Loom %E2%80%93 Screen Recorder Sc

What This Extension Does

The Loom – Screen Recorder Sc extension allows users to record their screen and camera with one click, sharing the content instantly via a link. It appears to be designed for productivity and communication purposes.

Permissions Explained

• activeTab: Allows the extension to access the currently active tab in the browser.

- Standard for extensions that interact with web pages.

• alarms: Enables the extension to schedule alarms or notifications.

- Unusual for a screen recording extension, but could be used for reminders or notifications related to recordings.

• contextMenus: Allows the extension to add custom context menus to the browser.

- Unusual; typically used by extensions that need to provide actions on specific web page elements.

• cookies: Grants access to cookies stored in the browser.

- Standard for many extensions, especially those interacting with websites or providing services related to browsing history.

• desktopCapture: Enables the extension to capture the user's desktop screen.

- Expected for a screen recording extension.

• scripting: Allows the extension to execute scripts on web pages.

- Unusual; typically used by extensions that need to manipulate web page content programmatically, which is not directly related to screen recording.

• storage: Enables the extension to store data locally in the browser.

- Standard for many extensions, especially those providing services that require storing user preferences or settings.

• system.cpu, system.display: Allows the extension to access system-level information about CPU and display capabilities.

- Unusual; typically used by extensions that need detailed system information for performance optimization or other advanced features not directly related to screen recording.

• tabCapture: Enables the extension to capture screenshots of web pages.

- Expected for a screen recording extension.

• webNavigation, webRequest: Allows the extension to intercept and modify HTTP requests made by the browser.

- Unusual; typically used by extensions that need to monitor or manipulate network traffic, which is not directly related to screen recording.

• <all_urls>: Grants access to all URLs visited in the browser.

- High-risk permission due to its broad scope. Expected for a screen recording extension that needs to capture content from any web page.

• *://.loom.com/: Allows the extension to communicate with Loom's servers.

- Expected for an extension that records and shares content, as it would need to upload recordings.

What We Found in the Code

• [high] eval() used — can execute arbitrary code: This is a high-risk flag because eval() can execute any JavaScript code provided to it. However, without more context, it's difficult to say if this is being used maliciously or for legitimate purposes (e.g., dynamically loading scripts based on user input). Given the extension's purpose and permissions, it seems likely that this could be used for legitimate reasons.
• [info] Makes HTTP requests: This is a normal pattern in web development. Extensions often need to make API calls to their servers for various operations, including uploading recorded content.
• [high] Listens to keyboard events: This can be a high-risk flag if the extension listens to keyboard events on pages outside its UI or uses this information maliciously. However, given the extension's purpose and permissions, it seems likely that this is used for legitimate purposes such as shortcuts within the extension's UI.
• [medium] Potential data exfiltration pattern: This flag suggests a potential issue with how the extension handles data. Without more context, it's hard to say if this is a genuine concern or just a false positive.

External Connections

The extension communicates with various domains including:

• www.w3.org (expected for web development standards)
• github.com, gitlab.com (expected for version control and collaboration tools)
• cdn.loom.com, www.loom.com, support.loom.com, stage.loom.com (expected for the extension's functionality, including uploading recordings)
• Other domains like api.segment.io and dashif.org are less clear without more context but could be related to analytics or other services used by the extension.

Things to Consider

Given the extension's purpose and permissions, it seems that most of its capabilities are aligned with what is expected for a screen recording and sharing tool. The high-risk permissions like <all_urls> and the use of eval() are concerning but could be justified if they're used for legitimate purposes within the context of the extension's functionality. Users should consider whether an extension with such broad access to their browsing data is necessary for its claimed purpose.