Bitmoji Security Analysis

Chrome | v11.0.0 | MV3 | February 16, 2026 at 03:10 PM
9.5 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 12 permissions including high-risk ones, 27 code findings, 1 dangerous combination.

Dangerous Combinations (1)

CRITICAL: Cookie access + external network

Extension has cookie access and sends data to external servers — potential session token theft.

cookies + external network request

Permissions: 10.0/10
Code: 10.0/10
Combinations: 10.0/10
Manifest/CSP: 5.0/10

Permissions (12 analyzed)

Code Findings (17 patterns, 27 total)

Libraries (4 detected)

4 libraries detected

Content Security Policy

No CSP Defined (1 issue)
MEDIUM
N/A: No CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis (2 findings)

MEDIUM
web_accessible_resources.matches: Overly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

LOW
externally_connectable: External messaging enabled

Extension accepts messages from 2 external pattern(s). Verify these are trusted origins.

External Domains (19)


Indicators of Compromise

287 indicators of compromise found

File Statistics

Total Files: 54
JS Files: 7
Total Size: 2.6 MB
