Rss Subscription Extensio
Overview
Adds one-click subscription to your toolbar.
Package Contents: 61 files · 466KB
What This Extension Does
This extension adds one-click subscription to your toolbar and allows you to easily subscribe to RSS feeds.
Permissions vs. Purpose
- tabs (expected): Allows the extension to interact with web pages in your browser, including reading and modifying their content.
- storage (expected): Enables the extension to store data locally on your device, such as subscription settings or feed information.
- scripting (expected): Allows the extension to run JavaScript code in the context of web pages you visit, which can be used for dynamic UI elements and other functionality.
- http://*/* (check this): Gives the extension permission to make HTTP requests to any website, which could potentially allow it to access sensitive information or transmit data without user consent.
- https://*/* (check this): Similar to http://*/*, but for HTTPS websites. This is a broad permission that could be used for legitimate purposes, but also raises concerns about potential misuse.
Data Exposure
This extension can access user data stored in web pages and make requests to any website. It sends data to external domains including github.com, www.ecma-international.org, www.newsblur.com, add.my.yahoo.com, feedly.com, www.inoreader.com, theoldreader.com. Some of these transmissions appear to use insecure channels.
Code Behavior Findings
The extension uses eval(), which can execute arbitrary code and potentially allow malicious scripts to run in the context of web pages you visit.
eval() is sometimes used for dynamic UI elements or other functionality, but it's generally considered a security risk due to its potential for abuse.
This usage could be related to the extension's need to dynamically render RSS feed information in the browser.
The extension makes HTTP requests to external domains, which can potentially allow it to access sensitive information or transmit data without user consent.
Making HTTP requests is a common practice for extensions that need to fetch data from external sources, such as RSS feeds.
Transparency Indicators
The developer is not identified. The code does not appear to be heavily obfuscated beyond normal bundling. There is no content security policy in place. The extension has an install base of 400,000 users and the latest version (2.2.9) was released recently.
This scan found some concerning behavior, including the use of eval() and broad permissions that could be used for malicious purposes. Users should exercise caution when installing this extension and consider reviewing its permissions and code before granting it access to their browser.