Chatgpt Batch Delete Hist
✨ AI-Powered 🔍 Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Overview
ChatGPT Batch Delete History Manager
Tags
Privacy Practices
Security Analysis — Chatgpt Batch Delete Hist
Permissions
Code Patterns Detected
External Connections
Package Contents 31 files · 887KB
What This Extension Does
This extension helps users delete multiple ChatGPT conversation histories at once.
Permissions
- storageexpected: Lets the extension save and retrieve data locally on your computer, like settings or history records. A user might care because it could store sensitive information about their browsing habits.
- activeTabexpected: Allows the extension to see and interact with the currently active browser tab, including its URL and content. This is needed for interacting with ChatGPT pages but could be misused if not properly scoped.
Your Data
The extension may send data to external servers when deleting conversations, particularly through a domain called batch-delete-history-api.windchat.link. It could transmit information about your chats or usage patterns.
Code Findings
The extension uses a JavaScript command called 'eval' that can run code from strings. This is risky because it could allow attackers to inject harmful commands if the string comes from an untrusted source.
💡 Commonly used in development tools or debugging utilities where developers need dynamic evaluation, but should be avoided unless strictly necessary and securely implemented.
Trustworthiness
- Developer: No developer name is listed in the metadata. This lack of identification raises concerns about accountability and trustworthiness.
- Privacy Policy: No privacy policy was found, making it unclear how data collected by this extension is handled or whether any personal information is transmitted.
- Install Base: Installed by 2,000 users as of the latest update, suggesting moderate adoption but limited maintenance visibility.
This extension appears consistent with its purpose, but the presence of eval() usage means users should exercise caution when installing it. Ensure you trust the developer before enabling.
Extension Overview
This extension helps users delete multiple ChatGPT conversation histories at once.
Permissions
- storageexpected: Exposes access to Chrome's
chrome.storageAPI which allows reading/writing of persistent key-value pairs in local storage. An attacker with control over this extension could potentially read stored data such as conversation IDs or session tokens if they were saved there. - activeTabexpected: Grants access to
chrome.tabsAPI methods likequery()andexecuteScript(), enabling interaction with the current page's DOM or execution of scripts in context. If compromised, an attacker can manipulate content on active tabs including injecting malicious code into ChatGPT pages.
Data Exposure (Technical)
Communicates with the following domains: chatgpt.com (for injection), img.windchat.link (image hosting), github.com (possibly for updates), batch-delete-history-api.windchat.link (primary API endpoint), vitejs.dev, reactjs.org, lodash.com, underscorejs.org, npms.io, arkose-api.windchat.link. Data transmission includes potentially sensitive information like conversation IDs or metadata related to chat history deletion. No explicit encryption is mentioned; HTTP requests are made without clear indication of TLS enforcement.
Code Findings
Detected usage of eval() in content script or background logic, which allows dynamic execution of arbitrary JavaScript code based on runtime inputs. If input sources are not properly sanitized (e.g., fetched from remote APIs), this creates a potential vector for code injection attacks that could lead to full compromise of the extension environment.
💡 Commonly used in development tools or debugging utilities where developers need dynamic evaluation, but should be avoided unless strictly necessary and securely implemented.
Code Analysis
- Obfuscation: Standard minification observed; no heavy obfuscation techniques like control flow flattening or string encoding detected.
- Content Security Policy: Content Security Policy is not set in the manifest, meaning there are no restrictions on inline scripts or external resource loading. This increases risk of XSS and code injection vulnerabilities if content scripts interact with untrusted data.
- Architecture: Uses Manifest V3 architecture with background service worker and content script injection into ChatGPT domains (chatgpt.com, chat.openai.com, claude.ai/new). The extension does not appear to use MV2 features or manifest anomalies.
Transparency
- Developer: No developer name is listed in the metadata. This lack of identification raises concerns about accountability and trustworthiness.
- Privacy Policy: No privacy policy was found, making it unclear how data collected by this extension is handled or whether any personal information is transmitted.
- Code Visibility: Code appears to be bundled/minified with no public source code available for independent review. This limits transparency and auditability.
- Install Base: Installed by 2,000 users as of the latest update, suggesting moderate adoption but limited maintenance visibility.
The use of eval() in a browser extension context presents a high-severity risk due to potential for remote code execution if input is not strictly controlled. The lack of CSP and absence of a privacy policy further reduce confidence in data handling practices. Researchers should manually inspect the source code for sanitization logic around eval() usage, verify network traffic patterns against declared permissions, and confirm whether any sensitive data is being sent over insecure channels.
