbitrary downloads based on user interaction with the extension UI. - scriptingexpected: Provides access to
chrome.scriptingAPI, allowing injection of scripts into specified origins (like meet.google.com). This is essential for content modification but also opens up potential attack vectors if injected code contains vulnerabilities or is manipulated by an attacker. - https://g.co/meet/*expected: Permits network access to all subdomains under g.co/meet, including potential interception or modification of requests made during a meeting. If compromised, this could allow an attacker to monitor or alter communication between users in Google Meet rooms. โ 1
- https://*.google.com/*check this: Allows network-level access across any subdomain of google.com including accounts.google.com, classroom.google.com, etc. This is a high-risk permission because it enables potential interception or manipulation of sensitive data such as login tokens, meeting IDs, or user identities during authentication flows or meetings. โ 1
Data Exposure (Technical)
Accesses multiple domains including meet.google.com, g.co, accounts.google.com, classroom.google.com, hudektech.github.io, www.hudektech.com, stackoverflow.com, popper.js.org, bugzilla.mozilla.org, github.com, and stackpath.bootstrapcdn.com. Data transmitted includes potentially identifying metadata related to breakout room assignments or user actions within Meet sessions. No evidence of encryption for outbound traffic is present in the manifest; some endpoints are HTTP rather than HTTPS.
Code Findings
Detected usage of document.write() in one or more JavaScript files, typically used to dynamically inject HTML. This pattern poses a risk for cross-site scripting (XSS) vulnerabilities if input values are not sanitized before insertion into DOM elements like innerHTML or directly via document.write(). The injection occurs within content scripts running on meet.google.com.
๐ก Common in extensions that modify page UI by injecting dynamic HTML components, especially when building interactive dashboards or controls.
Found instances where element.innerHTML = ... was used, indicating possible exposure to XSS attacks. These assignments occur in contexts that may receive user-provided or remote data without sanitization, particularly within content scripts operating on meet.google.com pages.
๐ก Standard practice for updating UI elements dynamically; however, it must be done carefully with sanitized inputs.
Detected outbound HTTP requests to domains like hudektech.com, github.io, and others. These are likely for fetching updates or support documentation. However, no HTTPS enforcement was observed in manifest or CSP policies, raising concerns about data interception risks.
Code Analysis
- Obfuscation: Code appears to be minified but not heavily obfuscated; identifiers have been shortened and whitespace removed, which is typical for production builds.
- Content Security Policy: No Content Security Policy (CSP) header was found in the extension manifest or injected scripts. This leaves the extension vulnerable to XSS attacks due to lack of restrictions on inline script execution or external resource loading.
- Architecture: Built as a Manifest V3 extension with background service worker and content scripts injected into meet.google.com pages. Uses chrome.scripting API for dynamic injection, which is standard for this type of tool. No anomalies detected in manifest structure.
Transparency
- Developer: Developer listed as Robert Hudek from Hudek Tech LLC; website exists at www.hudektech.com and includes contact info.
- Privacy Policy: A privacy policy is referenced but not included directly in the scan data. Based on developer claims, it should cover local storage usage and non-sharing of user data with third parties.
- Code Visibility: Source code appears to be bundled/minified rather than publicly available for independent review; this limits transparency and auditability.
- Install Base: Installed by 300,000 users with recent updates suggesting ongoing maintenance.
The extension exposes a significant attack surface through high-risk permissions like https://*.google.com/* and lacks a Content Security Policy, increasing the risk of XSS or man-in-the-middle attacks. The use of document.write() and innerHTML assignments in content scripts indicates potential vulnerabilities that could be exploited if user input is not properly sanitized. While most behavior aligns with stated functionality, further manual inspection would be needed to confirm whether data handling practices meet privacy claims.