FastSave Security Analysis

Chrome | v3.8.3 | MV3 | February 18, 2026 at 11:54 AM
Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

Risk score: 6.6 HIGH (Raw: 8.3)

This extension shows significant risk signals. Review the findings below carefully before installing or continuing to use it.

Based on 11 permissions including high-risk ones, 36 code findings, 3 dangerous combinations.

Trust Signals (4.0/10)

Users: 100K
Rating: 4.9 (335 reviews)

Dangerous Combinations (3)

[CRITICAL] Bulk cookie access + external network

Extension uses chrome.cookies.getAll for bulk cookie access and sends data to external servers — high risk of session token theft.

cookies + chrome.cookies.getAll + external network

[MEDIUM] Tab tracking API + external communication

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

tabs + tabs API usage + external network

[CRITICAL] Network interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking + external network request

Permissions: 8.5/10
Code: 7.6/10
Combinations: 10.0/10
Manifest/CSP: 7.0/10

Permissions (11 analyzed)

Code Findings (18 patterns, 36 total)

Content Security Policy

CSP Present (1 issue)

[LOW] object-src: object-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis (4 findings)

Resolved from __MSG_* i18n placeholders:

Name: FastSave

Description: Repost Instagram stories, save video, photo and Reels. Browse Instagram site like a mobile app.

[HIGH] web_accessible_resources: JS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

[MEDIUM] web_accessible_resources.matches: Overly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

[HIGH] content_scripts: Aggressive content script injection

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

[HIGH] content_scripts: Aggressive content script injection

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

External Domains (5)

*.instagram.com, react.dev, spector.net, stuk.github.io, www.instagram.com

Indicators of Compromise

17 indicators of compromise found

File Statistics

Total Files: 86
JS Files: 14
Total Size: 1.7 MB
