Is Rakuten: Get Cash Back For Shopping safe to use?

Rakuten: Get Cash Back For Shopping has a risk level of CRITICAL with an overall risk score of 9.7/10. Our scan detected 101 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Rakuten: Get Cash Back For Shopping request?

Rakuten: Get Cash Back For Shopping requests the following permissions: tabs, webNavigation, webRequest, storage, cookies, alarms, scripting, notifications. It also requests host access to: , https://*.rakuten.com/*, https://*.rakuten.co.uk/*.

What is Rakuten: Get Cash Back For Shopping's risk score?

Rakuten: Get Cash Back For Shopping has an overall risk score of 9.7/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 6.7/10.

ExtSafe

Rakuten: Get Cash Back For ShoppingSecurity Analysis

Chromev26.2.0MV3February 16, 2026 at 03:27 PM

9.7CRITICAL

9.7 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 11 permissions including high-risk ones, 93 code findings, 4 dangerous combinations.

Dangerous Combinations(4)

CRITICALCookie access + external network

Extension has cookie access and sends data to external servers — potential session token theft.

cookies+external network request

HIGHTab tracking + external communication

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

tabs+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

6.7/10

Permissions(11 analyzed)

Code Findings(23 patterns, 93 total)

Libraries(2 detected)

2 libraries detected

Content Security Policy

No CSP Defined(1 issue)

MEDIUM

N/ANo CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis(2 findings)

Resolved from __MSG_* i18n placeholders:

Name: Rakuten: Get Cash Back For Shopping

Description: Activate & earn Cash Back directly on store sites. We do all the work. You just shop and save. Earn Cash Back at 3,500 stores today!

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

External Domains(47)

${e${e.domain${kn.$.get(${p.product_cdn${t${t.domain${t.domainnameaddons.mozilla.orgapi.engager.ecbsn.co.ukapi.engager.ecbsn.comapi.fillr.comapi.groupon.comapi.rakuten.co.ukapi.rakuten.comapi.segment.ioaxios-http.combit.lybrowser-intake-datadoghq.combutton.rrcbsn.comcapture.ecbsn.comcapture.fillr-tech.comcas.rrcbsn.comchromewebstore.google.comevents.engager.ecbsn.comfb.meffconf.ecbsn.comgithub.comitunes.apple.commicrosoftedge.microsoft.compreview-www.rakuten.comproduct-image.ebates.com${arakutenrewards.atlassian.netreactjs.orgschema.orgsearch.ecbsn.co.uksearch.ecbsn.comstatic.rakuten.co.ukstatic.rakuten.comticketmaster.comtwitter.comwww.asos.comwww.ebay.comwww.facebook.comwww.i18next.comwww.rakuten.co.ukwww.rakuten.comwww.verishop.com