PearPass
🔍 Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Overview
PearPass – A fully local, open-source password manager.
PearPass is a fully local, open-source password manager designed for complete privacy and control. Unlike traditional cloud-based managers, PearPass never sends your data to external servers. All credentials are stored and encrypted directly on your device using strong end-to-end encryption. Whether you’re syncing between your phone and laptop or managing hundreds of logins, PearPass gives you full ownership of your digital identity. There is no central infrastructure to target, no hidden storage, and no third-party access.
Key Features
Device-Only Storage
Your passwords are stored locally on your devices, not in the cloud. You decide which devices have access. PearPass never uploads or stores your data externally.
Peer-to-Peer Sync
Secure syncing between your own devices without using a central server. Your data moves directly and securely between devices you control.
End-to-End Encryption
All data is encrypted using proven cryptographic primitives from Libsodium. No one else can access or read your vault—not even us.
Open Source and Independently Audited
PearPass is fully open source and has been independently reviewed by Secfault Security, a respected firm specializing in cryptography and offensive security.
Offline-First Design
Works without an internet connection. Your password vault is available at all times, even during outages or when you’re traveling.
Password Generator
Generate strong, unique passwords with one tap. Reduce the risks of reused or weak credentials.
Minimal and Fast
PearPass is lightweight, efficient, and designed for users who value both privacy and simplicity.
Why Local Storage Matters
In 2025, a single data breach leaked over 16 billion credentials. Cloud-based password managers, regardless of their security, rely on centralized systems that remain high-value targets for attackers. PearPass removes this risk entirely. With no cloud storage and no backend infrastructure, your data stays where it belongs—on your devices.
PearPass is free to use, fully transparent, and built for users who demand control over their digital security. Your passwords are yours. Keep them safe, private, and fully in your hands.
Download now and take your passwords off the cloud.
Tags
Privacy Practices
Security Analysis — PearPass
Permissions
Code Patterns Detected
External Connections
Package Contents 20 files · 1.9MB
What This Extension Does
Pearpass is a password manager extension designed to store credentials and manage clipboard operations for PearPass users. It utilizes Manifest V3 architecture with a background service worker to handle encryption and synchronization tasks. While it performs standard functions like reading/writing storage and capturing keystrokes, the analysis reveals significant security concerns regarding its network activity and code obfuscation techniques.
Permissions Explained
- storageexpected: Allows the extension to save your saved passwords and settings locally within the browser.
Technical: Accesses chrome.storage.local and chrome.storage.sync. If compromised, an attacker could exfiltrate stored credentials or modify user preferences. - nativeMessagingexpected: Enables communication with a separate desktop application (PearPass) to handle sensitive operations like encryption and decryption.
Technical: Establishes a secure channel via chrome.runtime.sendMessage. This is the primary attack surface; if the host app is compromised or the port is hijacked, the extension can leak data directly to an attacker's machine. - clipboardReadexpected: Permits the extension to read your clipboard contents so it can verify if a password was just copied or paste into fields.
Technical: Accesses chrome.clipboard.read. This is necessary for functionality but creates a risk of keylogging if the extension logic is flawed, as it sees everything you copy. - clipboardWriteexpected: Allows the extension to paste passwords into text fields for you.
Technical: Accesses chrome.clipboard.write. Essential for password injection functionality. - offscreenexpected: Enables the extension to run a hidden background thread that stays active even when the browser tab is closed.
Technical: Uses chrome.offscreen.Blob. This keeps the service worker alive for faster response times but increases the attack surface if the blob content is not properly sandboxed. - alarmsexpected: Allows the extension to set timers to wake up the background script periodically (e.g., for syncing or checking updates).
Technical: Uses chrome.alarms.create. Standard for maintaining persistent connections or scheduled tasks. - activeTabexpected: Lets the extension interact with the currently open tab to detect when you are on a login page.
Technical: Accesses chrome.tabs.query and chrome.runtime.sendMessage. Scope is limited to the active tab, reducing risk compared to <all_urls>.
Your Data
The extension communicates with several external domains including its own server (pass.pears.com) and various third-party sites like W3C, Redux, React, Google Docs, and Slack. It appears to fetch resources from these domains, potentially loading scripts or content that could be intercepted if not properly encrypted.
Technical Details
Code Findings
The extension uses techniques to hide its code, making it harder for average users or security researchers to inspect what the software is actually doing.
Technical: Analysis detected usage of String.fromCharCode and charCodeAt patterns. These are commonly used to encode strings into Unicode escape sequences (e.g., '\u0041') to bypass simple static analysis tools and hide logic from casual inspection.
💡 Developers often obfuscate code to protect intellectual property or prevent easy reverse-engineering of their algorithms.
The extension creates and runs new scripts on web pages dynamically. This can be used to inject malicious code if the extension itself is compromised.
Technical: Code behavior indicates dynamic creation of <script> elements. This bypasses standard CSP restrictions that block inline scripts, allowing the extension to execute arbitrary JavaScript in the context of any visited page.
💡 Used for injecting UI overlays or modifying DOM elements to enhance user experience.
The extension has the ability to capture keystrokes. While necessary for a password manager, this is the highest risk feature if the code is tampered with.
Technical: Behavioral analysis indicates 'Captures keystrokes'. In a legitimate password manager, this is used to detect when a user types a password so it can be saved or masked. However, combined with clipboardRead and dynamic script injection, this creates a potent vector for keylogging if the nativeMessaging host is compromised.
💡 Essential for auto-filling passwords and detecting active typing sessions.
The code might contain hidden secrets or API keys that are visible if someone inspects the source files.
Technical: Static analysis flagged 'Potential hardcoded secret'. This could be an internal API key, a debug token, or a signing key embedded directly in the JavaScript bundle.
💡 Sometimes used for internal debugging or connecting to staging environments.
The extension does not enforce strict security rules on which scripts can run, making it more vulnerable to attacks from malicious websites.
Technical: Manifest inspection shows 'Content Security Policy: not set'. Without a CSP header or manifest setting, the browser allows any script loaded by the page (including those injected by the extension) to execute.
💡 Extensions often omit CSP for simplicity or because they rely on dynamic injection which conflicts with strict CSPs.
The extension connects to many unrelated websites like Slack, Google Docs, and React documentation sites.
Technical: Network activity logs show requests to hooks.slack.com, docs.google.com, react.dev, etc. These are likely used for fetching library dependencies (e.g., Redux Toolkit) or updating internal documentation links, but the lack of a specific manifest scope for these domains is unusual.
💡 Fetching external libraries or checking for updates from official repositories.
Pearpass presents a mixed security profile. While it performs standard password manager functions, the combination of code obfuscation, dynamic script injection, and a lack of Content Security Policy significantly elevates its risk profile. The critical finding regarding keystroke capture is inherent to the function but becomes dangerous when paired with the other weaknesses. Users should exercise caution, particularly if they are not comfortable inspecting the source code or if the extension requires installing additional desktop components via nativeMessaging.
