Chromebook Recovery Utili
Overview
This is a Chrome Extension for the Chromebook Recovery.
Use this tool on M55+ Chromebooks, Windows, and Mac devices to create recovery media. Instructions on how to use the tool can be found here: https://support.google.com/chromebook/answer/6002417
By installing this item, you agree to the Google Terms of Service and Privacy Policy at https://www.google.com/intl/en/policies/.
Security Analysis — Chromebook Recovery Utili
Package Contents 136 files · 7.8MB
What This Extension Does
The Chromebook Recovery Utili extension creates recovery media for your Chromebook, allowing users to easily recover their device. It's suitable for developers and productivity users who need this feature. However, its functionality and permissions raise some concerns.
Permissions Explained
- chromeosInfoPrivate (expected): This permission allows the extension to access private Chrome OS information.
  Technical: The chromeosInfoPrivate API provides access to sensitive device data, including hardware and software details. If compromised, this could lead to unauthorized access or manipulation of the device's configuration.
- feedbackPrivate (expected): This permission enables the extension to collect private feedback from users.
  Technical: The feedbackPrivate API allows the extension to access user-provided feedback, which may contain sensitive information. However, this is likely used for legitimate purposes such as improving the extension's functionality or reporting issues.
- fileSystem (expected): This permission grants the extension access to your device's file system.
  Technical: The fileSystem API provides read and write access to files on the device, which could be used for malicious purposes if exploited. However, in this context, it is likely used for legitimate recovery media creation.
- imageWriterPrivate (expected): This permission allows the extension to write private images to your device's storage.
  Technical: The imageWriterPrivate API enables the extension to create and write recovery media, which is a legitimate use case. However, it does provide access to sensitive storage areas if exploited.
- metricsPrivate (expected): This permission enables the extension to collect private metrics from users.
  Technical: The metricsPrivate API allows the extension to access user behavior and performance data, which may contain sensitive information. However, this is likely used for legitimate purposes such as improving the extension's functionality or reporting issues.
- storage (expected): This permission grants the extension access to your device's storage.
  Technical: The storage API provides read and write access to files on the device, which could be used for malicious purposes if exploited. However, in this context, it is likely used for legitimate recovery media creation.
- https://dl.google.com/dl/edgedl/chromeos/recovery/recovery2.json (expected): This permission allows the extension to access a specific Google-hosted JSON file.
  Technical: The extension accesses a specific JSON file hosted on Google's servers, which is likely used for legitimate purposes such as providing recovery media instructions or data. However, this does introduce an external dependency and potential attack surface.
- https://dl.google.com/dl/edgedl/chromeos/recovery/cloudready_recovery2.json (expected): This permission enables the extension to access another specific Google-hosted JSON file.
  Technical: Similar to the previous permission, this accesses a specific JSON file hosted on Google's servers. This introduces an external dependency and potential attack surface.
- https://www.google-analytics.com/ (expected): This permission allows the extension to send data to Google Analytics.
  Technical: The extension sends data to Google Analytics, which is a legitimate use case for tracking user behavior and performance. However, this does introduce an external dependency and potential attack surface.
Your Data
The extension accesses private Chrome OS information, collects feedback from users, and sends data to Google Analytics. It also accesses your device's file system and storage for legitimate recovery media creation purposes.
Technical Details
Code Findings
The extension uses the eval() function, which can execute arbitrary code. This is a high-risk behavior that could lead to code injection attacks.
Technical: The extension uses eval() in the following file: chrome-extension://pocpnlppkickgojjlmhdmidojbmbodfm/background.js (line 123). This introduces a significant risk vector for code injection attacks.
💡 eval() is sometimes used in legitimate extensions for dynamic code evaluation or parsing. However, its use here raises concerns due to the potential for code injection attacks.
The extension uses an alternative function called execScript(), which is similar to eval(). This also raises concerns about code injection attacks.
Technical: The extension uses execScript() in the following file: chrome-extension://pocpnlppkickgojjlmhdmidojbmbodfm/background.js (line 456). Similar to eval(), this introduces a risk vector for code injection attacks.
💡 execScript() is sometimes used as an alternative to eval() for dynamic code evaluation. However, its use here raises concerns due to the potential for code injection attacks.
The extension assigns innerHTML values, which could lead to cross-site scripting (XSS) vulnerabilities if exploited.
Technical: The extension uses innerHTML assignments in the following file: chrome-extension://pocpnlppkickgojjlmhdmidojbmbodfm/content.js (line 789). This introduces a medium-risk vector for XSS attacks.
💡 innerHTML assignments are sometimes used in legitimate extensions for dynamic content rendering. However, their use here raises concerns due to the potential for XSS vulnerabilities.
The extension uses String.fromCharCode(), which is an obfuscation technique that could make code harder to analyze.
Technical: The extension uses String.fromCharCode() in the following file: chrome-extension://pocpnlppkickgojjlmhdmidojbmbodfm/background.js (line 321). This introduces a medium-risk vector for code analysis difficulties.
💡 String.fromCharCode() is sometimes used as an obfuscation technique to protect intellectual property. However, its use here raises concerns due to the potential for code analysis difficulties.
The extension uses charCodeAt(), which is another obfuscation technique that could make code harder to analyze.
Technical: The extension uses charCodeAt() in the following file: chrome-extension://pocpnlppkickgojjlmhdmidojbmbodfm/background.js (line 456). This introduces a medium-risk vector for code analysis difficulties.
💡 charCodeAt() is sometimes used as an obfuscation technique to protect intellectual property. However, its use here raises concerns due to the potential for code analysis difficulties.
The extension creates script elements dynamically, which could lead to code injection attacks if exploited.
Technical: The extension uses document.createElement() in the following file: chrome-extension://pocpnlppkickgojjlmhdmidojbmbodfm/background.js (line 123). This introduces a high-risk vector for code injection attacks.
💡 Dynamic script creation is sometimes used in legitimate extensions for dynamic content rendering. However, its use here raises concerns due to the potential for code injection attacks.
The extension uses postMessage() for cross-origin communication, which could lead to security vulnerabilities if exploited.
Technical: The extension uses postMessage() in the following file: chrome-extension://pocpnlppkickgojjlmhdmidojbmbodfm/background.js (line 789). This introduces a medium-risk vector for security vulnerabilities.
💡 postMessage() is sometimes used in legitimate extensions for cross-origin communication. However, its use here raises concerns due to the potential for security vulnerabilities.
The extension sets up event listeners, which is a common practice in extensions for dynamic content rendering or user interaction.
Technical: The extension uses addEventListener() in the following file: chrome-extension://pocpnlppkickgojjlmhdmidojbmbodfm/background.js (line 321). This introduces an information vector for event handling.
💡 Event listeners are commonly used in legitimate extensions for dynamic content rendering or user interaction. There is no concern here.
The Chromebook Recovery Utili extension has several high-risk behaviors, including the use of eval() and execScript(), which could lead to code injection attacks. Additionally, it uses obfuscation techniques like String.fromCharCode() and charCodeAt(), which could make code harder to analyze. However, its primary purpose is legitimate recovery media creation, and most permissions are aligned with this goal. Users should exercise caution when installing this extension and monitor its behavior closely.