Ace Script
Lets you automate repetitive tasks and interact with web pages in a more dynamic way by allowing your browser to execute custom scripts. Popular among developers and power users, Ace Script enables users to tap into the full potential of their browser's capabilities. Most beneficial for those who need to automate complex workflows or customize their browsing experience.
Overview
Provide userscript support for browsers.
Ace Script provides userscript support for browsers. It works on browsers with WebExtensions support. It supports most scripts for Greasemonkey and Tampermonkey, and also allows you to create scripts with the ability to easily integrate the functionality of the Ace Stream software (www.acestream.org).
Features:
- Update automatically according to the meta data.
- Scripts will be executed in order as shown in the list.
- GM functions are supported.
- Support import from and export to a zip file.
- Support integration with Ace Stream software
Privacy policy:
https://acescript.acestream.me/privacy/
Security Analysis — Ace Script
Package Contents 168 files · 17.5MB
What This Extension Does
Ace Script is a browser extension that provides userscript support for browsers, allowing users to create scripts with various functionalities. It aims to provide an alternative to Greasemonkey and Tampermonkey. This extension is suitable for power users who want to customize their browsing experience.
Permissions Explained
- tabs (expected): This permission allows the extension to access and interact with browser tabs.
  Technical: The extension can read and modify tab metadata, including URLs, titles, and content. This could potentially allow unauthorized data exfiltration or manipulation of user browsing history.
- alarms (expected): This permission allows the extension to schedule and manage alarms for specific events.
  Technical: The extension can create, read, and delete alarms using Chrome's alarm API. This could potentially allow unauthorized scheduling of tasks or manipulation of user notifications.
- storage (expected): This permission allows the extension to store and retrieve data locally on the device.
  Technical: The extension can read, write, and delete browser storage using Chrome's storage API. This could potentially allow unauthorized access or modification of user data.
- cookies (expected): This permission allows the extension to read and modify cookies stored by websites.
  Technical: The extension can read, write, and delete cookies using Chrome's cookie API. This could potentially allow unauthorized access or modification of user session data. ⚠ 1
- offscreen (expected): This permission allows the extension to create and manage off-screen browser windows.
  Technical: The extension can create, read, and delete off-screen windows using Chrome's window API. This could potentially allow unauthorized access or manipulation of user browsing history.
- scripting (expected): This permission allows the extension to execute scripts in the context of web pages.
  Technical: The extension can inject and execute scripts using Chrome's content script API. This could potentially allow unauthorized execution of malicious code or manipulation of user browsing experience.
- downloads (expected): This permission allows the extension to manage downloads initiated by web pages.
  Technical: The extension can read, write, and delete download metadata using Chrome's download API. This could potentially allow unauthorized access or modification of user file downloads.
- activeTab (expected): This permission allows the extension to read and modify the currently active tab.
  Technical: The extension can read, write, and delete tab metadata using Chrome's tab API. This could potentially allow unauthorized access or modification of user browsing history.
- webRequest (expected): This permission allows the extension to intercept and modify web requests made by web pages.
  Technical: The extension can read, write, and delete web request metadata using Chrome's webRequest API. This could potentially allow unauthorized access or modification of user browsing history. ⚠ 1
- userScripts (expected): This permission allows the extension to execute userscripts in the context of web pages.
  Technical: The extension can inject and execute userscripts using Chrome's content script API. This could potentially allow unauthorized execution of malicious code or manipulation of user browsing experience.
- contextMenus (expected): This permission allows the extension to create and manage context menus for web pages.
  Technical: The extension can read, write, and delete context menu metadata using Chrome's context menu API. This could potentially allow unauthorized access or modification of user browsing experience.
- notifications (expected): This permission allows the extension to display notifications to the user.
  Technical: The extension can read, write, and delete notification metadata using Chrome's notification API. This could potentially allow unauthorized access or modification of user notifications.
- clipboardWrite (expected): This permission allows the extension to write data to the clipboard.
  Technical: The extension can read and write clipboard content using Chrome's clipboard API. This could potentially allow unauthorized access or modification of user clipboard data.
- unlimitedStorage (expected): This permission allows the extension to store an unlimited amount of data locally on the device.
  Technical: The extension can read, write, and delete browser storage using Chrome's storage API. This could potentially allow unauthorized access or modification of user data.
- declarativeNetRequest (expected): This permission allows the extension to intercept and modify web requests made by web pages using a declarative API.
  Technical: The extension can read, write, and delete web request metadata using Chrome's declarative net request API. This could potentially allow unauthorized access or modification of user browsing history.
- <all_urls> (check this): This permission allows the extension to access and modify all web pages, including those loaded in incognito mode.
  Technical: The extension can read, write, and delete metadata for all web pages using Chrome's tab API. This could potentially allow unauthorized access or modification of user browsing history, even in incognito mode. ⚠ 1
Your Data
The extension accesses and stores data locally on the device using browser storage. It also sends data to various domains, including acescript.acestream.me, developer.mozilla.org, and www.googleapis.com.
Technical Details
Code Findings
The extension uses the execScript function instead of eval, which is a safer alternative for executing scripts.
Technical: The extension injects and executes scripts using Chrome's content script API. The execScript function is used to execute scripts in the context of web pages.
💡 This pattern is commonly used in legitimate extensions to provide userscript support.
The extension assigns innerHTML values, which could potentially allow cross-site scripting (XSS) attacks if not properly sanitized.
Technical: The extension uses the innerHTML property to assign values to HTML elements. This could potentially allow XSS attacks if user input is not properly sanitized.
💡 This pattern is commonly used in legitimate extensions to provide userscript support.
The extension uses the String.fromCharCode function, which could be used for obfuscating code.
Technical: The extension injects and executes scripts using Chrome's content script API. The String.fromCharCode function is used to create strings from character codes.
💡 This pattern is commonly used in legitimate extensions to provide userscript support.
The extension makes XHR requests to various domains, including acescript.acestream.me and developer.mozilla.org.
Technical: The extension uses the Fetch API to make requests to other domains, including scriptcat.org and example.com.
💡 This pattern is commonly used in legitimate extensions to provide userscript support.
The extension captures keystrokes, which could potentially allow unauthorized access or modification of user data.
Technical: The extension uses the keyboard API to capture keystrokes. This could potentially allow unauthorized access or modification of user data.
💡 This pattern is not commonly used in legitimate extensions.
The extension has broad host permissions, which could potentially allow unauthorized access or modification of user data.
Technical: The extension has the <all_urls> permission, which allows it to access and modify all web pages, including those loaded in incognito mode.
💡 This pattern is not commonly used in legitimate extensions.
Based on our analysis, we recommend that users exercise caution when installing the Ace Script extension. While it provides useful features for power users, its broad host permissions and potential XSS vectors raise concerns about user data security.