Extensity

Name: Security Analysis: Extensity
Item: Extensity
Rating: 1
Author: ChromeBoard

🔍 Security Report Available

👥 300K+ users

📦 v1.14.0

💾 171KiB

📅 2024-09-02

View on Chrome Web Store

Chrome will indicate if you already have this installed.

Blocks unwanted extensions with a single click, letting you quickly enable or disable Google Chrome extensions at will. Ideal for those who want to streamline their browsing experience and minimize distractions, Extensity is particularly useful for individuals who frequently switch between multiple profiles or need to temporarily disable extensions for security reasons. By providing a simple toggle button, Extensity simplifies the process of managing your extensions.

Overview

Tired of having too many extensions in your toolbar? Try Extensity, the ultimate tool for lightning fast enabling and disabling all your extensions for Google Chrome. Just enable the extension when you want to use it, and disable when you want to get rid of it for a little while. You can also launch Chrome Apps right from the list.

* Keep your browser lean and fast - disable extensions that you won't use right away.
* Keep your toolbar clean.
* Turn all extensions off (and back on) with a single click.
* Quick switch between several extensions groups using the Profiles feature.
* Allow your most important extensions to be always enabled.
* Keep computers in sync with Chrome Cloud Storage support.
* Ideal companion for extensions collectors.

Website: https://sergiokas.github.io/Extensity/

Extensity is free software. Full source code at GitHub https://github.com/sergiokas/Extensity

Privacy Practices

✓ Not being sold to third parties, outside of the approved use cases

✓ Not being used or transferred for purposes that are unrelated to the item's core functionality

✓ Not being used or transferred to determine creditworthiness or for lending purposes

v1.14.0 Critical Scanned Feb 22, 2026

Security Analysis — Extensity

Analyzed v1.14.0 · Feb 22, 2026 · 9 JS files · 117 KB scanned

Permissions

Code Patterns Detected

External Connections

github.com knockoutjs.com www.opensource.org www.json.org

Package Contents 23 files · 280KB

▾📁_metadata4KB

{}verified_contents.json4KB

▾📁fonts75KB

🔤fontawesome-webfont.woff275KB

▾📁images29KB

🖼icon128.png11KB

🖼icon16.png2KB

🖼icon48.png5KB

🖼iconbar.png11KB

▾📁js117KB

▾📁libs106KB

📜knockout-3.5.1.js67KBlarge

📜knockout-secure-binding.min.js11KB

📜underscore-min.js19KB

📜underscore.string.min.js9KB

📜engine.js5KB

📜index.js3KB

📜migration.js1KB

📜options.js351B

📜profiles.js2KB

▾📁styles39KB

🎨font-awesome.min.css30KB

🎨index.css4KB

🎨normalize.css2KB

🎨options.css3KB

🌐index.html6KB

{}manifest.json593B

🌐options.html3KB

🌐profiles.html5KB

What This Extension Does

Extensity allows users to quickly enable or disable Chrome extensions and manage profiles, with a focus on browser organization and performance.

Permissions

managementexpected: This permission lets the extension see all installed extensions and control their enabled/disabled status. A user would care because it gives the app broad access to other extensions in their browser, which could be used for tracking or manipulation if misused.
storageexpected: This lets the extension save settings locally on your computer so it remembers how you've configured it. A user would care because this data is stored in Chrome's local storage and could include sensitive configuration details or usage patterns.

Your Data

The extension stores local configuration data but does not appear to transmit personal information externally unless explicitly enabled by the user (e.g., via Chrome Sync). It contacts GitHub for updates and documentation, which may include telemetry or tracking.

Code Findings

Use of Function constructorHigh

The extension uses a method that allows dynamic code execution. While this can be useful for legitimate features like runtime configuration, it also opens up potential security risks if used improperly.

💡 Commonly used for runtime configuration parsing or templating logic in extensions that need flexible behavior without recompilation.

innerHTML assignmentMedium

The extension assigns HTML content directly to an element using innerHTML. This can be risky if the content comes from untrusted sources, as it might allow cross-site scripting (XSS) attacks.

💡 Standard practice when building dynamic interfaces where HTML is generated from structured templates or configuration.

Trustworthiness

Developer: Developer is listed as 'Sergio K.' but no company or verified identity information is provided. Website links to GitHub repository suggest some transparency in source code.
Privacy Policy: No explicit privacy policy was found in the extension manifest or visible on the developer's website, raising concerns about how data might be handled beyond what’s described in the Chrome Web Store listing.
Install Base: Installed by 300,000 users with recent updates suggesting ongoing maintenance.

Bottom Line

This extension appears consistent with its purpose, but the presence of dynamic code execution via Function constructor raises a red flag that could allow arbitrary behavior if exploited. Users should exercise caution and monitor for unexpected changes in their browser settings or performance.

Extension Overview

Extensity allows users to quickly enable or disable Chrome extensions and manage profiles, with a focus on browser organization and performance.

Permissions

managementexpected: Exposes Chrome's management API allowing enumeration of all installed extensions, modification of their state (enable/disable), and retrieval of metadata such as names, IDs, versions, and icons. An attacker with access to this permission can potentially disable security-relevant extensions or monitor user behavior by observing extension changes.
storageexpected: Grants access to Chrome's storage API for persistent key-value pairs, including sync and local storage areas. Data may include extension settings, profile configurations, and potentially user preferences that reflect browsing habits. If compromised, this data can be used to reconstruct user behavior or manipulate the extension’s operation.

Data Exposure (Technical)

Contacts external domains including github.com, knockoutjs.com, www.opensource.org, and www.json.org. Data transmission includes potential metadata about extension usage, version checks, and possibly anonymized analytics if integrated with third-party services like Google Analytics (not confirmed). No explicit HTTP endpoints are observed for sending user data; however, network activity is not fully restricted by CSP.

Code Findings

Use of Function constructorHigh

Detected use of the JavaScript Function constructor in background script context. This pattern enables dynamic evaluation of strings as executable code and is often associated with obfuscation or sandbox escape techniques. If attacker-controlled input reaches this point, it could allow arbitrary code execution within the extension's scope.

💡 Commonly used for runtime configuration parsing or templating logic in extensions that need flexible behavior without recompilation.

innerHTML assignmentMedium

Detected use of innerHTML assignment in background script context, likely for rendering UI elements dynamically. If any user-provided or remote data flows into this assignment without sanitization, an attacker could inject malicious scripts that execute within the extension's environment.

💡 Standard practice when building dynamic interfaces where HTML is generated from structured templates or configuration.

Code Analysis

Obfuscation: Code appears to be standard minified JavaScript with no heavy obfuscation techniques such as control flow flattening, string encoding, or identifier mangling. This makes it relatively easy for security researchers to analyze.
Content Security Policy: Content Security Policy is not set in the manifest or headers, meaning that inline scripts and eval-based execution are allowed by default — a significant concern given the presence of Function constructor usage.
Architecture: Uses Manifest V3 architecture with background service worker. No content scripts are present; all interactions occur through background logic and UI components rendered via injected HTML (via innerHTML). The extension relies on Chrome APIs for management and storage, which aligns with its stated purpose.

Transparency

Developer: Developer is listed as 'Sergio K.' but no company or verified identity information is provided. Website links to GitHub repository suggest some transparency in source code.
Privacy Policy: No explicit privacy policy was found in the extension manifest or visible on the developer's website, raising concerns about how data might be handled beyond what’s described in the Chrome Web Store listing.
Code Visibility: Source code is publicly available at https://github.com/sergiokas/Extensity/, which supports independent auditing and verification of behavior against claims made by the extension.
Install Base: Installed by 300,000 users with recent updates suggesting ongoing maintenance.

Researcher Assessment

The extension exposes significant attack surface through use of Chrome's management API and insecure handling of HTML rendering (innerHTML). The presence of the Function constructor combined with missing CSP creates a high-risk vector for code injection. While most functionality aligns with stated goals, the lack of proper security controls around dynamic evaluation warrants further manual inspection to confirm whether inputs are sanitized or if there’s an exploitable path in background scripts.