Security Warning: High Security Risk
Rinaudo Capital
ID: opnjljhcacpimaeohbbibagnicceeikb
Supported Languages
Extension Info & Metadata
Publisher Contextual Analysis
- Author
- Solutions
- Privacy
- Privacy Policy
- MX records exist
- Yes
- Domain exists
- Yes
- Is disposable
- No
- Is role-based
- No
- Mailbox exists
- Yes
Earn tickets for liking, commenting on, and watching Mizkif's posts and videos, and get pinged when he goes live or posts.
Sensitive Domain Access
This extension has access to the following sensitive domains:
- https://www.instagram.com/*
- https://twitter.com/*
The bundled manifest declares seven host_permissions and content scripts for five social platforms, but the live CWS listing shows only three host_permissions (kick.com, rinaudoglobal.com, youtube.com) and no mention of TikTok, Instagram, X/Twitter, or s2.jsolutions.dev. Users reviewing permissions at install time saw a materially different — and significantly narrower — set than what the extension actually uses. Whether this reflects a delayed CWS update or a deliberate omission, the discrepancy means consent to the broader permission set was not clearly obtained.
```json
"host_permissions": [
  "https://rinaudoglobal.com/*",
  "https://s2.jsolutions.dev/*",
  "https://kick.com/*",
  "https://www.youtube.com/*",
  "https://www.tiktok.com/*",
  "https://www.instagram.com/*",
  "https://x.com/*",
  "https://twitter.com/*"
],
"content_scripts": [
  { "matches": ["https://kick.com/mizkif*"], "js": [...] },
  { "matches": ["https://www.youtube.com/*"], "js": [...] },
  { "matches": ["https://www.tiktok.com/*"], "js": [...] },
  { "matches": ["https://www.instagram.com/*"], "js": [...] },
  { "matches": ["https://x.com/*", "https://twitter.com/*"], "js": [...] }
]
```

The extension builds a persistent device fingerprint from GPU vendor/renderer (WebGL UNMASKED_RENDERER), canvas pixel hash, user-agent, CPU cores, device memory, language, and timezone — then transmits it on every authenticated request to s2.jsolutions.dev as the X-RGC-Fingerprint header. The code comments confirm this survives reinstalls to track the same physical machine across profiles. The CWS data-collection disclosure is 'none', so this collection of stable device characteristics is not disclosed to users, even though the destination is the publisher's own backend used for anti-fraud review of the rewards system.
```javascript
// Fuzzy machine fingerprint: a stable hash of GPU / canvas / UA / cores / timezone.
// Unlike the device token it survives a reinstall or fresh profile on the SAME machine.
let _fp = null;
async function getFingerprint() {
  if (_fp != null) return _fp;
  const { rgcFp } = await chrome.storage.local.get('rgcFp');
  if (rgcFp) { _fp = rgcFp; return _fp; }
  const parts = [];
  try { parts.push(navigator.userAgent || ''); } catch {}
  try { parts.push((navigator.languages || [navigator.language]).join(',')); } catch {}
  try { parts.push(String(navigator.hardwareConcurrency || ''), String(navigator.deviceMemory || '')); } catch {}
  try { parts.push(Intl.DateTimeFormat().resolvedOptions().timeZone || ''); } catch {}
  try {
    const gl = new OffscreenCanvas(1, 1).getContext('webgl');
    if (gl) {
      const dbg = gl.getExtension('WEBGL_debug_renderer_info');
      if (dbg) parts.push(gl.getParameter(dbg.UNMASKED_VENDOR_WEBGL) || '', gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL) || '');
      parts.push(gl.getParameter(gl.VERSION) || '');
    }
  } catch {}
  try {
    const cv = new OffscreenCanvas(200, 50), ctx = cv.getContext('2d');
    ctx.textBaseline = 'top';
    ctx.font = '14px Arial';
    ctx.fillStyle = '#069';
    ctx.fillText('rgc fp⚡', 2, 2);
    ctx.fillStyle = 'rgba(102,200,0,.7)';
    ctx.fillText('rgc fp⚡', 4, 6);
    const buf = await (await cv.convertToBlob()).arrayBuffer();
    const h = new Uint8Array(await crypto.subtle.digest('SHA-256', buf));
    parts.push([...h.slice(0, 8)].map((b) => b.toString(16).padStart(2, '0')).join(''));
  } catch {}
  // ... hashed and stored as rgcFp, then sent as X-RGC-Fingerprint on every s2 request
}
```

By severity
Versions scanned
Showing 1 of 8 scanned versions with more than one unique finding. Counts are unique findings that include each version.
| Extension Version | Code Review Findings |
|---|---|
| 1.0.26 | 2 |
Files with findings
2 distinct paths — top paths by unique finding count:
- background.js: 1
- manifest.json: 1
