Rewarded Interest Free Co
🔍 Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Overview
Finally, no more annoying cookie popups. Rewarded Interest autocompletes them based on your preferences while keeping you in control of your privacy.
► Add Rewarded Interest to Chrome to access these free privacy and consent automation features:
✔︎ Avoid cookie popups and get to content faster
✔︎ Block trackers and choose which advertisers (if any at all!) you will allow to track or build profiles about you
✔︎ Enjoy granular control over what companies can do with your data
✔︎ See a history of your consent for each site you go to and change consent choices anytime you want
✔︎ Supports the Global Privacy Control (GPC) to block the sale or use of data
Cookie fatigue is real. The consent popups are cumbersome, and people tend just to click ‘accept’ or ‘reject’ to get to content quickly. Now you can choose your preferences once, and this extension will automatically apply them for you.
We allow you to opt in or out of any data uses. Set your preferences for all sites or choose based on a specific site. It’s up to you!
We don't collect or sell your data. In the future you can earn Rewards if and when you choose to share your anonymous ID. When our userbase reaches scale, and if you have chosen to opt in to personalized advertising, you will begin to receive your share of the cost to show those to you ads as Rewards. If you do not wish to allow ads to be targeted to you, sharing of the Rewarded Interest ID can be turned off at any time.
We prioritize user privacy and security, ensuring your browsing history and personal information remain private. When using this extension, you agree to our Terms of Service: https://www.rewardedinterest.com/tos.
Please note: When installing Rewarded Interest, you will receive a warning that the extension can “read and change all of your data on all websites”. This is a standard message - you see this because we modify websites you visit to remove the dialogs and pass along your consent.
Rewarded Interest is currently available for Chrome desktop and some Chromium-based browsers. Mobile Safari coming soon!
Tags
Privacy Practices
Security Analysis — Rewarded Interest Free Co
Permissions
Code Patterns Detected
External Connections
Package Contents 37 files · 36MB
What This Extension Does
Rewarded Interest A Bette is a privacy-focused browser extension designed to block trackers, prevent cookie popups, and streamline the browsing experience by allowing users to jump directly to content. It operates using Manifest V3 with a background service worker and injects scripts into all web pages to intercept network requests and modify DOM elements. While its stated purpose aligns with user privacy needs, the combination of broad permissions like <all_urls> and webRequest interception requires careful scrutiny regarding data handling and potential side effects.
Permissions Explained
- tabsexpected: Allows the extension to see information about all tabs on your computer, such as their titles and URLs, which is necessary for managing popups or blocking trackers.
Technical: Accesses chrome.tabs API. Enables reading tab metadata (title, url, id) and triggering events like 'onUpdated' or 'onActivated'. Risk: Can be used to track browsing habits across sessions if combined with other data sources. - storageexpected: Lets the extension save settings and user preferences locally on your device so they persist after you close the browser.
Technical: Uses chrome.storage.sync or chrome.storage.local APIs. Data is stored in encrypted local storage (if sync) or unencrypted local files. Risk: Low, as this data is generally not transmitted to external servers unless explicitly coded to do so. - unlimitedStorageexpected: Permits the extension to use more than 10MB of local storage space, useful for caching large lists of blocked trackers or storing complex filter rules.
Technical: Bypasses the default 10MB limit on chrome.storage.local. Risk: Minimal in isolation, but increases the attack surface if the extension is compromised, as an attacker could exfiltrate larger amounts of cached data. - declarativeNetRequestexpected: Enables the extension to block or redirect specific network requests (like ads or trackers) without needing to modify every page's code.
Technical: Uses Manifest V3's declarative API to define filter rules. This is a safer, more efficient replacement for the deprecated webRequest blocking in MV2. Risk: Low; rules are static and cannot be dynamically changed by malicious code at runtime. - webRequestexpected: Allows the extension to observe network requests made by websites, which is essential for blocking trackers and modifying how pages load.
Technical: Hooks into chrome.webRequest API on specific events (onBeforeRequest, onHeadersReceived). Risk: HIGH. Can intercept all HTTP/HTTPS traffic. If compromised, could theoretically read request bodies or modify headers. Note: In MV3, this is often restricted to <all_urls> only for blocking, but still grants broad visibility. ⚠ 1 - scriptingexpected: Gives the extension the ability to inject JavaScript into web pages to run custom code that blocks popups or modifies content.
Technical: Accesses chrome.scripting APIs (inject, execute). Risk: MEDIUM. Allows execution of arbitrary code in the context of any website. If the injected code is flawed or compromised, it could lead to XSS-like vulnerabilities within the extension's scope. - alarmsexpected: Enables the background service worker to wake up periodically to check for updates or refresh blocking rules without user interaction.
Technical: Uses chrome.alarms API to schedule periodic events (e.g., every 5 minutes). Risk: Low; primarily used for maintenance tasks. Does not inherently grant access to data unless combined with other permissions. - <all_urls>check this: Grants the extension permission to operate on every website you visit, which is required for a global tracker blocker but significantly expands its reach.
Technical: The most critical permission. Allows injection and network interception on any domain (http://*, https://*). Risk: CRITICAL. If the extension contains vulnerabilities or malicious code, it can execute on banking sites, email clients, etc., potentially stealing credentials or session tokens. ⚠ 1
Your Data
The extension communicates with various third-party domains including ad networks (richaudience.com), UI libraries (radix-ui.com, reactjs.org), and package registries (npms.io). While these are likely legitimate dependencies for the extension's functionality, they represent potential vectors for data leakage if the extension inadvertently sends user browsing data or cookies to these services.
Technical Details
Code Findings
The extension injects code into every single website you visit. This means it has full access to the content of any page, which is necessary for its function but increases the risk if the extension itself gets hacked.
Technical: Code pattern: Content script injection set to '<all_urls>'. Risk vector: If a vulnerability exists in the injected code (e.g., an XSS flaw), an attacker could potentially execute arbitrary code on any site. Exploit scenario: An attacker exploits a bug in the extension's logic, gains control of the content script context, and attempts to exfiltrate data from high-value targets like email or banking sites.
💡 Essential for tracker blocking and popup removal; requires visibility into all page contexts to identify and neutralize unwanted elements.
The extension uses code obfuscation (like charCodeAt) to hide its logic. While common, this makes it harder for users or security researchers to verify exactly what the code is doing.
Technical: Code pattern: Usage of charCodeAt and similar methods to encode strings or control flow. File location: Likely within bundled JS files. Risk vector: Obfuscation can be used to hide malicious payloads or anti-debugging techniques. Exploit scenario: An analyst cannot easily audit the code, making it difficult to detect hidden data exfiltration routines.
💡 Common practice to reduce file size and prevent casual reverse engineering of proprietary logic.
The extension uses a standard method (postMessage) to talk to other websites. This is generally safe but requires trust that the receiving site won't misuse the message.
Technical: Code pattern: window.postMessage() calls. Risk vector: If not properly validated, could lead to Cross-Site Scripting (XSS) if a malicious site sends a crafted message. Exploit scenario: An attacker on a compromised site sends a message that triggers an error or unintended behavior in the extension's content script.
💡 Standard mechanism for extensions to interact with web pages and other extensions across different origins.
The extension creates new window frames (iframes) on websites. This is often done to isolate blocked content or display replacement ads, but it alters the page structure.
Technical: Code pattern: document.createElement('iframe'). Risk vector: Can be used to host malicious content if the source of the iframe is not strictly controlled. Exploit scenario: If the extension logic fails to validate the src attribute of an iframe, it could load a malicious resource.
💡 Used to sandbox blocked elements or render alternative content without affecting the main page flow.
The extension connects to many external servers for libraries and updates. This is normal but means your browser traffic passes through these domains.
Technical: Domains: richaudience.com, prod.rwdint.com, storage.googleapis.com, etc. Risk vector: Supply chain attacks or data leakage if these third parties log requests. Encryption status: Mixed (likely HTTPS for Google, unknown for others).
💡 Fetching React, Lodash, and other UI libraries to build the extension's interface.
Rewarded Interest A Bette appears to be a legitimate privacy tool with a clear purpose: blocking trackers and improving browsing flow. However, its high-risk profile stems from the combination of <all_urls> access and webRequest interception, which grants it significant power over your browsing session. Users should trust this extension only if they are comfortable with the inherent risks of broad permissions and ensure it is kept up to date to mitigate potential vulnerabilities in its code.
