Vidyard - Screen Recorder & Screen Capture
Lets you capture your screen, share your video and track who's watching it, making it a valuable asset for marketers, sales teams and customer support professionals looking to create engaging content and analyze its performance.
Overview
Record your screen or webcam, share your video, and track who's watching it! This screen recorder for Chrome is built to help you sell better. Easily record your webcam, screen, or both in just a few clicks. Share your video with a link and track when your videos get watched.
From prospecting to proposals, Vidyard's screen recorder makes it easy to connect with more leads, qualify for better opportunities, and close more deals with personalized video.
KEY FEATURES
- Record your screen directly from your browser
- Use AI to write personalized scripts at scale
- Easily share your video link through email, social media, and more
- Get notified whenever someone views your video
- Manage all your Vidyard videos in one place, across devices and teams
- Integrate Vidyard videos with the sales tools your team already uses
OVER 12 MILLION PEOPLE CHOOSE VIDYARD
From HubSpot, Microsoft, LinkedIn, Marketo, Salesforce, and more, Vidyard is the video creation tool built to help sales teams sell better.
Screen Recorder
- Record your screen to create HD sales videos
- Record videos wherever you are with Vidyard's iOS, Android, and desktop apps
- Use AI to write speaker notes and deliver your message with confidence
- Access on-screen drawing tools to highlight important information and drive your message home
Edit Your Videos
- Trim your videos to remove unwanted footage
- Stitch multiple videos together into one, so you don't have to master the perfect single take
- Choose an animated thumbnail from your footage
Share Your Videos Everywhere
- Share a link to your video via email, social, or however you communicate for free: no downloads or attachments
- Embed videos for inline playback on your website, blog, landing pages, and more
- Easily share videos to Facebook, Twitter, and LinkedIn with just a couple of clicks
Measure Video Success
- Get notified whenever anyone watches your videos
- Track engagement to see who's watching your videos and for how long
- Integrate Vidyard with your CRM to quantify video pipeline, revenue, and ROI
Vidyard is the Video Platform Built for Sales
From easy video creation to powerful video analytics; from small business to enterprise. Vidyard's free screen recording platform has all the features your business needs to connect with your audience, drive engagement, and delight your customers, wherever they are.
About Vidyard
Vidyard is the leading video platform for salespeople. More than 250,000 companies use its video messaging and video hosting tools to engage their customers and prospects more effectively.
(Please note, this extension was previously named Vidyard GoVideo.)
Package Contents: 195 files · 79.5MB
What This Extension Does
This extension records your screen and webcam to create personalized sales videos, which can be shared and tracked for engagement.
Permissions
- storage (expected): Lets the extension save settings or data locally on your computer. A user might care if they're concerned about privacy of their browsing habits or personal information stored by extensions.
- tabs (expected): Allows the extension to view and interact with your open browser tabs. This is needed if it wants to record specific pages or inject scripts into them.
- webNavigation (expected): Enables the extension to track when you navigate between web pages. Useful for logging video engagement but could also log sensitive navigation behavior.
- scripting (expected): Lets the extension inject JavaScript into web pages. This is necessary for screen recording functionality but could also allow unauthorized code execution.
- notifications (expected): Allows the extension to show pop-up messages in your browser. This is used for alerts like when someone views a video.
- activeTab (expected): Gives the extension access to the currently active tab only when triggered by user action (like clicking a button). This is standard and generally safe.
- offscreen (expected): Enables the extension to run background tasks even when no visible UI is present. Needed for recording screen or audio in the background.
- system.display (expected): Used to access display information such as resolution or monitor count. Necessary if the extension needs to record multiple screens.
- alarms (expected): Enables scheduling background tasks at specific intervals. May be used to periodically check video analytics or sync data.
- tabGroups (expected): Allows grouping and managing tabs together. This is likely used for organizing video-related tasks but doesn't pose a direct risk.
- downloads (expected): Permits the extension to download files directly from the internet into your browser's downloads folder.
- <all_urls> (check this): Gives the extension broad permission to interact with any website you visit. This is a major concern because it allows access to all web traffic, including private information.
Your Data
The extension can access and send data to several external servers, including Vidyard's own services and analytics providers. It may collect information about your browsing behavior or video interactions.
Code Findings
The code uses innerHTML to insert content into web pages. This can be risky if that inserted content comes from an untrusted source, as it might allow attackers to run malicious scripts.
Note: Common practice in extensions that modify page content dynamically based on user actions or data fetched from APIs.
The extension makes network requests to external servers. This is normal for an app that uploads videos and tracks analytics, but it's worth noting.
The extension listens to keyboard events, which could be used to capture keystrokes or track user input, a potential privacy concern.
Trustworthiness
- Developer: Developer name is not listed in the scan data; no clear indication of company or support links.
- Privacy Policy: No privacy policy was found during scanning. This raises concerns about how user data may be handled, especially given the wide permissions and access to sensitive sites like Gmail and LinkedIn.
- Install Base: Installed by 300,000 users. Recent updates suggest ongoing maintenance.
This extension appears consistent with its purpose, but the <all_urls> permission means it can access all websites you visit and potentially collect sensitive data from any site, including private emails or business documents. Users should carefully consider whether they trust this level of access before installing.
Extension Overview
This extension records your screen and webcam to create personalized sales videos, which can be shared and tracked for engagement.
Permissions
- storage (expected): Exposes Chrome's storage API allowing read/write access to extension-managed local storage (chrome.storage.local). An attacker could potentially extract saved credentials, session tokens, or usage patterns from this area. Not inherently risky unless misused for data exfiltration.
- tabs (expected): Grants access to chrome.tabs API including tab content, URL information, and ability to manipulate tabs (e.g., close, activate). Could be used by an attacker to monitor browsing activity or inject malicious code into active tabs.
- webNavigation (expected): Provides access to chrome.webNavigation API, which allows monitoring of page load events and URL changes across all tabs. Could be leveraged by an attacker to observe user activity or detect sensitive sites visited.
- scripting (expected): Grants access to chrome.scripting API, enabling injection of scripts into arbitrary tabs or frames. If misused, this can lead to full page compromise or data theft from targeted domains.
- notifications (expected): Exposes chrome.notifications API, which can display system-level notifications. While not directly harmful, could be abused for phishing or misleading UI prompts if combined with other permissions.
- activeTab (expected): Provides limited access via chrome.tabs API restricted to current tab. Only usable after direct user interaction, so low risk unless combined with other permissions.
- offscreen (expected): Allows creation of offscreen documents via chrome.offscreen API, useful for long-running processes like screen capture without needing a popup window.
- system.display (expected): Exposes chrome.system.display API, which provides details about connected displays and screen geometry. Could potentially be used for fingerprinting purposes.
- alarms (expected): Grants access to chrome.alarms API, allowing periodic execution of code in the background service worker. Could enable persistent tracking or automated actions if misused.
- tabGroups (expected): Provides access to chrome.tabGroups API, enabling tab organization features. No significant security implications unless combined with other permissions.
- downloads (expected): Grants access to chrome.downloads API, allowing file retrieval and saving. Could be misused for downloading malware or sensitive data if not properly controlled.
- <all_urls> (check this): Grants full read/write access to all URLs via chrome.declarativeNetRequest and content script injection capabilities. Allows interception of network requests, modification of page content, and potential data exfiltration from any site visited by the user. This permission is excessive for a screen recorder unless it's performing deep integration with many platforms.
Data Exposure (Technical)
External domains contacted include api.vidyard.com, secure.vidyard.com, s3.amazonaws.com, avatar.vidyard.com, auth.vidyard.com, extension-backend.vidyard.com, rollbar.com, heapanalytics.com, goodbye.vidyard.com, and sso.vidyard.com. Data transmitted likely includes cookies, page content (for injection), keystrokes during recording, video metadata, and potentially user identifiers or session tokens depending on how the extension handles authentication.
Code Findings
Detected use of innerHTML assignment in a content script or injected code context (e.g., document.body.innerHTML = ...). If the value being assigned is derived from user input or external sources, this creates a potential XSS vector. The risk depends on whether the source is static or dynamic and how it's sanitized.
Note: Common practice in extensions that modify page content dynamically based on user actions or data fetched from APIs.
Code generates HTTP(S) requests using fetch or XMLHttpRequest APIs targeting various domains including api.vidyard.com and s3.amazonaws.com. These are likely used for uploading recordings, syncing data, or retrieving configuration settings. No evidence of insecure protocols like plain HTTP was found.
Detected use of addEventListener('keydown', ...) in content scripts or background context. If this listener captures sensitive inputs like passwords or personal messages, it represents a significant risk for data theft. The extension may also be capturing global key combinations used to trigger screen recording features.
Code Analysis
- Obfuscation: Standard minification observed; no heavy obfuscation techniques such as control flow flattening or string encoding detected.
- Content Security Policy: Content Security Policy is present and restricts script execution within extension pages. It allows 'self' scripts and wasm-unsafe-eval, which may be acceptable for legitimate functionality but should still be reviewed carefully to ensure no unsafe inline code can execute.
- Architecture: Uses Manifest V3 architecture with background service worker and content scripts injected into specific domains (e.g., Gmail, LinkedIn). The extension appears designed around a modular approach where different parts of the UI are handled by distinct content scripts. However, <all_urls> permission implies broad access that isn't clearly justified for core functionality.
Transparency
- Developer: Developer name is not listed in the scan data; no clear indication of company or support links.
- Privacy Policy: No privacy policy was found during scanning. This raises concerns about how user data may be handled, especially given the wide permissions and access to sensitive sites like Gmail and LinkedIn.
- Code Visibility: Code appears bundled/minified with standard JavaScript compression techniques; not easily readable for independent auditing without decompilation tools.
- Install Base: Installed by 300,000 users. Recent updates suggest ongoing maintenance.
The presence of <all_urls> creates a high-risk surface area for potential misuse, especially when combined with content script injection capabilities and keyboard event listeners. The extension's architecture allows broad interception of network traffic and DOM manipulation across all domains, which could enable advanced persistent tracking or data exfiltration if exploited. While no direct evidence of malicious behavior was found, the risk profile is elevated due to excessive permissions and lack of transparency in developer identity or privacy policy.