Hbo Max Extended Tools To
Overview
Useful tool to fix your HBO Max watching experience: adjust playback speed, hide mouse cursor, rotate screen, make custom subtitles.
Security Analysis — Hbo Max Extended Tools To
Package Contents: 31 files · 1.3MB
What This Extension Does
Hbo Max Extended Tools To is a browser extension designed to enhance the HBO Max streaming experience by allowing users to adjust playback speed, hide cursors, rotate screens, and customize subtitles. It operates primarily within the HBO Max ecosystem but requests broad permissions that extend beyond its stated functionality. While it offers legitimate utility for power users, its network activity and code behavior warrant scrutiny regarding data privacy and potential security vectors.
Permissions Explained
- *://*.hbomax.com/* (expected): This permission allows the extension to read and modify any content on HBO Max websites. It is necessary for injecting subtitle changes or altering playback controls, but it also means the extension can see every video you watch.
  Technical: Accesses the full DOM of hbomax.com subdomains. If compromised, an attacker could exfiltrate viewing history, session tokens, and potentially inject malicious scripts into the player interface.
- *://*.max.com/* (expected): This grants access to Max's broader domain infrastructure. While likely needed for API calls or account verification, it expands the scope of data accessible beyond just the video player.
  Technical: Accesses *.max.com subdomains including API endpoints (default.prd.api.max.com). Risk includes potential interception of authentication flows or access to user profile data hosted on these domains.
- storage (expected): Allows the extension to save your settings (like playback speed preferences) and remember them between sessions.
  Technical: Uses chrome.storage.sync or local storage. If a malicious actor gains access to the extension, they can read/write these values. Generally low risk unless combined with other vulnerabilities.
- unlimitedStorage (check this): Permits saving large amounts of data locally, which might be used for caching or storing extensive subtitle configurations.
  Technical: Bypasses the 5MB limit on local storage. Increases the attack surface if the extension is hijacked, as more sensitive data could theoretically be stored here. ⚠ The stated features (speed, subtitles) do not require unlimited storage; standard limits are sufficient for user preferences.
- alarms (check this): Enables the extension to set timers or notifications, potentially used for reminders or scheduled actions.
  Technical: Uses chrome.alarms API. Minimal data exposure risk, but allows background execution triggers which could be abused for persistence if the service worker is compromised. ⚠ No stated feature explicitly requires alarms; this permission appears unnecessary for playback modification tools.
Your Data
The extension communicates with HBO Max API endpoints to function correctly and sends telemetry data to third-party analytics services like 'metricsmint.quest'. It also fetches resources from GitHub and Wikipedia, suggesting it may download external scripts or documentation dynamically.
Technical Details
Code Findings
The extension has the ability to record what you type. This is a major privacy risk because it could capture passwords, search queries, or personal messages if misused.
Technical: Code behavior analysis indicates '[critical] Captures keystrokes'. This typically involves listening to 'keydown' or 'keypress' events on input fields. If the extension logic is flawed or compromised, this data can be logged locally or sent to a remote server.
The extension loads scripts from outside sources (like GitHub) to run its background tasks. If these external files are malicious, they could execute code on your computer without you knowing.
Technical: Behavior: '[high] Loads external scripts in service worker'. The service worker fetches and executes code from 'github.com' and other domains. This bypasses Chrome's strict CSP for the extension itself if not carefully managed, creating a supply chain attack vector.
💡 Legitimate extensions sometimes load helper libraries or update logic from CDNs to reduce bundle size.
The extension modifies web pages by inserting HTML content directly. If it accepts user input without checking it first, hackers could inject malicious code that steals your data.
Technical: Code pattern: '[medium] innerHTML assignment'. This is a classic XSS vector. Combined with '[medium] String.fromCharCode' and '[medium] charCodeAt', the developer may be obfuscating strings to evade detection or filter rules, which often accompanies insecure coding practices.
💡 innerHTML is standard for injecting dynamic UI elements like custom subtitles or overlay controls.
The extension asks for more storage space than it likely needs to save your settings. This doesn't directly harm you but gives a bad actor more room to hide if they break in.
Technical: Permissions: 'storage', 'unlimitedStorage'. Usage: '[medium] Monitors storage changes'. The extension watches for changes to its own storage, which is normal, but the 'unlimited' flag expands the potential data volume.
💡 Extensions often request unlimited storage to cache large assets or complex configuration objects.
The extension does not have strict security rules preventing it from loading bad code. This makes it easier for hackers to trick the extension into running unwanted scripts.
Technical: 'Content Security Policy: not set'. Without a CSP, the service worker and content scripts can execute any script loaded via fetch or injection, regardless of source integrity.
While Hbo Max Extended Tools To provides useful features for modifying the streaming experience, it presents significant security risks that outweigh its benefits for the average user. The combination of critical keystroke capture capabilities, high-risk external script loading from GitHub, and unnecessary broad permissions suggests poor security hygiene and potential data exfiltration vectors. We recommend users avoid installing this extension or strictly limit its permissions via browser flags if they choose to proceed, understanding that their typing activity and viewing habits may be monitored.