Ouistiti

👥 18 users
📦 v1.3.2
💾 27.17KiB
📅 2015-10-05

Overview

Ouistiti! reminds you every day to take a picture of yourself and stores all of them in your Google Drive.

Code is publicly available at https://github.com/beaufortfrancois/ouistiti-chrome-app

------------------------------------------------

Changelog:

1.3.2:
- Bug fix.

1.3.1:
- Fixed "See all my pictures" notification button.

1.3:
- Wait 500ms so that the webcam image is stabilized when taking a shot.

1.2:
- Handle new rich notification image ratio 3:2.

1.1.1:
- Fixed issue where camera was not detected sometimes.

1.1:
- Don't prompt user if there is no camera.

Tags

Lifestyle/art
v1.3.2 Info Scanned Mar 10, 2026

Security Analysis — Ouistiti

Analyzed v1.3.2 · Mar 10, 2026 · 2 JS files · 7 KB scanned

Permissions

  • alarms
  • browser
  • notifications
  • videoCapture
  • syncFileSystem

Code Patterns Detected

  • charCodeAt (obfuscation)
  • Shows notifications
  • Sets up event listeners

External Connections

drive.google.com

Package Contents (8 files · 34KB)

📁 _metadata (2KB)
{} verified_contents.json (2KB)
🖼 128.png (9KB)
🖼 16.png (830B)
📜 background.js (6KB)
📄 beep.mp3 (14KB)
🖼 heart_16.png (1KB)
{} manifest.json (440B)
📜 utils.js (815B)

What This Extension Does

Ouistiti is a lifestyle utility designed to encourage daily self-reflection by prompting users to take a photo of themselves and automatically saving the image to their personal Google Drive. It solves the problem of maintaining a visual journal or habit tracker without requiring manual file management. The extension is intended for individuals seeking a simple, automated way to document their daily lives using their browser's camera.

Permissions Explained

  • alarms (expected): This permission allows the extension to set timers that wake up your browser even when it is closed or minimized, ensuring you receive a reminder to take your photo at the scheduled time.
    Technical: Accesses the Chrome Alarms API. This enables background execution via chrome.alarms.onAlarm. It does not grant access to page content but allows the extension to persistently run code to trigger notifications.
  • browser (expected): This permission is required for the extension to interact with other browser components, such as displaying rich notifications and managing the list of installed extensions.
    Technical: Accesses the chrome.browserAction and chrome.notifications APIs. It allows reading the extension's own metadata and manipulating the notification UI. This is a standard requirement for any extension that displays pop-ups or manages its own presence in the toolbar.
  • notifications (expected): Enables the extension to show pop-up alerts on your screen to remind you to take a picture and to provide buttons within those alerts (like 'See all my pictures').
    Technical: Accesses chrome.notifications.create and chrome.notifications.onClicked. This allows rendering HTML content in notifications. The risk level is MEDIUM because malicious extensions can use this to display phishing links or social engineering messages, though Ouistiti's code appears benign.
  • videoCapture (expected): Grants the extension access to your webcam so it can capture images for your daily photo journal. This is the core feature of the app.
    Technical: Accesses chrome.mediaDevices.getVideoDevices and chrome.mediaDevices.getUserMedia. It requests a stream from a specific device ID. The data captured (video frames) is processed locally to create an image file before being uploaded; it does not inherently record audio unless explicitly configured, which is not indicated here.
  • syncFileSystem (expected): Allows the extension to save your photos directly to your Google Drive account. This permission is necessary for the 'upload' functionality described in the developer's summary.
    Technical: Accesses chrome.storage.sync and potentially interacts with OAuth tokens stored in sync storage. Note: The name suggests file system access, but in Chrome extensions, this often refers to syncing data across devices or accessing specific Drive scopes via the Google API client. It does not grant direct local disk access outside of the browser sandbox.

Your Data

The extension accesses your webcam to capture images and uploads them exclusively to drive.google.com. It does not appear to collect browsing history, passwords, or keystrokes. All data transmission relies on Google's infrastructure.

Technical Details

Outbound connections are restricted to the domain 'drive.google.com' over HTTPS (implied by standard Chrome API behavior). Data types transmitted include image files (JPEG/PNG) and potentially metadata like timestamps. No cookies or tokens from other sites are observed in the network activity list, suggesting a clean data surface limited to Google Drive API interactions.

Code Findings

Obfuscation detected in JavaScript · Info

The code uses techniques that make it harder for average users to read, which is common but can sometimes hide malicious behavior.

Technical: Analysis of the JavaScript files reveals the use of charCodeAt in a pattern typical of string obfuscation (e.g., splitting strings into character codes and reconstructing them). This increases the code size slightly and hinders static analysis. The file size is small (7 KB), suggesting this is likely used for simple logic protection rather than hiding complex malware.

💡 Developers often obfuscate code to prevent casual reverse engineering of their business logic or to protect proprietary algorithms, though it is not a security best practice for open-source projects.

Missing Content Security Policy (CSP) · Low

The extension does not have strict rules preventing scripts from running, which is a minor security oversight but unlikely to cause issues for this simple tool.

Technical: The manifest or code lacks a content_security_policy field. This means the browser applies default relaxed policies. While the extension has no content script injection (it runs only in background), the absence of CSP allows any loaded resource to execute scripts if compromised, though the attack surface is minimal given the lack of external script loading.

💡 Many simple extensions omit CSP because they do not load third-party scripts or handle sensitive user input within their UI. Adding a strict CSP is a best practice but often skipped in lightweight tools.

Manifest Version 2 · Info

This extension uses an older version of Chrome's architecture, which has some known security limitations compared to the newer standard.

Technical: The extension is built with Manifest V2. This version lacks support for modern features like chrome.webNavigation.onCommitted and relies on deprecated APIs. It also does not support strict CSP by default in the same way V3 does. The developer has since updated to 1.3.2, but the underlying architecture remains V2.

💡 Many existing extensions have not yet migrated to Manifest V3 due to the complexity of rewriting background scripts as Service Workers and handling permission changes.

Bottom Line

Ouistiti is a low-risk utility that functions exactly as advertised: it captures webcam images and uploads them to Google Drive. While it uses an older extension architecture (Manifest V2) and includes minor obfuscation, its permissions are strictly aligned with its stated purpose of daily photo journaling. There is no evidence of data exfiltration or malicious behavior; users can safely install this if they trust the developer and understand that their photos will be stored on Google's servers.
