夸克网盘-网页嗅探Security Analysis

Extension uses chrome.cookies.getAll for bulk cookie access and sends data to external servers — high risk of session token theft.

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

Extension communicates with native apps and executes dynamic code — potential sandbox escape vector.

Uses eval() to execute dynamic code, a common technique for obfuscation and code injection.

Creates functions from strings, similar to eval(), often used to hide malicious code.

Dynamically creates script elements, potentially loading external malicious code.

Dynamically sets a script's src attribute to load external code at runtime.

Accesses browser cookies programmatically, could be used to steal session tokens.

Uses eval() to execute dynamic code — a common vector for code injection.

Creates a function from a string (new Function()), similar to eval().

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

Sends messages via Chrome runtime, could communicate with external services.

Dynamically creates iframe elements, which can be used to load external content or hide malicious UI.

Modifies window.location to redirect the user, potentially to phishing or malicious pages.

Uses XMLHttpRequest to make network calls.

Line exceeds 5000 characters (entropy: 5.511411830184206)

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

Sets innerHTML directly, which can lead to XSS if used with untrusted data.

Reads or writes to localStorage, which may contain sensitive site data.

Encodes data to base64, may be used for data exfiltration.