Bitwarden Password Manager: Security Analysis

Chrome | v2026.2.0 | MV3 | March 24, 2026 at 03:43 AM
Use with caution

This extension requests significant permissions. It has 6M+ users, a 4.6-star rating, and is published by Bitwarden Inc., but review the findings below.

Score: 4.7 MEDIUM (Raw: 7.2)

This extension shows some risk signals that are common in legitimate extensions but worth reviewing. Check the details below.

Based on 21 permissions including high-risk ones, 167 code findings, 4 dangerous combinations.

Trust Signals (6.5/10)

Users: 6.0M
Rating: 4.6 (8K reviews)
Developer: Bitwarden Inc.
Status: Featured

Dangerous Combinations (4)

MEDIUM: Tab tracking API + external communication

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

Triggers: tabs + tabs API usage + external network

CRITICAL: Network interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

Triggers: webRequest/webRequestBlocking + external network request

CRITICAL: Clipboard read + external communication

Extension reads clipboard and communicates externally — potential credential or crypto address theft.

Triggers: clipboardRead + external network request

CRITICAL: Native messaging + dynamic code execution

Extension communicates with native apps and executes dynamic code — potential sandbox escape vector.

Triggers: nativeMessaging + eval/Function/dynamic code

Category Scores

Permissions: 9.5/10
Code: 4.0/10
Combinations: 10.0/10
Manifest/CSP: 6.5/10

Permissions (21 analyzed)

Code Findings (29 patterns, 167 total)

Libraries (5 detected)

5 libraries detected

Content Security Policy

CSP Present (1 issue)

LOW: object-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis (4 findings)

Resolved from __MSG_* i18n placeholders:

Name: Bitwarden Password Manager

Description: At home, at work, or on the go, Bitwarden easily secures all your passwords, passkeys, and sensitive information

HIGH: web_accessible_resources: JS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM: web_accessible_resources.matches: Overly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

MEDIUM: content_scripts: Content script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

HIGH: content_scripts: Aggressive content script injection

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

External Domains (44)

Template placeholders found in URL strings (extracted as-is, braces truncated in the scan output):
${globalthis.location.hostname
${t
${url

Domains:
127.0.0.1
aka.ms
angular.dev
angular.io
api.fastmail.com
api.forwardemail.net
app.addy.io
app.simplelogin.io
bitwarden.atlassian.net
bitwarden.com
bugs.chromium.org
bugs.webkit.org
bugzilla.mozilla.org
code.google.com
en.wikipedia.org
esbench.com
feross.org
foo.com
fregante.com
gist.github.com
github.com
issues.chromium.org
learn.microsoft.com
mathiasbynens.be
mothereff.in
polymer.github.io
quack.duckduckgo.com
relay.firefox.com
rxjs.dev
stackoverflow.com
stuk.github.io
tc39.es
tools.ietf.org
www.apache.org
www.example.com
www.fastmail.com
xn--e1aybc

Indicators of Compromise

146 indicators of compromise found

File Statistics

Total Files: 200
JS Files: 26
Total Size: 57.6 MB
