Blogs Are Back Feed Fetch
🔍 Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Overview
Blogs Are Back is a companion extension for blogsareback.com that makes following blogs effortless.
WHAT IT DOES
Feed Discovery
Browse the web normally and the extension automatically detects RSS and Atom feeds on blogs you visit. Optional floating "follow" button can be enabled for easy additions to your feed collection.
Direct Feed Fetching
Fetches feeds directly from your browser, bypassing CORS restrictions. Your reading activity stays private - feeds are fetched locally without routing through any server.
Readable Article Extraction
Extracts clean, readable text from articles using Mozilla's Readability library. Get the content without the clutter.
TWO MODES
Basic Mode (Default)
A lightweight feed discovery and subscription tool. No background activity, no notifications - just find and subscribe to feeds as you browse.
Featured Mode
The full experience. Get notified when blogs you follow publish new posts:
• Badge shows unread post count
• Desktop notifications for new content
• Periodic background checking (configurable interval)
• Works with both directory blogs and your custom subscriptions
FEATURES
• Automatic RSS/Atom feed detection
• One-click subscription via popup, floating button, or right-click menu
• Queue subscriptions while offline - they sync when you visit blogsareback.com
• Configurable update checking intervals
• Save posts for offline reading
• Statistics tracking (optional)
PRIVACY
This extension:
• Fetches feeds directly in your browser (no proxy server)
• Stores data locally using Chrome's storage API
• Never collects or transmits your browsing history
The "Access all websites" permission is required solely to fetch RSS/Atom feeds from any blog you want to follow.
OPEN SOURCE
View the code, report issues, or contribute at:
https://github.com/blogsareback/extension
Tags
Privacy Practices
Security Analysis — Blogs Are Back Feed Fetch
Permissions
Code Patterns Detected
External Connections
Package Contents 30 files · 1.6MB
What This Extension Does
Blogs Are Back Feed Fetch is a browser extension designed to help users discover, subscribe to, and read RSS/Atom feeds directly from their browser without using a proxy server. It solves the problem of fragmented blog reading by allowing users to aggregate content locally while bypassing CORS restrictions that typically prevent web pages from fetching external feed data. The tool is intended for bloggers and news enthusiasts who want a lightweight, privacy-focused way to manage their reading lists.
Permissions Explained
- <all_urls>expected: This permission allows the extension to run on every website you visit. It is necessary for the tool to automatically detect RSS feeds on any blog you browse, but it grants broad access to your browsing context.
Technical: Grants Content Script injection and background script execution across all origins (https://*.blogsareback.com/* and <all_urls>). This exposes the extension's code to every site visited, increasing the attack surface if the code is compromised. It enables the use of the Fetch API on any domain. - storageexpected: Allows the extension to save your feed subscriptions, settings, and saved posts locally in your browser. This keeps your reading list private on your device.
Technical: Accesses chrome.storage.sync and chrome.storage.local APIs. Data is stored as JSON blobs. If compromised, an attacker could read or modify your subscription list and local configuration. - tabsexpected: Enables the extension to know which tab is active so it can show notifications for new posts on specific blogs you are currently viewing.
Technical: Accesses chrome.tabs API. Allows reading tab metadata (title, URL) and triggering events like 'onActivated'. Does not inherently allow reading tab content unless combined with other permissions. - notificationsexpected: Allows the extension to show desktop pop-ups when a blog you follow publishes new content.
Technical: Accesses chrome.notifications API. Requires user interaction (click) to subscribe to notifications. If compromised, could be used for phishing or displaying unwanted ads. - alarmsexpected: Used in 'Featured Mode' to periodically check for new posts on your subscribed blogs without needing you to be online constantly.
Technical: Accesses chrome.alarms API. Allows scheduling background tasks (e.g., every 15 minutes). Background scripts run with elevated privileges if the extension is active. - scriptingexpected: Allows the extension to inject code into web pages to extract readable text and detect feeds.
Technical: Accesses chrome.scripting API (formerly Manifest V2 'webRequest'/'tabs'). Enables dynamic creation of script elements and content script injection. Critical for functionality but requires careful CSP management. - contextMenusexpected: Allows the extension to add a 'Subscribe' option to your right-click menu on any webpage containing an RSS feed.
Technical: Accesses chrome.contextMenus API. Allows registering and displaying context menu items based on page content (e.g., detecting <link rel="alternate"> tags).
Your Data
The extension accesses your browsing history only to detect RSS feeds and does not transmit this data to external servers. It stores feed URLs, subscription counts, and saved posts locally in Chrome's storage. The only external network activity is fetching feed XML/JSON content from blog domains (e.g., blogsareback.com) and downloading dependencies like React Router.
Technical Details
Code Findings
The extension's code contains patterns that look like it is recording what you type on the keyboard. This is a serious security risk because it could steal passwords or private messages.
Technical: Code analysis detected event listeners for 'keydown' and 'keypress' combined with string manipulation logic typical of keyloggers. While the extension claims to only fetch feeds, the presence of these patterns suggests either malicious intent or severe negligence in code hygiene.
The extension creates new scripts inside web pages to help read articles. While this is normal for reading tools, it means the extension has full control over how content is displayed.
Technical: Uses 'document.createElement('script')' and 'eval()' patterns to inject Mozilla's Readability library. This allows modification of the DOM and execution of arbitrary code within the page context.
💡 Standard practice for text extraction extensions (e.g., NewsBlur, Feedly) to render clean HTML.
The code uses tricks to hide its true purpose, making it harder for users to inspect or verify what the extension is doing.
Technical: Uses 'String.fromCharCode' and 'charCodeAt' loops to decode strings at runtime. This is a common obfuscation technique used by malware to evade detection and hide malicious payloads.
💡 Sometimes used in legitimate extensions to license checks or dynamic feature loading, but excessive use raises suspicion.
The extension does not have strict security rules preventing malicious code from running inside it. This makes it easier for attackers to exploit vulnerabilities.
Technical: Manifest V3 'content_security_policy' field is empty or not set. Allows default browser permissions which includes loading scripts from any origin if injected via <all_urls>.
The extension talks to other websites using a secure messaging system. This is needed to fetch feeds from different domains.
Technical: Uses 'window.postMessage' for cross-origin communication. Relies on the browser's CORS policy and origin checking. Risk exists if the receiving domain is compromised.
💡 Standard mechanism for extensions to interact with third-party APIs or embedded widgets.
Blogs Are Back Feed Fetch presents a significant security risk due to the presence of keystroke capture patterns and code obfuscation, despite its stated purpose being benign. The broad <all_urls> permission combined with dynamic script injection creates an attack surface that exceeds typical needs for a feed reader. Users should avoid installing this extension until the developer addresses the high-severity findings regarding keylogging and removes unnecessary obfuscation.
