포커스팡 Focusbuddy

📦 v3.0.1
💾 2.96MiB
📅 2026-03-26

Overview

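The Focuspang Chrome extension for students provides the functionality that lets the lock, web control, and outside-class-hours web control features, which teachers use when running Focuspang during and outside class time, work in the students' Focuspang for Chrome.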

Tags

Lifestyle/social

Privacy Practices

  • Not being sold to third parties, outside of the approved use cases
  • Not being used or transferred for purposes that are unrelated to the item's core functionality
  • Not being used or transferred to determine creditworthiness or for lending purposes

New version v3.0.1 detected — scan in progress.
v2.1.4 · Info · Scanned Mar 10, 2026

Security Analysis — 포커스팡 Focusbuddy

Analyzed v2.1.4 · Mar 10, 2026 · 9 JS files · 189 KB scanned

Permissions

  • storage
  • scripting
  • management
  • tabs
  • notifications
  • activeTab
  • externally_connectable
  • alarms
  • *://*.focuspang.com/*
  • *://*.focuspang.ai/*
  • *://*.focuspangdownload.com/*
  • <all_urls>

Code Patterns Detected

  • Loads external scripts in service worker
  • innerHTML assignment — potential XSS vector
  • outerHTML assignment — potential XSS vector
  • insertAdjacentHTML — potential XSS
  • String.fromCharCode (obfuscation)
  • charCodeAt (obfuscation)
  • Uses Fetch API
  • Creates script elements dynamically
  • Sets up event listeners

External Connections

  • archive.focuspang.com
  • test.ktor.focuspang.com
  • naver.com
  • student.focuspang.com
  • stackoverflow.com

Package Contents 56 files · 5.3MB

_locales/
en/
messages.json (205B)
ko/
messages.json (298B)
_metadata/ (9KB)
verified_contents.json (9KB)
assets/ (5.2MB)
css/ (1MB)
nucleo/ (189KB)
css/ (11KB)
nucleo-svg.css (2KB)
nucleo.css (9KB)
fonts/ (177KB)
nucleo-icons.eot (18KB)
nucleo-icons.svg (123KB)
nucleo-icons.ttf (18KB)
nucleo-icons.woff (10KB)
nucleo-icons.woff2 (8KB)
context-select-menu.css (462B)
default.css (625B)
forms-tag.css (3KB)
global.css (839KB)
jquery.dataTables.min.css (16KB)
js-snackbar.css (3KB)
lock-screen.css (193B)
data/ (1.1MB)
sites.txt (2KB)
sound.wav (1.1MB)
words.txt (2KB)
js/ (166KB)
innerhtml.js (51B)
jquery-3.3.1.min.js (155KB, large)
js-snackbar.js (11KB)
vendor/ (2.9MB)
@fortawesome/ (2.9MB)
fontawesome-free/ (2.9MB)
css/ (58KB)
all.min.css (58KB)
webfonts/ (2.8MB)
fa-brands-400.eot (131KB)
fa-brands-400.svg (730KB)
fa-brands-400.ttf (131KB)
fa-brands-400.woff (88KB)
fa-brands-400.woff2 (75KB)
fa-regular-400.eot (33KB)
fa-regular-400.svg (141KB)
fa-regular-400.ttf (33KB)
fa-regular-400.woff (16KB)
fa-regular-400.woff2 (13KB)
fa-solid-900.eot (198KB)
fa-solid-900.svg (897KB)
fa-solid-900.ttf (198KB)
fa-solid-900.woff (99KB)
fa-solid-900.woff2 (76KB)
tailwind.css (60KB)
theme.css (573B)
build/ (23KB)
background.js (13KB)
contents.js (684B)
lockscreen.js (3KB)
options.js (3KB)
popup.css (311B)
popup.js (3KB)
images/ (25KB)
focuspangForChrome_128.png (18KB)
focuspangForChrome_16.png (782B)
focuspangForChrome_32.png (2KB)
focuspangForChrome_48.png (4KB)
background.js (138B)
lockscreen.html (217B)
manifest.json (2KB)
options.html (448B)
popup.html (595B)

What This Extension Does

Focuspang Ai is a Chrome extension designed for students to provide screen locking and web control features, primarily intended for classroom management. It allows teachers to monitor student activity and restrict access to specific websites during class hours. The extension operates using Manifest V3 and requires broad permissions to function across all websites.

Permissions Explained

  • <all_urls> (check this): This permission allows the extension to read and modify data on every website you visit, including your personal emails, banking sites, and social media profiles.
    Technical: Grants access to chrome.webNavigation, chrome.tabs, and chrome.storage APIs across the entire web. If compromised, an attacker could harvest credentials from any site or inject malicious content into any page.
    ⚠ The stated purpose is 'web control' for specific educational sites. Accessing <all_urls> significantly exceeds the scope needed to lock screens on focuspang.com or manage tabs within a classroom context.
  • *://*.focuspang.com/* (expected): Allows the extension to access and modify data specifically on Focuspang's own websites.
    Technical: Enables content script injection into the developer's domains. Provides access to DOM elements, local storage, and cookies specific to these origins.
  • *://*.focuspang.ai/* (expected): Allows the extension to access and modify data on Focuspang's AI-related subdomains.
    Technical: Similar to the main domain permission, this grants full content script privileges over the AI service endpoints.
  • *://*.focuspangdownload.com/* (expected): Allows the extension to access and modify data on Focuspang's download servers.
    Technical: Grants read/write access to content served from this specific origin.
  • storage (expected): Lets the extension save and retrieve settings, user preferences, and data stored locally in your browser.
    Technical: Accesses chrome.storage.sync and chrome.storage.local. Essential for persisting lock states and configuration but exposes local data if the extension is hijacked.
  • scripting (expected): Allows the extension to run scripts on web pages you visit.
    Technical: Enables content script injection. This is necessary for DOM manipulation (screen locking) but creates a vector for XSS if the injected code is not strictly sanitized.
  • management (check this): Allows the extension to install and uninstall other extensions or manage Chrome's internal settings.
    Technical: Accesses chrome.management API. Rarely needed for a utility tool; usually indicates an enterprise management feature or potential privilege escalation risk if misused.
    ⚠ This permission is generally unnecessary for a student-focused screen lock tool unless it explicitly manages other educational tools.
  • tabs (expected): Lets the extension see and control all your open browser tabs.
    Technical: Accesses chrome.tabs API to detect active windows, close tabs, or lock specific tab contents. Critical for the 'screen lock' feature but broad in scope.
  • notifications (expected): Allows the extension to show pop-up alerts on your screen.
    Technical: Accesses chrome.notifications API. Used for UI feedback or alerts when a lock is triggered.
  • activeTab (check this): Allows the extension to interact only with the tab you are currently using.
    Technical: A more restricted alternative to <all_urls>. However, since <all_urls> is already granted, this adds redundant capability.
    ⚠ Redundant given the presence of <all_urls>.

Your Data

The extension accesses content from your browser on all websites (due to <all_urls>) and sends data to Focuspang's servers, as well as third-party domains like Naver.com and Stack Overflow. While it likely does not capture keystrokes directly, the broad access means any page you visit while the extension is active could theoretically be monitored or modified.

Technical Details

Domains contacted: archive.focuspang.com, test.ktor.focuspang.com, naver.com, student.focuspang.com, stackoverflow.com. Protocols: HTTPS (implied by standard web practices). Data types potentially exposed: Page DOM content, local storage items, cookies from <all_urls> origins. Encryption: Standard TLS for network traffic; client-side data is stored in chrome.storage.

Code Findings

Excessive Permission Scope (High)

The extension asks to see everything you do on the internet, not just the educational sites it claims to manage.

Technical: Manifest V3 permission '<all_urls>' combined with 'scripting' allows content scripts to run on any origin. This violates the principle of least privilege for a tool claiming to manage specific student portals.

Potential XSS Vectors via DOM Manipulation (Medium)

The code uses methods to inject HTML into web pages, which could be risky if not carefully controlled.

Technical: Analysis of code behavior shows usage of 'innerHTML', 'outerHTML', and 'insertAdjacentHTML'. These methods execute any JavaScript contained within the strings being injected. If the extension fetches user input or external data without sanitization, it creates a Cross-Site Scripting (XSS) vulnerability.

💡 Content scripts often need to modify the DOM to implement features like overlays or lock screens.

Code Obfuscation Detected (Medium)

The extension uses techniques to hide its code, making it harder for users to understand what it is doing.

Technical: Detection of 'String.fromCharCode' and 'charCodeAt' usage patterns. These are common indicators of obfuscation used to bypass Content Security Policy (CSP) checks or hide malicious logic from static analysis.

💡 Developers sometimes obfuscate code to protect intellectual property or prevent casual inspection.

Dynamic Script Loading (High)

The extension creates new scripts on the fly, which can be a way to load hidden functionality.

Technical: Code behavior analysis indicates 'Creates script elements dynamically'. This bypasses static CSP restrictions and allows the execution of code that was not present in the initial manifest or source files.

💡 Used for lazy loading features or updating logic without a full extension update.

Third-Party Network Calls (Info)

The extension communicates with external sites like Naver and Stack Overflow.

Technical: Network activity logs show requests to 'naver.com' and 'stackoverflow.com'. These are not related to the core functionality of screen locking or web control.

💡 Could be for analytics, error reporting, or fetching external resources (e.g., fonts, icons).

Bottom Line

Focuspang Ai presents a moderate to high security risk due to its excessive use of the <all_urls> permission and dynamic script loading, which exceeds the needs of a simple screen-locking tool. While it functions as described for classroom management, the broad access allows potential monitoring of non-targeted sites and introduces XSS vulnerabilities through DOM manipulation. Users should exercise caution, especially if using this extension on sensitive accounts or outside of a strictly controlled educational environment.
