Battletabs
Engages you in bite-sized battles with friends and other players in a new tab, where you can collect ships, build your fleet, and unleash special attacks. Perfect for brief breaks between tasks, it offers intense multiplayer action and customizable gameplay. Suitable for anyone looking to add some fun and competition to their browsing experience.
Overview
💣 Battle your friends! Battle with Viking ships in your browser's new tab with your friends and other players. Collect new ships and build up your own fleet with special attacks to bring to battle!
Note: you can turn off the new tab mode in the settings if you want to keep your default new tab page.
⛵️ Features:
- Bite-sized gameplay, perfect for the few seconds you have to take a break in-between tasks
- Intense multiplayer action with unique ships and special abilities
- Build your own fleets with ships you've collected
- Play multiple matches at the same time
- Shows your top sites and your most visited websites on the new tab page, and shows a search bar on the new tab page for easy access
- To support the development of the game, we may show advertisements in the product. We will make sure they don't detract from the experience of the game!
💡 Latest updates: https://battletabs.io/news
Security Analysis — Battletabs
Package Contents 13 files · 1.9MB
What This Extension Does
Battletabs is a browser extension that transforms your New Tab page into a multiplayer Viking ship battle arena, allowing users to play quick games while viewing their most visited sites. It solves the problem of finding bite-sized entertainment during short breaks by integrating directly into the browser's home screen. The extension is designed for gamers and casual users who want an interactive experience without leaving their browsing session.
Permissions Explained
- storage (expected): This allows the extension to save your game progress, collected ships, settings, and high scores locally in your browser so you don't lose them when you close the tab.
  Technical: Accesses chrome.storage.sync or chrome.storage.local APIs. Data is stored as JSON blobs encrypted by the browser. If compromised, an attacker could read local game state but typically cannot access other websites' data due to same-origin policy unless specific storage access APIs are abused.
- notifications (expected): This enables the extension to send you pop-up alerts for game events, such as when a friend challenges you or when a new ship is available.
  Technical: Uses chrome.notifications.create API. Requires explicit user permission via a browser prompt. If compromised, an attacker could spam notifications to trick users into clicking malicious links (smishing/phishing), though the extension itself cannot read notification content from other apps.
- topSites (expected): This lets the extension read your list of most frequently visited websites to display them on the game screen alongside the search bar.
  Technical: Accesses chrome.webNavigation.onCommitted or chrome.topSites API. This reads the history of visited URLs from the browser's internal database. It does not capture passwords or form data, but it reveals browsing habits and site frequency patterns.
Your Data
The extension communicates with its own servers (battletabs.io) to sync game state and advertisements. It also contacts third-party domains like GitHub, Reddit, Twitter, and YouTube, likely for analytics, asset loading, or social integration. All traffic appears to use standard HTTPS protocols.
Technical Details
Code Findings
The extension uses a common coding pattern that could theoretically allow malicious code to run if it loads untrusted content into the game interface. While unlikely in this specific context, it is a known security risk.
Technical: Code analysis reveals 'innerHTML' assignments without strict sanitization of user-generated content or dynamic assets. This creates an XSS vector where an attacker could inject scripts if they can control the content being rendered. The risk is mitigated by the fact that the extension does not appear to load arbitrary third-party scripts into the UI, but the pattern remains a vulnerability.
💡 innerHTML is frequently used in web development for dynamic DOM manipulation and rendering HTML strings from JSON data. It is standard practice unless strict Content Security Policy (CSP) headers are enforced.
The extension uses techniques to hide its code structure, making it harder for average users or automated scanners to read. While this protects intellectual property, it can also be used to hide malicious behavior.
Technical: Analysis detected 'String.fromCharCode' and 'charCodeAt' usage patterns typical of string obfuscation. This converts readable strings into arrays of character codes before execution. Additionally, the extension uses 'postMessage' for cross-origin communication, which is a standard but sometimes abused method for data exfiltration if not properly validated.
💡 Obfuscation is commonly used by developers to protect proprietary algorithms and game logic from reverse engineering. postMessage is essential for secure communication between different web contexts (e.g., popup windows or embedded iframes).
The extension connects to a wide variety of websites, including social media and tech platforms. This is mostly for loading game assets or analytics but increases the surface area for potential tracking.
Technical: Network logs show connections to www.apache.org, www.w3.org, github.com, yarnpkg.com, and various social media sites. These requests are likely for CDN asset delivery (images/fonts), dependency updates, or telemetry. The lack of a strict Content Security Policy (CSP) header allows these scripts to execute.
💡 Extensions often need to fetch external assets (images, fonts, sounds) from CDNs and communicate with analytics providers. Connecting to GitHub is common for fetching update manifests or dependency libraries.
Battletabs is a legitimate gaming extension that provides an entertaining experience but contains moderate security risks typical of browser games, primarily related to code obfuscation and potential XSS vectors. The permissions requested are fully aligned with the stated purpose of running a game on the New Tab page. Users should be aware that while the extension is not malicious, the use of obfuscated code makes it harder to audit for hidden behaviors. It is safe to use if you trust the developer, but avoid clicking any unexpected links within the game interface.