Zoom Chrome Extension
Lets you schedule Zoom meetings directly from Google Calendar, streamlining your meeting planning and saving time for busy professionals and teams.
Overview
Schedule Zoom cloud meetings directly from Google Calendar
Zoom, the cloud meeting company, unifies mobile collaboration, cloud video conferencing and simple online meetings into one easy-to-use platform. Our solution offers the best video, audio and screen-sharing experience across Windows PC, Mac, iOS, Android and H.323/SIP room systems.
The Zoom Chrome Extension allows participants to schedule Zoom cloud meetings directly from Google Calendar. With the click of a button, you can start an instant meeting or schedule a future meeting. The meeting URL and information are sent via a Google Calendar invitation so the attendee can join with a single click.
Zoom Chrome Extension allows you to:
• Start an instant meeting
• Schedule a meeting
• Schedule a meeting for others
Do we do more?
Zoom offers the following:
• Unparalleled video, voice and screen sharing quality
• Free unlimited minutes for 1-to-1 meetings and 40 minutes for group meetings
• Paid service is only $14.99/month with unlimited minutes and meetings
• Video gallery view to see all 25 video streams at once
• Full online meeting functionality, including desktop and mobile screen sharing
• Annotations and share audio, mouse and keyboard controls
• Free global teleconferencing
• Interoperability between H.323/SIP room systems, desktop, tablet and mobile devices
To learn more about Zoom, please visit https://zoom.us
Security Analysis — Zoom Chrome Extension
Package Contents 43 files · 931KB
What This Extension Does
The Zoom Chrome Extension allows users to schedule Zoom meetings directly from Google Calendar, providing a convenient workflow integration. It solves the problem of easily accessing Zoom's video conferencing features from within Google Calendar. This extension is suitable for individuals and teams who use both Google Calendar and Zoom for their productivity needs.
Permissions Explained
- storage (expected): This permission allows the extension to store data locally on your device, such as meeting schedules or login credentials.
  Technical: The extension has access to Chrome's storage API, which enables it to save and retrieve data from local storage. This could potentially allow unauthorized access to sensitive information if compromised.
- unlimitedStorage (expected): This permission allows the extension to store an unlimited amount of data locally on your device, which may be necessary for storing large meeting schedules or other data.
  Technical: The extension has access to Chrome's unlimited storage API, which enables it to save and retrieve a virtually unlimited amount of data from local storage. This could potentially allow unauthorized access to sensitive information if compromised.
- https://www.google.com/calendar/* (expected): This permission allows the extension to interact with Google Calendar, enabling features like scheduling meetings and accessing calendar data.
  Technical: The extension has access to Chrome's permissions API for Google Calendar, which enables it to read and write calendar data. This could potentially allow unauthorized access to sensitive information if compromised.
- https://calendar.google.com/calendar/* (expected): This permission allows the extension to interact with Google Calendar, enabling features like scheduling meetings and accessing calendar data.
  Technical: The extension has access to Chrome's permissions API for Google Calendar, which enables it to read and write calendar data. This could potentially allow unauthorized access to sensitive information if compromised.
- https://*.zoom.us/* (expected): This permission allows the extension to interact with Zoom's services, enabling features like scheduling meetings and accessing meeting data.
  Technical: The extension has access to Chrome's permissions API for Zoom, which enables it to read and write meeting data. This could potentially allow unauthorized access to sensitive information if compromised.
- https://*.zoom.com/* (expected): This permission allows the extension to interact with Zoom's services, enabling features like scheduling meetings and accessing meeting data.
  Technical: The extension has access to Chrome's permissions API for Zoom, which enables it to read and write meeting data. This could potentially allow unauthorized access to sensitive information if compromised.
Your Data
The extension accesses user data from Google Calendar, including calendar events and login credentials. It also sends data to Zoom's servers for meeting scheduling and other features.
Technical Details
Code Findings
- This finding indicates that the extension uses a function constructor to execute code dynamically, which can potentially lead to security vulnerabilities.
  Technical: The extension uses the new Function() constructor to create and execute functions dynamically. This could allow an attacker to inject malicious code if they gain access to the extension's codebase.
  💡 This pattern is commonly used in legitimate extensions for dynamic code execution, such as loading external scripts or handling user input.
- This finding indicates that the extension loads external scripts in its service worker, which can potentially lead to security vulnerabilities.
  Technical: The extension uses the fetch() API to load external scripts from Zoom's servers. This could allow an attacker to inject malicious code if they gain access to the extension's codebase.
  💡 This pattern is commonly used in legitimate extensions for loading external resources, such as libraries or APIs.
- This finding indicates that the extension uses innerHTML assignments, which can potentially lead to cross-site scripting (XSS) vulnerabilities.
  Technical: The extension uses innerHTML assignments to update HTML content in its UI. This could allow an attacker to inject malicious code if they gain access to the extension's codebase and manipulate the innerHTML property.
  💡 This pattern is commonly used in legitimate extensions for updating UI content, such as displaying user data or loading external resources.
- This finding indicates that the extension uses String.fromCharCode() to obfuscate code, which can potentially make it harder for security researchers to analyze.
  Technical: The extension uses String.fromCharCode() to encode strings in its codebase. This could make it harder for security researchers to understand the extension's behavior and identify potential vulnerabilities.
  💡 This pattern is commonly used in legitimate extensions for encoding data, such as user input or API responses.
- This finding indicates that the extension creates script elements dynamically, which can potentially lead to security vulnerabilities.
  Technical: The extension uses document.createElement() to create script elements dynamically. This could allow an attacker to inject malicious code if they gain access to the extension's codebase and manipulate the script element's content.
  💡 This pattern is commonly used in legitimate extensions for loading external scripts or handling user input.
- This finding indicates that the extension monitors storage changes, which can potentially lead to security vulnerabilities if not properly implemented.
  Technical: The extension uses chrome.storage.onChanged() to monitor storage changes. This could allow an attacker to inject malicious code if they gain access to the extension's codebase and manipulate the storage API.
  💡 This pattern is commonly used in legitimate extensions for storing user data or loading external resources.
- This finding indicates that the extension uses postMessage() to communicate with other origins, which can potentially lead to security vulnerabilities if not properly implemented.
  Technical: The extension uses window.postMessage() to send messages to other origins. This could allow an attacker to inject malicious code if they gain access to the extension's codebase and manipulate the message content.
  💡 This pattern is commonly used in legitimate extensions for communicating with external APIs or handling user input.
- This finding indicates that the extension sets up event listeners, which can potentially be used to handle user interactions and update UI content.
  Technical: The extension uses addEventListener() to set up event listeners for various events. This could allow an attacker to inject malicious code if they gain access to the extension's codebase and manipulate the event listener's behavior.
  💡 This pattern is commonly used in legitimate extensions for handling user interactions and updating UI content.
The Zoom Chrome Extension has several security concerns, including dynamic code execution, external script loading, and potential XSS vulnerabilities. While these findings are concerning, they do not necessarily indicate malicious intent. Users should exercise caution when installing and using this extension, especially if they handle sensitive data or interact with other extensions that may have security vulnerabilities.