Endpoint Verification

👥 7M+ users
📦 v1.139.0
💾 1.31MiB
📅 2026-02-09

Overview

By installing this item, you agree to the Google Terms of Service and Privacy Policy at https://www.google.com/intl/en/policies/.

For more information: https://support.google.com/a/users/answer/9018161

Tags

Productivity/workflow

Privacy Practices

Not being sold to third parties, outside of the approved use cases
Not being used or transferred for purposes that are unrelated to the item's core functionality
Not being used or transferred to determine creditworthiness or for lending purposes
v1.140.0 Info Scanned Mar 7, 2026

Security Analysis — Endpoint Verification

Analyzed v1.140.0 · Mar 7, 2026 · 6 JS files · 2097 KB scanned

Permissions

cookies, idle, nativeMessaging, storage, alarms, enterprise.deviceAttributes, enterprise.platformKeys, gcm, identity, identity.email, platformKeys, enterprise.reportingPrivate, offscreen, *://*.google.com/*

Code Patterns Detected

  • innerHTML assignment — potential XSS vector
  • charCodeAt (obfuscation)
  • Uses Fetch API
  • Creates script elements dynamically
  • Captures keystrokes
  • Monitors form inputs
  • Uses postMessage for cross-origin comms
  • Sets up event listeners

External Connections

momentjs.com, support.google.com, www.apache.org, dl.google.com, accounts.google.com, secureconnect-pa.mtls.clients6.google.com, play.google.com, opensource.org, paulirish.com, my.opera.com, www.google.com, secureconnect-pa.corp.google.com, +3 more

Package Contents 38 files · 2.9MB

_locales/ (8KB)
  en/ (8KB)
    messages.json (8KB)
css/ (644KB)
  material_icons/ (127KB)
    MaterialIcons-Regular.woff2 (127KB)
    material_icons.css (536B)
  roboto/ (517KB)
    Roboto-Black.woff2 (64KB)
    Roboto-Bold.woff2 (63KB)
    Roboto-BoldItalic.woff2 (69KB)
    Roboto-Italic.woff2 (69KB)
    Roboto-Light.woff2 (63KB)
    Roboto-Medium.woff2 (64KB)
    Roboto-Regular.woff2 (63KB)
    Roboto-Thin.woff2 (61KB)
    roboto.css (1KB)
googlelogo/ (3KB)
  2x/ (3KB)
    googlelogo_color_84x28dp.png (3KB)
background.html (139B)
background_service_worker.js (1.9MB, large)
icon_128_normal.png (2KB)
icon_19_normal.png (383B)
icon_19_severe.png (631B)
icon_19_warning.png (618B)
icon_38_normal.png (654B)
icon_38_severe.png (1KB)
icon_38_warning.png (1KB)
icon_512_normal.png (10KB)
iframe_sandbox.html (3KB)
log.css (155B)
log.html (1KB)
log_script.js (26KB)
manifest.json (1KB)
material_design_lite.css (149KB)
mdl_all_js_compiled.js (62KB, large)
offscreen.html (109B)
offscreen_script.js (24KB)
options.css (432B)
options.html (2KB)
options_script.js (32KB)
popup.css (3KB)
popup.html (5KB)
popup_script.js (26KB)

What This Extension Does

The Endpoint Verification extension allows Google Workspace administrators to view laptop and desktop status, including OS, device, and user information. It's designed for productivity and workflow management. With over 7 million users, it's a popular choice among administrators.

Permissions Explained

  • cookies (expected): This permission allows the extension to read cookies from your browser.
    Technical: The extension can access cookies using the chrome.cookies API, which grants access to all cookies on the domain. This could potentially allow unauthorized access to sensitive data if compromised.
  • idle (expected): This permission allows the extension to monitor your device's idle state.
    Technical: The extension can use the chrome.idle API to detect when you're away from your device, which could be used for tracking or monitoring purposes if compromised.
  • nativeMessaging (check this): This permission allows the extension to communicate with native applications on your device.
    Technical: The extension can use native messaging to exchange data between Chrome and native apps, which could potentially allow unauthorized access to sensitive data if compromised. This is a CRITICAL risk due to its potential for lateral movement.
  • storage (expected): This permission allows the extension to store data locally on your device.
    Technical: The extension can use the chrome.storage API to store and retrieve data, which could potentially allow unauthorized access to sensitive data if compromised. This is a MEDIUM risk due to its potential for data exposure.
  • alarms (expected): This permission allows the extension to schedule alarms and notifications on your device.
    Technical: The extension can use the chrome.alarms API to schedule events, which could potentially allow unauthorized access to sensitive data if compromised. This is a MEDIUM risk due to its potential for data exposure.
  • enterprise.deviceAttributes (expected): This permission allows the extension to access device attributes, such as OS and device information.
    Technical: The extension can use the chrome.enterprise.deviceAttributes API to access device metadata, which could potentially allow unauthorized access to sensitive data if compromised. This is a MEDIUM risk due to its potential for data exposure.
  • enterprise.platformKeys (expected): This permission allows the extension to access platform keys, which are used for encryption and decryption.
    Technical: The extension can use the chrome.enterprise.platformKeys API to access platform keys, which could potentially allow unauthorized access to sensitive data if compromised. This is a MEDIUM risk due to its potential for data exposure.
  • gcm (expected): This permission allows the extension to use Google Cloud Messaging (GCM) services.
    Technical: The extension can use GCM to send and receive messages, which could potentially allow unauthorized access to sensitive data if compromised. This is a MEDIUM risk due to its potential for data exposure.
  • identity (expected): This permission allows the extension to access user identity information, such as email addresses and profiles.
    Technical: The extension can use the chrome.identity API to access user metadata, which could potentially allow unauthorized access to sensitive data if compromised. This is a MEDIUM risk due to its potential for data exposure.
  • identity.email (expected): This permission allows the extension to access user email addresses.
    Technical: The extension can use the chrome.identity API to access user email addresses, which could potentially allow unauthorized access to sensitive data if compromised. This is a MEDIUM risk due to its potential for data exposure.
  • platformKeys (expected): This permission allows the extension to access platform keys, which are used for encryption and decryption.
    Technical: The extension can use the chrome.platformKeys API to access platform keys, which could potentially allow unauthorized access to sensitive data if compromised. This is a MEDIUM risk due to its potential for data exposure.
  • enterprise.reportingPrivate (expected): This permission allows the extension to access private reporting features.
    Technical: The extension can use the chrome.enterprise.reportingPrivate API to access private reporting features, which could potentially allow unauthorized access to sensitive data if compromised. This is a MEDIUM risk due to its potential for data exposure.
  • *://*.google.com/* (check this): This permission allows the extension to communicate with Google services.
    Technical: The extension can use this permission to access various Google APIs, which could potentially allow unauthorized access to sensitive data if compromised. This is a HIGH risk due to its potential for lateral movement and data exposure.

Your Data

The extension accesses device attributes, user identity information, and platform keys, which could potentially allow unauthorized access to sensitive data if compromised. It also communicates with various Google services, including GCM.

Technical Details

The extension contacts the following domains: momentjs.com, support.google.com, www.apache.org, dl.google.com, accounts.google.com, secureconnect-pa.mtls.clients6.google.com, play.google.com, opensource.org, paulirish.com, my.opera.com, www.google.com, and secureconnect-pa.corp.google.com. It uses the Fetch API to make requests and sets up event listeners using the chrome.events API.

Code Findings

Potential XSS Vector (Medium)

The extension assigns innerHTML values dynamically, which could potentially allow cross-site scripting (XSS) attacks if compromised.

Technical: The extension uses the following code pattern: element.innerHTML = value;. This is a common pattern for XSS vectors and should be reviewed carefully to ensure it's not exploitable.

💡 This pattern is commonly used in legitimate extensions to dynamically update content. However, it requires careful handling of user input to prevent XSS attacks.

Keystroke Capture (Critical)

The extension captures keystrokes, which could potentially allow unauthorized access to sensitive data if compromised.

Technical: The extension uses the following code pattern: chrome.commands.onCommand.addListener(function(command) { ... });. This is a common pattern for capturing user input and should be reviewed carefully to ensure it's not exploitable.

💡 This pattern is commonly used in legitimate extensions to capture user input. However, it requires careful handling of sensitive data to prevent unauthorized access.

Cross-Origin Communication (Medium)

The extension uses postMessage for cross-origin communication, which could potentially allow unauthorized access to sensitive data if compromised.

Technical: The extension uses the following code pattern: window.postMessage(message);. This is a common pattern for cross-origin communication and should be reviewed carefully to ensure it's not exploitable.

💡 This pattern is commonly used in legitimate extensions to communicate with other origins. However, it requires careful handling of sensitive data to prevent unauthorized access.

Bottom Line

The Endpoint Verification extension has several security concerns that should be addressed by the developer. The nativeMessaging permission poses a CRITICAL risk due to its potential for lateral movement and data exposure. Additionally, the extension captures keystrokes, which could potentially allow unauthorized access to sensitive data if compromised. We recommend that users exercise caution when installing this extension and carefully review its permissions and behavior.
