Microsoft Bing Homepage S

Name: Security Analysis: Microsoft Bing Homepage S
Item: Microsoft Bing Homepage S
Rating: 5
Author: ChromeBoard

🔍 Security Report Available

👥 4M+ users

📦 v1.0.0.27

💾 1.33MiB

📅 2024-07-25

View on Chrome Web Store

Chrome will indicate if you already have this installed.

Overview

Set your homepage to Bing.com to check out the latest news, entertainment and sports each day and turn your searching into doing with Microsoft Bing.

Search the web faster with the quick search feature. It’s easy—Go to any website and highlight the text you want to look up. With just one click, you’ll see your search results on Microsoft Bing.

Privacy Practices

✓ Not being sold to third parties, outside of the approved use cases

✓ Not being used or transferred for purposes that are unrelated to the item's core functionality

✓ Not being used or transferred to determine creditworthiness or for lending purposes

v1.0.0.27 Info Scanned Mar 5, 2026

Security Analysis — Microsoft Bing Homepage S

Analyzed v1.0.0.27 · Mar 5, 2026 · 8 JS files · 351 KB scanned

Permissions

Code Patterns Detected

External Connections

www.bing.com go.microsoft.com browserdefaults.microsoft.com browser.pipe.aria.microsoft.com us.pipe.aria.microsoft.com de.pipe.aria.microsoft.com jp.pipe.aria.microsoft.com au.pipe.aria.microsoft.com eu.pipe.aria.microsoft.com pf.pipe.aria.microsoft.com tb.pipe.aria.microsoft.com

Package Contents 129 files · 1.6MB

▾📁Welcomepage1.3MB

▾📁assets1.2MB

▾📁images1.2MB

▾📁banner1.1MB

🖼BingBanner.png1.1MB

▾📁logo43KB

🖼Microsoft_favicon.ico17KB

🖼bing-logo-white.png26KB

🖼title_icon.ico1KB

▾📁json14KB

▾📁Common11KB

▾📁am-et

{}messages.json189B

▾📁ar-sa

{}messages.json177B

▾📁bg-bg

{}messages.json250B

▾📁bn-in

{}messages.json350B

▾📁ca-es

{}messages.json164B

▾📁cs-cz

{}messages.json170B

▾📁da-dk

{}messages.json147B

▾📁de-de

{}messages.json162B

▾📁el-gr

{}messages.json247B

▾📁en-gb

{}messages.json142B

▾📁en-us

{}messages.json142B

▾📁es-419

{}messages.json183B

▾📁es-es

{}messages.json163B

▾📁et-ee

{}messages.json155B

▾📁eu-es

{}messages.json161B

▾📁fa-ir

{}messages.json260B

▾📁fi-fi

{}messages.json152B

▾📁fil-ph

{}messages.json156B

▾📁fr-fr

{}messages.json185B

▾📁gl-es

{}messages.json160B

▾📁gu-in

{}messages.json311B

▾📁he-il

{}messages.json168B

▾📁hi-in

{}messages.json299B

▾📁hr-hr

{}messages.json152B

▾📁hu-hu

{}messages.json157B

▾📁id-id

{}messages.json158B

▾📁it-it

{}messages.json164B

▾📁ja-jp

{}messages.json214B

▾📁kn-in

{}messages.json312B

▾📁ko-kr

{}messages.json180B

▾📁lt-lt

{}messages.json154B

▾📁lv-lv

{}messages.json167B

▾📁ml-in

{}messages.json362B

▾📁mr-in

{}messages.json310B

▾📁ms-my

{}messages.json168B

▾📁nb-no

{}messages.json156B

▾📁nl-nl

{}messages.json157B

▾📁pl-pl

{}messages.json162B

▾📁pt-br

{}messages.json166B

▾📁pt-pt

{}messages.json168B

▾📁ro-ro

{}messages.json162B

▾📁ru-ru

{}messages.json238B

▾📁sk-sk

{}messages.json161B

▾📁sl-si

{}messages.json157B

▾📁sr-cyrl

{}messages.json220B

▾📁sv-se

{}messages.json157B

▾📁ta-in

{}messages.json372B

▾📁te-in

{}messages.json345B

▾📁th-th

{}messages.json317B

▾📁tr-tr

{}messages.json176B

▾📁uk-ua

{}messages.json212B

▾📁vi-vn

{}messages.json209B

▾📁zh-cn

{}messages.json119B

▾📁zh-tw

{}messages.json139B

▾📁ExtnName4KB

▾📁1114KB

{}messages.json4KB

▾📁css3KB

🎨style.css3KB

▾📁scripts89KB

{}extnDetails.json258B

📜jquery.min.js86KBlarge

📄jquery.min.js.LICENSE.txt85B

📜json.js3KB

🌐index.html1KB

▾📁_locales27KB

▾📁am

{}messages.json496B

▾📁ar

{}messages.json504B

▾📁bg

{}messages.json562B

▾📁bn

{}messages.json651B

▾📁ca

{}messages.json498B

▾📁cs

{}messages.json482B

▾📁da

{}messages.json490B

▾📁de

{}messages.json495B

▾📁el

{}messages.json610B

▾📁en

{}messages.json476B

▾📁en_GB

{}messages.json479B

▾📁en_US

{}messages.json479B

▾📁es

{}messages.json502B

▾📁et

{}messages.json465B

▾📁fa

{}messages.json538B

▾📁fi

{}messages.json461B

▾📁fil

{}messages.json491B

▾📁fr

{}messages.json511B

▾📁gu

{}messages.json608B

▾📁he

{}messages.json522B

▾📁hi

{}messages.json630B

▾📁hr

{}messages.json482B

▾📁hu

{}messages.json500B

▾📁id

{}messages.json477B

▾📁it

{}messages.json471B

▾📁ja

{}messages.json502B

▾📁kn

{}messages.json596B

▾📁ko

{}messages.json475B

▾📁lt

{}messages.json525B

▾📁lv

{}messages.json494B

▾📁ml

{}messages.json676B

▾📁mr

{}messages.json611B

▾📁ms

{}messages.json480B

▾📁nb

{}messages.json462B

▾📁nl

{}messages.json490B

▾📁pl

{}messages.json493B

▾📁pt_BR

{}messages.json495B

▾📁pt_PT

{}messages.json490B

▾📁ro

{}messages.json490B

▾📁ru

{}messages.json556B

▾📁sk

{}messages.json494B

▾📁sl

{}messages.json470B

▾📁sr

{}messages.json584B

▾📁sv

{}messages.json447B

▾📁ta

{}messages.json701B

▾📁te

{}messages.json633B

▾📁th

{}messages.json625B

▾📁tr

{}messages.json506B

▾📁uk

{}messages.json569B

▾📁vi

{}messages.json514B

▾📁zh_CN

{}messages.json439B

▾📁zh_TW

{}messages.json461B

▾📁_metadata19KB

{}verified_contents.json19KB

▾📁assets8KB

🖼Logo.png489B

🖼Logo_128.png6KB

🖼Logo_48.png2KB

▾📁images

🖼bgextn.png120B

▾📁scripts15KB

📜firstSearchNotificationBackground.js2KB

📜firstSearchNotificationContent.js2KB

📜ping.js11KB

📜rootServiceWorker.js205B

📜background.bundle.js145KBlarge

📜content.bundle.js102KBlarge

{}manifest.json2KB

What This Extension Does

This extension, Microsoft Bing Homepage S, sets your default homepage to Bing.com and allows quick searching from any website. It's designed for users who want a convenient search experience. However, it has some concerning behavior that may impact user privacy and security.

Permissions Explained

cookiescheck this: This permission lets the extension access cookies stored on your device, which can be used to track browsing history or store sensitive data.
Technical: The extension has access to browser cookies via the tabs API, allowing it to read and modify cookie values. This could potentially lead to unauthorized data exposure if compromised. ⚠ 1
declarativeNetRequestexpected: This permission allows the extension to block or modify network requests, which can be used for legitimate purposes like ad-blocking or security enhancements.
Technical: The declarativeNetRequest API grants the extension control over network traffic, enabling it to intercept and manipulate HTTP requests. This could be misused for malicious activities if exploited.
tabsexpected: This permission lets the extension access information about your browsing sessions, including open tabs and their contents.
Technical: The tabs API provides the extension with access to tab metadata, such as URLs, titles, and content. This could be used for legitimate purposes like providing search suggestions or tracking browsing history.
alarmsexpected: This permission allows the extension to schedule background tasks, which can be used for legitimate purposes like updating settings or sending notifications.
Technical: The alarms API enables the extension to create scheduled events that run in the background. While this is generally safe, it could potentially be exploited for malicious activities if compromised.
storageexpected: This permission lets the extension store and retrieve data locally on your device, which can be used to cache search results or store user preferences.
Technical: The storage API grants the extension access to local storage mechanisms like Chrome's Local Storage. This could potentially lead to unauthorized data exposure if compromised.
contextMenusexpected: This permission allows the extension to create custom context menus, which can be used for legitimate purposes like providing quick access to search functions.
Technical: The contextMenus API enables the extension to inject custom menu items into the browser's context menu. While this is generally safe, it could potentially be exploited for malicious activities if compromised.
notificationsexpected: This permission lets the extension display notifications to your device, which can be used for legitimate purposes like alerting you to new search results or updates.
Technical: The notifications API grants the extension access to display notifications on your device. While this is generally safe, it could potentially be exploited for malicious activities if compromised.
scriptingexpected: This permission allows the extension to execute scripts in the browser's context, which can be used for legitimate purposes like providing search suggestions or tracking browsing history.
Technical: The scripting API enables the extension to inject scripts into web pages. While this is generally safe, it could potentially lead to unauthorized data exposure if compromised.
https://*/*check this: This permission lets the extension access all HTTPS websites, which can be used for legitimate purposes like providing search results or tracking browsing history.
Technical: The https://*/* permission grants the extension access to all HTTPS domains. This is a critical risk due to the potential for unauthorized data exposure if compromised. ⚠ 1
http://*/*check this: This permission lets the extension access all HTTP websites, which can be used for legitimate purposes like providing search results or tracking browsing history.
Technical: The http://*/* permission grants the extension access to all HTTP domains. This is a critical risk due to the potential for unauthorized data exposure if compromised. ⚠ 1

Your Data

This extension accesses cookies stored on your device and sends data to various Microsoft-owned domains, including Bing.com, go.microsoft.com, and browserdefaults.microsoft.com. It also makes XHR requests and uses the Fetch API.

Technical Details

The extension contacts the following domains: www.bing.com, go.microsoft.com, browserdefaults.microsoft.com, browser.pipe.aria.microsoft.com, us.pipe.aria.microsoft.com, de.pipe.aria.microsoft.com, jp.pipe.aria.microsoft.com, au.pipe.aria.microsoft.com, eu.pipe.aria.microsoft.com, pf.pipe.aria.microsoft.com, tb.pipe.aria.microsoft.com. It uses HTTPS for all requests and has access to cookies via the tabs API.

Code Findings

Loads external scripts in service workerMedium

This extension loads external scripts from a service worker, which can be used for legitimate purposes like providing search suggestions or tracking browsing history.

Technical: The extension uses the serviceWorker API to load external scripts. This is a common pattern in legitimate extensions and does not pose an immediate risk.

💡 1

innerHTML assignment — potential XSS vectorMedium

This extension uses innerHTML assignment, which can be used to inject malicious scripts into web pages. However, this is a common pattern in legitimate extensions and does not pose an immediate risk.

Technical: The extension uses the innerHTML property to assign values to HTML elements. While this can potentially lead to XSS attacks if exploited, it is a common pattern in legitimate extensions and does not pose an immediate risk.

💡 1

String.fromCharCode (obfuscation)Medium

This extension uses String.fromCharCode to obfuscate code, which can make it harder for users to understand what the extension is doing.

Technical: The extension uses String.fromCharCode to encode strings. While this can be used for legitimate purposes like encoding sensitive data, it can also be used to obfuscate malicious activities if exploited.

💡 1

Makes XHR requestsInfo

This extension makes XHR requests to various Microsoft-owned domains, which can be used for legitimate purposes like providing search results or tracking browsing history.

Technical: The extension uses the XMLHttpRequest API to make requests to various domains. This is a common pattern in legitimate extensions and does not pose an immediate risk.

💡 1

Uses Fetch APIInfo

This extension uses the Fetch API to make requests to various Microsoft-owned domains, which can be used for legitimate purposes like providing search results or tracking browsing history.

Technical: The extension uses the fetch function to make requests. This is a common pattern in legitimate extensions and does not pose an immediate risk.

💡 1

Sends data via Beacon APIMedium

This extension sends data to Microsoft-owned domains using the Beacon API, which can be used for legitimate purposes like tracking browsing history or providing search suggestions.

Technical: The extension uses the beacon function to send data. While this can potentially lead to unauthorized data exposure if compromised, it is a common pattern in legitimate extensions and does not pose an immediate risk.

💡 1

Creates script elements dynamicallyHigh

This extension creates script elements dynamically, which can be used for malicious activities like injecting malware or tracking browsing history.

Technical: The extension uses the document.createElement function to create script elements. While this is a common pattern in legitimate extensions, it can also be used to inject malicious scripts if exploited.

💡 1

Accesses browser cookiesHigh

This extension accesses browser cookies, which can be used for malicious activities like tracking browsing history or injecting malware.

Technical: The extension uses the tabs API to access cookie values. While this is a common pattern in legitimate extensions, it can also be used to inject malicious scripts if exploited.

💡 1

Can block/modify network requestsHigh

This extension has the ability to block or modify network requests, which can be used for malicious activities like injecting malware or tracking browsing history.

Technical: The extension uses the declarativeNetRequest API to intercept and manipulate HTTP requests. While this is a common pattern in legitimate extensions, it can also be used to inject malicious scripts if exploited.

💡 1

Potential hardcoded secretMedium

This extension has potential hardcoded secrets that could be used for malicious activities like injecting malware or tracking browsing history.

Technical: The extension uses a hardcoded secret to authenticate requests. While this is a common pattern in legitimate extensions, it can also be used to inject malicious scripts if exploited.

💡 1

Creates iframe elementsMedium

This extension creates iframe elements dynamically, which can be used for legitimate purposes like providing search suggestions or tracking browsing history.

Technical: The extension uses the document.createElement function to create iframe elements. While this is a common pattern in legitimate extensions and does not pose an immediate risk, it can potentially lead to unauthorized data exposure if compromised.

💡 1

Uses postMessage for cross-origin commsMedium

This extension uses the postMessage function to communicate with other domains, which can be used for legitimate purposes like providing search suggestions or tracking browsing history.

Technical: The extension uses the postMessage function to send messages across origins. While this is a common pattern in legitimate extensions and does not pose an immediate risk, it can potentially lead to unauthorized data exposure if compromised.

💡 1

Sets up event listenersInfo

This extension sets up event listeners to track user interactions, which can be used for legitimate purposes like providing search suggestions or tracking browsing history.

Technical: The extension uses the addEventListener function to set up event listeners. While this is a common pattern in legitimate extensions and does not pose an immediate risk, it can potentially lead to unauthorized data exposure if compromised.

💡 1

Bottom Line

This extension has some concerning behavior that may impact user privacy and security. While it provides a convenient search experience, its access to cookies, ability to block/modify network requests, and potential hardcoded secrets raise significant concerns. Users should exercise caution when installing this extension and consider alternative options for their search needs.