Unfugly
Overview
Revamp your Academia with a unified dashboard and Auto-generates a downloadable timetable
Security Analysis — Unfugly
Package Contents 21 files · 448KB
What This Extension Does
The Unfugly extension, with 210 users, claims to make Chrome more customizable but lacks a description. It has access to sensitive data and network activity.
Permissions Explained
- storage (expected): This permission allows the extension to store and retrieve data on your device.
  Technical: The extension can read and write data in Chrome's storage, potentially exposing user data if compromised. The 'storage' API provides access to local storage, which can be used for storing sensitive information such as login credentials or personal data.
- https://academia.srmist.edu.in/* (check this): This permission allows the extension to access specific websites, potentially enabling features like auto-login or data synchronization.
  Technical: The extension has access to the specified domain's resources, which may include sensitive information such as user credentials or personal data. This could be used for unauthorized access or data exfiltration if compromised. ⚠ 1
- https://creatorapp.zoho.com/srm_university/* (check this): This permission allows the extension to access specific websites, potentially enabling features like auto-login or data synchronization.
  Technical: The extension has access to the specified domain's resources, which may include sensitive information such as user credentials or personal data. This could be used for unauthorized access or data exfiltration if compromised. ⚠ 1
- https://unfugly-backend.onrender.com/* (check this): This permission allows the extension to communicate with a remote server, potentially enabling features like cloud synchronization or data backup.
  Technical: The extension can send and receive data from the specified domain's server, which may include sensitive information such as user credentials or personal data. This could be used for unauthorized access or data exfiltration if compromised. ⚠ 1
Your Data
The extension accesses storage on your device and sends data to the following domains: academia.srmist.edu.in, creatorapp.zoho.com/srm_university/, unfugly-backend.onrender.com.
Technical Details
Code Findings
This finding indicates that the extension may be vulnerable to cross-site scripting (XSS) attacks, which could allow malicious code to execute on your device.
Technical: The extension uses innerHTML assignment in its content script, which can lead to XSS vulnerabilities if user input is not properly sanitized. This could result in unauthorized access or data exfiltration if an attacker injects malicious code.
💡 innerHTML assignment is commonly used for dynamic content rendering in legitimate extensions.
This finding indicates that the extension uses obfuscation techniques, which can make it harder to analyze or debug the code.
Technical: The extension uses charCodeAt() function in its JavaScript files, which is often used for string manipulation and encoding. However, in this context, it may be used for obfuscating code or hiding malicious intent.
💡 charCodeAt() is a legitimate function for string manipulation in JavaScript.
This finding indicates that the extension uses modern web APIs to make network requests, which can improve performance and security.
Technical: The extension uses the Fetch API for making HTTP requests, which is a secure and efficient way to communicate with remote servers. However, this does not necessarily indicate any security concerns.
💡 Fetch API is commonly used in modern web applications for network requests.
This finding indicates that the extension monitors changes to your device's storage, which can be used for tracking user activity or detecting sensitive data.
Technical: The extension uses Chrome's storage API to monitor changes to local storage, which can be used for tracking user activity or detecting sensitive data. This could result in unauthorized access or data exfiltration if an attacker exploits this capability.
💡 Monitoring storage changes is commonly used in legitimate extensions for features like auto-login or data synchronization.
This finding indicates that the extension creates iframe elements, which can be used to load external content or track user activity.
Technical: The extension uses document.createElement('iframe') in its content script, which can create new iframe elements. This could result in unauthorized access or data exfiltration if an attacker exploits this capability.
💡 Creating iframe elements is commonly used in legitimate extensions for features like auto-login or data synchronization.
Based on the findings, we recommend exercising caution when using the Unfugly extension. While it has some legitimate uses, its potential vulnerabilities and data exposure raise concerns about user security. We suggest users carefully review their permissions and consider alternative extensions for customization.