Is EditThisCookie (V3) safe?

Analysis summary

This extension, EditThisCookie (V3), is a cookie management tool designed to give users control over their browser cookies. It is rated Medium risk due to its broad host permissions and sensitive data access capabilities, which could potentially be exploited for data exposure.

Key insights:

Intended for managing browser cookies, allowing users to add, delete, edit, and protect cookies for privacy and convenience.
Rated Medium due to broad host permissions (<all_urls>) and access to sensitive cookie data, which could lead to data exposure and privacy risks.
Utilizes APIs like chrome.cookies and chrome.tabs to manage cookies and interact with browser tabs, aligning with its declared functionality.
The extension's broad permissions and ability to interact with all websites exceed its core purpose, increasing the risk of cross-site surveillance and credential harvesting.
The transfer of ownership to a different publisher raises concerns about trustworthiness and potential changes in operational standards.

Findings

Transfer of Ownership

Flag items where ownership has been transferred to a different publisher, which may indicate compromise or changes in trustworthiness.

medium

Broad Host Permissions

Flags items that declare overly broad host access patterns, enabling interaction with all websites. This level of access can be exploited to inject scripts into trusted sites and increases the risk of sensitive data exposure, cross-site surveillance, and credential harvesting.

medium

Identity & Authentication Permissions

Flags items that request access to user identity or authentication flows. These capabilities may expose session credentials or login behavior, increasing the risk of impersonation, session hijacking, or unauthorized account access.

medium

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

This Chrome extension, EditThisCookie, is a cookie manager that allows users to add, delete, edit, search, protect, and block cookies. Its primary intention is to provide users with control over browser cookies for privacy and convenience.

Key Functionalities:

Uses the Chrome Extension APIs (chrome.cookies, chrome.tabs, chrome.contextMenus, chrome.runtime, etc.) to manage cookies and UI elements.
Listens for context menu clicks to show a popup for cookie management.
Handles communication with a devtools page for advanced cookie operations.
On installation or first run, opens a welcome page at https://editcookie.com/#start.
Periodically changes the extension icon based on the date (e.g., Christmas theme).
Implements logic to protect certain cookies from deletion and to block or shorten the lifespan of cookies based on user preferences.

API Calls:

Uses chrome.cookies.getAll, chrome.cookies.set, chrome.cookies.remove, and listens to chrome.cookies.onChanged for cookie management.
Uses chrome.tabs.create, chrome.tabs.update, and chrome.tabs.query for tab management.
Uses chrome.contextMenus to add/remove context menu items.
Uses chrome.runtime.onConnect, chrome.runtime.onInstalled, and chrome.runtime.getManifest for extension lifecycle events.

Network Activity:

The only external network activity is opening a tab to https://editcookie.com/#start on first run.

Filesystem Activity:

No direct filesystem access is present (as expected for a Chrome extension).

Other Security-Relevant Behaviors:

No evidence of code execution, shell command execution, PowerShell usage, privilege escalation, persistence mechanisms beyond normal extension behavior, Windows Registry access, file or user creation, or clipboard access.
No obfuscation is present; code is readable and straightforward.

Potentially Sensitive Code Example:

chrome.tabs.create({ url: 'https://editcookie.com/#start' });

This line opens the extension's website on first run, which is a common and benign behavior for Chrome extensions.

No strong indicators of malicious activity were observed.

Permissions

high

api

Permits reading and modifying browser cookies, which can contain sensitive information including login session data and site preferences.

medium

clipboardWrite

api

Lets the extension cut and copy items to the clipboard using the web platform Clipboard API.

low

contextMenus

api

Allows adding items to browser context menus, potentially intercepting user right-click interactions.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

API CALLS ARE AVAILABLE FOR ENTERPRISE USERS

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

SECRETS ARE AVAILABLE FOR ENTERPRISE USERS

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

GHSA-gxr4-xjj5-5px2

Potential XSS vulnerability in jQuery

CVSS:

6.9

GHSA-jpcq-cgw6-v4j6

Potential XSS vulnerability in jQuery

CVSS:

6.9

GHSA-9gj3-hwp5-pmwc

XSS in the `altField` option of the Datepicker widget in jquery-ui

CVSS:

6.5

All vulnerabilities are available for Enterprise users

External communication

Any identifiers we detected that may indicate external communication from the item's code

https://editcookie.com/#start

js/background.js

https://editcookie.com/#start

js/background.js

http://curl.haxx.se/rfc/cookie_spec.html

js/cookie_helpers.js

All external communications are available for Enterprise users

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

jquery

Version:

3.3.1

jquery-ui

Version:

1.12.1

All dependencies are available for Enterprise users

Licenses & Compliance

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

LICENSES & COMPLIANCE ARE AVAILABLE FOR ENTERPRISE USERS