Pie Adblock A Powerful Fr
🔍 Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Blocks ads and pop-ups, YouTube and Twitch video ads, allowing you to customize your ad experience with Pie Adblock. Suitable for users who want to minimize distractions while browsing online, this extension is particularly beneficial for those frequenting YouTube and Twitch platforms. By using Pie Adblock, you can enjoy a more streamlined viewing experience.
Overview
Pie is a completely free ad blocker that blocks pre-roll ads on YouTube, mid-roll ads on Twitch, pop-ups, banners, and more. Reclaim your online experience and watch ads disappear in real-time!
Here is how it works:
📺 YouTube & Twitch Adblock — Say goodbye to ads on streaming services! Our team of real humans are always working to block video ads that slip past other ad blockers.
🔒 Privacy + Security — Your data is only used to power Pie features—never sold or monetized. We prioritize trust and transparency. Read our full privacy commitment at www.pie.org/privacy
🛑 Advanced Features — Enjoy all advanced adblocker features at no cost to you: robust ad-blocking methods, enhanced popup suppression, plus more.
🎉 Visual Mode — See the power of our ad blocking technology in action as ads are zapped away.
🗽 Made in LA/NY
🥧 Growing The Pie Together — Pie isn’t just an ad blocker; it’s an experiment to see what happens when people have more control of their internet experience.
Add Pie with just a couple clicks and start blocking ads immediately.
Terms apply and may be viewed at www.pie.org/terms
--------
➤ Changelogs:
[March 2025] We’ve introduced a new feature that detects when multiple ad blockers or related extensions are installed, as using several at once can negatively impact effective ad blocking. Users now have the option to easily disable conflicting extensions directly within Pie Adblock. This helps ensure optimal ad blocking efficiency, reduces ad block detection, and creates a smoother browsing experience. Read more in pie.org/privacy
[February 2025] Released new ways to support your favorite creators on YouTube and Twitch. Our new video overlay shows you when Pie's YouTube & Twitch ad blocker is actively working to block ads and gives you more control over your ad experience.
[January 2025] Added support for new Fair Ads sites
[October 2024] Twitch stats: ads blocked, time saved, and more!
[September 2024] Improvements to Manifest V3 (MV3) ad-blocking and filters
[August 2024] First fully featured version. Block distractions like ads, video ads like pre-rolls and mid-rolls, floating videos, pop-ups, cookie banners, and more.
~~~~~~~
Need a replacement for uBlock Origin? Pie is an efficient, fully MV3 compatible ad blocker that will block ads on YouTube, Twitch, and more!
Ready to get started? Click “Add to Chrome” at the top of this page and start blocking ads in just a couple of clicks!
Tags
Privacy Practices
✓
Not being sold to third parties, outside of the approved use cases
✓
Not being used or transferred for purposes that are unrelated to the item's core functionality
✓
Not being used or transferred to determine creditworthiness or for lending purposes
Security Analysis — Pie Adblock A Powerful Fr
Permissions
Code Patterns Detected
External Connections
Package Contents 310 files · 53.4MB
▾_locales124KB
▾de26KB
messages.json26KB
▾en73KB
messages.json73KB
▾en-GB24KB
messages.json24KB
▾_metadata40KB
verified_contents.json40KB
▾adblock-rulesets41.6MB
▾annoyances-cookies361KB
annoyances-cookies.json361KB
▾chrome-only37.8MB
admiral.json360KB
default-oisd-big.json37.4MB
▾included-filters1.6MB
easylist.txt1.6MB
pie_local.txt0B
▾main150KB
affiliate-allowlist.json7KB
default-pie-domain.json2KB
ubo-redirect.json140KB
▾remote-filters1.7MB
default-pie-custom.json98KB
filter-versions.json106B
pie_custom.txt49KB
ublock-fixes.txt1.5MB
▾assets1.3MB
▾icons40KB
▾active7KB
icon128.png4KB
icon16.png518B
icon32.png1KB
icon48.png2KB
▾adblock20KB
▾active7KB
icon128.png4KB
icon16.png518B
icon32.png1KB
icon48.png2KB
▾inactive13KB
icon128-sepia.png3KB
icon128.png4KB
icon16-sepia.png309B
icon16.png591B
icon32-sepia.png751B
icon32.png1KB
icon48-sepia.png1KB
icon48.png2KB
▾inactive13KB
icon128-sepia.png3KB
icon128.png4KB
icon16-sepia.png309B
icon16.png591B
icon32-sepia.png751B
icon32.png1KB
icon48-sepia.png1KB
icon48.png2KB
▾internalSettings4KB
internalSettings.html4KB
▾page
suppressAlert.js39B
suppressConfirm.js41B
suppressPrompt.js40B
▾scripts48KB
twitch-vaft-userscript-v2.js48KB
▾tac577KB
abercrombie.js10KB
acehardware.js2KB
ae.js2KB
aeropostale.js2KB
airportparkingreservations.js2KB
allmodern.js2KB
amazon.js2KB
ashleyfurniturehomestore.js2KB
asos-au.js2KB
asos-com.js2KB
asos-de.js2KB
asos-fr.js2KB
asos-it.js2KB
asos.js2KB
athleta-canada.js2KB
athleta.js2KB
banana-republic-canada.js2KB
banana-republic.js2KB
banggood.js3KB
barkbox-superchewer.js2KB
barkbox.js2KB
barnesandnoble.js2KB
basspro.js3KB
bathandbodyworks.js2KB
belk.js2KB
bigcommerce-framework.js5KB
biglots.js2KB
birchlane.js2KB
birkenstock.js2KB
bloomingdales.js2KB
bonobos.js2KB
boohoo-au.js3KB
boohoo-ca.js3KB
boohoo-de.js3KB
boohoo-fr.js3KB
boohoo-ie.js3KB
boohoo.js3KB
boohooman-au.js3KB
boohooman-de.js3KB
boohooman-ie.js3KB
boohooman-nl.js3KB
boohooman-uk.js3KB
boohooman.js3KB
buyagift-uk.js1KB
cabelas-ca.js2KB
cabelas.js3KB
carid.js2KB
cartcomframework.js2KB
catfootwear.js3KB
catherines.js5KB
chacos.js3KB
chewy.js4KB
coles-au.js3KB
cos-eu.js2KB
cos-fr.js2KB
cos-se.js2KB
cos-uk.js2KB
cos.js2KB
cosstores.js2KB
cvs.js2KB
dickssportinggoods.js2KB
doordash.js9KB
dsw.js2KB
dummy-store-dac.js1KB
ebay-au.js2KB
ebay-ca.js2KB
ebay-de.js2KB
ebay-es.js2KB
ebay-fr.js2KB
ebay-it.js2KB
ebay-nl.js2KB
ebay-uk.js2KB
ebay.js2KB
elfcosmetics.js3KB
expedia.js3KB
farfetch-au.js3KB
farfetch-ca.js3KB
farfetch-ch.js3KB
farfetch-de.js3KB
farfetch-nl.js3KB
farfetch-uk.js3KB
farfetch.js3KB
fitflop.js2KB
forever21.js3KB
g2a-de.js2KB
g2a-es.js2KB
g2a.js2KB
ganni-au.js3KB
ganni-ca.js3KB
ganni-uk.js3KB
ganni.js3KB
gap-canada.js2KB
gap-com.js2KB
gap.js2KB
gapcanada-ca.js2KB
godaddy.js2KB
hammacher.js2KB
harley-davidson.js2KB
hollisterco.js10KB
homedepot.js2KB
hp.js5KB
jack-jones-ca.js2KB
jackjones-de.js2KB
jackjones.js2KB
jackjonesus.js2KB
jcpenney.js3KB
jcrew.js3KB
jossandmain.js2KB
kohls.js1KB
lands-end-business-outfitters.js2KB
landsend.js2KB
lenovo-au.js2KB
lenovo-ca.js2KB
lenovo-de.js2KB
lenovo-in.js2KB
lenovo-sg.js2KB
lenovo-uk.js2KB
lenovo.js2KB
llbean-ca.js4KB
llbean.js2KB
loccitane-au.js3KB
loccitane-ca.js3KB
loccitane-uk.js3KB
loccitane.js3KB
loft.js2KB
lowes.js3KB
lulus.js2KB
macys.js3KB
madewell.js2KB
magento-framework.js4KB
marshalls.js3KB
merrell.js3KB
mockstoreturboapply.js1KB
mytheresa-au.js13KB
mytheresa-ca.js13KB
mytheresa-es.js13KB
mytheresa-uk.js13KB
mytheresa.js13KB
neimanmarcus.js3KB
newegg.js3KB
officedepot.js4KB
orbitz.js4KB
pacsun.js3KB
papajohns.js2KB
petco.js2KB
petsmart.js2KB
prestashop-framework.js3KB
prettylittlething-au.js4KB
prettylittlething-ca.js4KB
prettylittlething-fr.js4KB
prettylittlething-ie.js4KB
prettylittlething-us.js4KB
prettylittlething.js4KB
puritan.js1KB
redbubble-germany.js9KB
redbubble.js9KB
revolve.js2KB
revolveclothing-au.js2KB
saksfifthavenue.js2KB
samsung.js2KB
saucony.js3KB
sephora.js2KB
shopify-pay.js9KB
shopify.js8KB
shutterstock.js2KB
sierra.js2KB
spacenk-com.js3KB
spacenk-eu.js3KB
spacenk-ie.js3KB
spacenk.js3KB
staples.js2KB
target.js3KB
tjx.js3KB
ulta.js5KB
uniqlo-es.js3KB
uniqlo-it.js3KB
uniqlo-uk.js3KB
us-boohoo.js3KB
vimeo.js3KB
vitacost.js3KB
walgreens-photo.js2KB
walgreens.js2KB
wayfair-ca.js2KB
wayfair-de.js2KB
wayfair-uk.js2KB
wayfair.js2KB
westerndigital.js3KB
wish.js2KB
wolverine.js3KB
woocommerce-framework.js2KB
worldmarket.js3KB
zazzle-au.js3KB
zazzle-ca.js3KB
zazzle-uk.js3KB
zazzle.js3KB
merchantDomains.json690KB
▾remote-static-json4KB
adblock-graceful-fail-messaging.json4KB
▾web_accessible_resources26KB
1x1.gif43B
2x2.png68B
32x32.png83B
amazon-apstag.js315B
amazon_ads.js753B
amazon_apstag.js315B
chartbeat.js185B
click2load.html960B
doubleclick_instream_ad_status.js26B
empty0B
fingerprint2.js442B
google-analytics_analytics.js1KB
google-analytics_cx_api.js190B
google-analytics_ga.js2KB
google-ima.js8KB
googlesyndication_adsbygoogle.js650B
googletagservices_gpt.js2KB
hd-main.js1015B
nobab2.js285B
noeval-silent.js84B
nofab.js1KB
noop copy.txt1B
noop-0.1s.mp3813B
noop-1s.mp44KB
noop-vmap1.0.xml86B
noop.css6B
noop.html82B
noop.js0B
noop.txt0B
outbrain-widget.js701B
popads.js434B
scorecardresearch_beacon.js104B
92.js427B
adblock.js1.2MBlarge
adblock.js.LICENSE.txt2KB
background.js1.4MBlarge
background.js.LICENSE.txt917B
background.js.map42KB
chatGPT.js767KBlarge
chatGPT.js.LICENSE.txt2KB
contentAdblockEmbeddedUI.js671KBlarge
contentAdblockEmbeddedUI.js.LICENSE.txt1KB
contentAdblockUI.js722KBlarge
contentAdblockUI.js.LICENSE.txt1KB
contentAdblockVideoPlayerUI.js743KBlarge
contentAdblockVideoPlayerUI.js.LICENSE.txt1KB
contentCheckAdblock.js21KB
contentDetectAds.js260KBlarge
contentDetectTwitchAds.js210KBlarge
contentDetectUnblock.js653B
contentDetectYoutubeAds.js212KBlarge
contentDetectYoutubeError.js214KBlarge
contentExecuteYoutubeScriptlets.js612KBlarge
contentScriptStarted.js210KBlarge
contentUnblockAds.js40KB
contentUnblockAds.js.LICENSE.txt237B
internalSettings.js215KBlarge
manifest.json6KB
notification.js1.2MBlarge
notification.js.LICENSE.txt2KB
offscreen.html123B
offscreen.js789KBlarge
offscreen.js.LICENSE.txt147KB
options.html1KB
options.js24KB
popover.html866B
popover.js771KBlarge
popover.js.LICENSE.txt1KB
Here is the comprehensive security report in JSON format:
```json
{
"summary": "Pie Adblock is a free ad blocker that blocks ads, pop-ups, YouTube & Twitch video ads. It's designed to help users reclaim their online experience and watch ads disappear in real-time.",
"permissions": [
{
"name": "alarms",
"user_explanation": "Allows the extension to schedule notifications or reminders.",
"technical_note": "Accesses Chrome's alarm API, enabling scheduling of notifications or reminders. Potential attack surface: unauthorized access to user's calendar or notification system.",
"aligned": true,
"concern": false
},
{
"name": "cookies",
"user_explanation": "Lets the extension read and write cookies on websites you visit.",
"technical_note": "Accesses Chrome's cookie API, enabling reading and writing of cookies. Potential attack surface: unauthorized access to user's session data or tracking cookies.",
"aligned": true,
"concern": true
},
{
"name": "tabs",
"user_explanation": "Allows the extension to read and modify tabs you have open.",
"technical_note": "Accesses Chrome's tab API, enabling reading and modifying of tabs. Potential attack surface: unauthorized access to user's browsing history or current session data.",
"aligned": true,
"concern": false
},
{
"name": "storage",
"user_explanation": "Lets the extension read and write data in Chrome's storage.",
"technical_note": "Accesses Chrome's storage API, enabling reading and writing of data. Potential attack surface: unauthorized access to user's stored credentials or sensitive information.",
"aligned": true,
"concern": false
},
{
"name": "scripting",
"user_explanation": "Allows the extension to run scripts on web pages you visit.",
"technical_note": "Accesses Chrome's content script API, enabling execution of scripts. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": true,
"concern": false
},
{
"name": "webNavigation",
"user_explanation": "Lets the extension observe and modify web page navigation.",
"technical_note": "Accesses Chrome's web navigation API, enabling observation and modification of web page navigation. Potential attack surface: unauthorized access to user's browsing history or current session data.",
"aligned": true,
"concern": false
},
{
"name": "unlimitedStorage",
"user_explanation": "Allows the extension to store an unlimited amount of data in Chrome's storage.",
"technical_note": "Accesses Chrome's storage API with unlimited storage quota, enabling storage of large amounts of data. Potential attack surface: unauthorized access to user's stored credentials or sensitive information.",
"aligned": true,
"concern": false
},
{
"name": "declarativeNetRequestWithHostAccess",
"user_explanation": "Lets the extension make requests to web pages you visit, with host access.",
"technical_note": "Accesses Chrome's declarative net request API with host access, enabling making of requests. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": true,
"concern": false
},
{
"name": "declarativeNetRequestFeedback",
"user_explanation": "Allows the extension to receive feedback on its network requests.",
"technical_note": "Accesses Chrome's declarative net request API with feedback, enabling receipt of feedback. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": true,
"concern": false
},
{
"name": "webRequest",
"user_explanation": "Lets the extension observe and modify web page requests.",
"technical_note": "Accesses Chrome's web request API, enabling observation and modification of web page requests. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": true,
"concern": true
},
{
"name": "management",
"user_explanation": "Allows the extension to manage other extensions installed in Chrome.",
"technical_note": "Accesses Chrome's management API, enabling management of other extensions. Potential attack surface: unauthorized access to user's installed extensions or injection of malicious code.",
"aligned": true,
"concern": false
},
{
"name": "offscreen",
"user_explanation": "Lets the extension run in the background even when you're not using Chrome.",
"technical_note": "Accesses Chrome's off-screen API, enabling running of the extension in the background. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": true,
"concern": false
},
{
"name": "<all_urls>",
"user_explanation": "Allows the extension to access all web pages you visit, including those with sensitive information.",
"technical_note": "Accesses Chrome's content script API with <all_urls> permission, enabling access to all web pages. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": false,
"concern": true
}
],
"data_exposure": {
"summary": "Pie Adblock accesses cookies, tabs, storage, and makes requests to various domains, including some with sensitive information. It also uses the Fetch API and XHR requests.",
"technical": "Exact domains contacted: www.w3.org, github.com, help.pie.org, secure-gateway.farfetch.com, openapi.lenovo.com, www.boohooman.com, www.pie.org, api.mytheresa.com, cdn.pie.org, reactjs.org, fonts.googleapis.com. Protocols used: HTTP, HTTPS. Data types accessed: cookies, tokens, page content."
},
"findings": [
{
"title": "eval() used",
"severity": "high",
"user_explanation": "The extension uses eval(), which can execute arbitrary code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: injection of malicious code. Exploit scenario: an attacker could inject malicious code into the extension's eval() function, potentially leading to unauthorized access or data theft.",
"legitimate_use": "eval() is commonly used in legitimate extensions for dynamic code execution.",
"concern": true
},
{
"title": "Function constructor used",
"severity": "high",
"user_explanation": "The extension uses the Function constructor, which can execute arbitrary code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: injection of malicious code. Exploit scenario: an attacker could inject malicious code into the extension's Function constructor, potentially leading to unauthorized access or data theft.",
"legitimate_use": "The Function constructor is commonly used in legitimate extensions for dynamic code execution.",
"concern": true
},
{
"title": "String.fromCharCode (obfuscation)",
"severity": "medium",
"user_explanation": "The extension uses String.fromCharCode, which can be used to obfuscate code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: code obfuscation. Exploit scenario: an attacker could use this technique to make the extension's code harder to analyze or debug.",
"legitimate_use": "String.fromCharCode is commonly used in legitimate extensions for encoding or decoding data.",
"concern": false
},
{
"title": "charCodeAt (obfuscation)",
"severity": "medium",
"user_explanation": "The extension uses charCodeAt, which can be used to obfuscate code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: code obfuscation. Exploit scenario: an attacker could use this technique to make the extension's code harder to analyze or debug.",
"legitimate_use": "charCodeAt is commonly used in legitimate extensions for encoding or decoding data.",
"concern": false
},
{
"title": "Makes XHR requests",
"severity": "info",
"user_explanation": "The extension makes XHR requests to various domains.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: unauthorized access to user's browsing data or injection of malicious code. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's XHR requests.",
"legitimate_use": "XHR requests are commonly used in legitimate extensions for making asynchronous requests to web servers.",
"concern": false
},
{
"title": "Uses Fetch API",
"severity": "info",
"user_explanation": "The extension uses the Fetch API to make requests to various domains.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: unauthorized access to user's browsing data or injection of malicious code. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's Fetch API requests.",
"legitimate_use": "The Fetch API is commonly used in legitimate extensions for making asynchronous requests to web servers.",
"concern": false
},
{
"title": "Creates script elements dynamically",
"severity": "high",
"user_explanation": "The extension creates script elements dynamically, which can be used to inject malicious code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: injection of malicious code. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's dynamically created script elements.",
"legitimate_use": "Creating script elements dynamically is commonly used in legitimate extensions for dynamic content loading or updating.",
"concern": true
},
{
"title": "Reads browser storage",
"severity": "medium",
"user_explanation": "The extension reads data from Chrome's storage.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: unauthorized access to user's stored credentials or sensitive information. Exploit scenario: an attacker could use this technique to steal user's stored credentials or sensitive information.",
"legitimate_use": "Reading browser storage is commonly used in legitimate extensions for storing and retrieving data.",
"concern": true
},
{
"title": "Writes to browser storage",
"severity": "medium",
"user_explanation": "The extension writes data to Chrome's storage.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: unauthorized access to user's stored credentials or sensitive information. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's written data.",
"legitimate_use": "Writing to browser storage is commonly used in legitimate extensions for storing and retrieving data.",
"concern": true
},
{
"title": "Potential hardcoded secret",
"severity": "medium",
"user_explanation": "The extension contains a potential hardcoded secret, which could be used by an attacker to gain unauthorized access.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: unauthorized access to user's browsing data or injection of malicious code. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's hardcoded secret.",
"legitimate_use": "Hardcoded secrets are commonly used in legitimate extensions for authentication or authorization purposes.",
"concern": true
},
{
"title": "Creates iframe elements",
"severity": "medium",
"user_explanation": "The extension creates iframe elements, which can be used to inject malicious code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: injection of malicious code. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's created iframes.",
"legitimate_use": "Creating iframe elements is commonly used in legitimate extensions for dynamic content loading or updating.",
"concern": true
}
],
"verdict": {
"security_risk": "high",
"recommendation": "The extension has a high security risk due to its use of eval(), Function constructor, and potential hardcoded secret. It is recommended that the developer address these issues to improve the extension's security."
}
}
```json
{
"summary": "Pie Adblock is a free ad blocker that blocks ads, pop-ups, YouTube & Twitch video ads. It's designed to help users reclaim their online experience and watch ads disappear in real-time.",
"permissions": [
{
"name": "alarms",
"user_explanation": "Allows the extension to schedule notifications or reminders.",
"technical_note": "Accesses Chrome's alarm API, enabling scheduling of notifications or reminders. Potential attack surface: unauthorized access to user's calendar or notification system.",
"aligned": true,
"concern": false
},
{
"name": "cookies",
"user_explanation": "Lets the extension read and write cookies on websites you visit.",
"technical_note": "Accesses Chrome's cookie API, enabling reading and writing of cookies. Potential attack surface: unauthorized access to user's session data or tracking cookies.",
"aligned": true,
"concern": true
},
{
"name": "tabs",
"user_explanation": "Allows the extension to read and modify tabs you have open.",
"technical_note": "Accesses Chrome's tab API, enabling reading and modifying of tabs. Potential attack surface: unauthorized access to user's browsing history or current session data.",
"aligned": true,
"concern": false
},
{
"name": "storage",
"user_explanation": "Lets the extension read and write data in Chrome's storage.",
"technical_note": "Accesses Chrome's storage API, enabling reading and writing of data. Potential attack surface: unauthorized access to user's stored credentials or sensitive information.",
"aligned": true,
"concern": false
},
{
"name": "scripting",
"user_explanation": "Allows the extension to run scripts on web pages you visit.",
"technical_note": "Accesses Chrome's content script API, enabling execution of scripts. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": true,
"concern": false
},
{
"name": "webNavigation",
"user_explanation": "Lets the extension observe and modify web page navigation.",
"technical_note": "Accesses Chrome's web navigation API, enabling observation and modification of web page navigation. Potential attack surface: unauthorized access to user's browsing history or current session data.",
"aligned": true,
"concern": false
},
{
"name": "unlimitedStorage",
"user_explanation": "Allows the extension to store an unlimited amount of data in Chrome's storage.",
"technical_note": "Accesses Chrome's storage API with unlimited storage quota, enabling storage of large amounts of data. Potential attack surface: unauthorized access to user's stored credentials or sensitive information.",
"aligned": true,
"concern": false
},
{
"name": "declarativeNetRequestWithHostAccess",
"user_explanation": "Lets the extension make requests to web pages you visit, with host access.",
"technical_note": "Accesses Chrome's declarative net request API with host access, enabling making of requests. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": true,
"concern": false
},
{
"name": "declarativeNetRequestFeedback",
"user_explanation": "Allows the extension to receive feedback on its network requests.",
"technical_note": "Accesses Chrome's declarative net request API with feedback, enabling receipt of feedback. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": true,
"concern": false
},
{
"name": "webRequest",
"user_explanation": "Lets the extension observe and modify web page requests.",
"technical_note": "Accesses Chrome's web request API, enabling observation and modification of web page requests. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": true,
"concern": true
},
{
"name": "management",
"user_explanation": "Allows the extension to manage other extensions installed in Chrome.",
"technical_note": "Accesses Chrome's management API, enabling management of other extensions. Potential attack surface: unauthorized access to user's installed extensions or injection of malicious code.",
"aligned": true,
"concern": false
},
{
"name": "offscreen",
"user_explanation": "Lets the extension run in the background even when you're not using Chrome.",
"technical_note": "Accesses Chrome's off-screen API, enabling running of the extension in the background. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": true,
"concern": false
},
{
"name": "<all_urls>",
"user_explanation": "Allows the extension to access all web pages you visit, including those with sensitive information.",
"technical_note": "Accesses Chrome's content script API with <all_urls> permission, enabling access to all web pages. Potential attack surface: unauthorized access to user's browsing data or injection of malicious code.",
"aligned": false,
"concern": true
}
],
"data_exposure": {
"summary": "Pie Adblock accesses cookies, tabs, storage, and makes requests to various domains, including some with sensitive information. It also uses the Fetch API and XHR requests.",
"technical": "Exact domains contacted: www.w3.org, github.com, help.pie.org, secure-gateway.farfetch.com, openapi.lenovo.com, www.boohooman.com, www.pie.org, api.mytheresa.com, cdn.pie.org, reactjs.org, fonts.googleapis.com. Protocols used: HTTP, HTTPS. Data types accessed: cookies, tokens, page content."
},
"findings": [
{
"title": "eval() used",
"severity": "high",
"user_explanation": "The extension uses eval(), which can execute arbitrary code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: injection of malicious code. Exploit scenario: an attacker could inject malicious code into the extension's eval() function, potentially leading to unauthorized access or data theft.",
"legitimate_use": "eval() is commonly used in legitimate extensions for dynamic code execution.",
"concern": true
},
{
"title": "Function constructor used",
"severity": "high",
"user_explanation": "The extension uses the Function constructor, which can execute arbitrary code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: injection of malicious code. Exploit scenario: an attacker could inject malicious code into the extension's Function constructor, potentially leading to unauthorized access or data theft.",
"legitimate_use": "The Function constructor is commonly used in legitimate extensions for dynamic code execution.",
"concern": true
},
{
"title": "String.fromCharCode (obfuscation)",
"severity": "medium",
"user_explanation": "The extension uses String.fromCharCode, which can be used to obfuscate code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: code obfuscation. Exploit scenario: an attacker could use this technique to make the extension's code harder to analyze or debug.",
"legitimate_use": "String.fromCharCode is commonly used in legitimate extensions for encoding or decoding data.",
"concern": false
},
{
"title": "charCodeAt (obfuscation)",
"severity": "medium",
"user_explanation": "The extension uses charCodeAt, which can be used to obfuscate code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: code obfuscation. Exploit scenario: an attacker could use this technique to make the extension's code harder to analyze or debug.",
"legitimate_use": "charCodeAt is commonly used in legitimate extensions for encoding or decoding data.",
"concern": false
},
{
"title": "Makes XHR requests",
"severity": "info",
"user_explanation": "The extension makes XHR requests to various domains.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: unauthorized access to user's browsing data or injection of malicious code. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's XHR requests.",
"legitimate_use": "XHR requests are commonly used in legitimate extensions for making asynchronous requests to web servers.",
"concern": false
},
{
"title": "Uses Fetch API",
"severity": "info",
"user_explanation": "The extension uses the Fetch API to make requests to various domains.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: unauthorized access to user's browsing data or injection of malicious code. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's Fetch API requests.",
"legitimate_use": "The Fetch API is commonly used in legitimate extensions for making asynchronous requests to web servers.",
"concern": false
},
{
"title": "Creates script elements dynamically",
"severity": "high",
"user_explanation": "The extension creates script elements dynamically, which can be used to inject malicious code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: injection of malicious code. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's dynamically created script elements.",
"legitimate_use": "Creating script elements dynamically is commonly used in legitimate extensions for dynamic content loading or updating.",
"concern": true
},
{
"title": "Reads browser storage",
"severity": "medium",
"user_explanation": "The extension reads data from Chrome's storage.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: unauthorized access to user's stored credentials or sensitive information. Exploit scenario: an attacker could use this technique to steal user's stored credentials or sensitive information.",
"legitimate_use": "Reading browser storage is commonly used in legitimate extensions for storing and retrieving data.",
"concern": true
},
{
"title": "Writes to browser storage",
"severity": "medium",
"user_explanation": "The extension writes data to Chrome's storage.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: unauthorized access to user's stored credentials or sensitive information. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's written data.",
"legitimate_use": "Writing to browser storage is commonly used in legitimate extensions for storing and retrieving data.",
"concern": true
},
{
"title": "Potential hardcoded secret",
"severity": "medium",
"user_explanation": "The extension contains a potential hardcoded secret, which could be used by an attacker to gain unauthorized access.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: unauthorized access to user's browsing data or injection of malicious code. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's hardcoded secret.",
"legitimate_use": "Hardcoded secrets are commonly used in legitimate extensions for authentication or authorization purposes.",
"concern": true
},
{
"title": "Creates iframe elements",
"severity": "medium",
"user_explanation": "The extension creates iframe elements, which can be used to inject malicious code.",
"technical_detail": "File location: /path/to/extension/script.js. Risk vector: injection of malicious code. Exploit scenario: an attacker could use this technique to inject malicious code into the extension's created iframes.",
"legitimate_use": "Creating iframe elements is commonly used in legitimate extensions for dynamic content loading or updating.",
"concern": true
}
],
"verdict": {
"security_risk": "high",
"recommendation": "The extension has a high security risk due to its use of eval(), Function constructor, and potential hardcoded secret. It is recommended that the developer address these issues to improve the extension's security."
}
}
Similar Extensions
More in Productivity/tools →
Easy-to-use PDF tools to view, edit, convert, fill, e-sign PDF files, and more in your browser.
Save references to Zotero from your web browser
Browsec VPN is a Chrome VPN extension that protects your IP from Internet threats and lets you browse privately for free…