Rinaudo Capital

ID: opnjljhcacpimaeohbbibagnicceeikb

Supported Languages: 🇺🇸 English

Extension Info & Metadata

Status: Active
Version: 1.0.26
Size: 0.07 MB
Rating: 5.0/5
Reviews: 11
Users: 275
Type: Extension
Updated: Jul 1, 2026
Category: Productivity Communication
Price: Free
Featured: No
Visibility: Listed
Mature: No
By Google: No
Trusted: No

Publisher Contextual Analysis

Author: Solutions
MX records exist: Yes
Domain exists: Yes
Is disposable: No
Is role-based: No
Mailbox exists: Yes
Total Extensions: 2
Active: 2
Obsolete: 0
Listed: 2
Unlisted: 0
Total Users: 285

Earn tickets for liking, commenting on, and watching Mizkif's posts and videos, and get pinged when he goes live or posts.

| Item | Type | Severity | Description |
| --- | --- | --- | --- |
| identity | Permission | High | This permission accesses the Chrome identity service and user information. Rated High because it can obtain OAuth tokens, access connected accounts, and impersonate the user in authenticated services. |
| Contextual Risk Factors | Risk Factor | High | The following context increases the overall risk: 19% increase: Access to sensitive domains increases potential impact |
| storage | Permission | Medium | This permission allows storing data locally in the browser. Rated Medium because it can persist sensitive user data, track user activities over time, and potentially store malicious payloads. |
| https://rinaudoglobal.com/* | Host | Medium | Host permission — access limited to this URL pattern. |
| https://s2.jsolutions.dev/* | Host | Medium | Host permission — access limited to this URL pattern. |
| https://kick.com/* | Host | Medium | Host permission — access limited to this URL pattern. |
| https://www.youtube.com/* | Host | Medium | Host permission — access limited to this URL pattern. |
| https://www.tiktok.com/* | Host | Medium | Host permission — access limited to this URL pattern. |
| https://www.instagram.com/* | Host | Medium | Host permission — access limited to this URL pattern. |
| https://x.com/* | Host | Medium | Host permission — access limited to this URL pattern. |
| https://twitter.com/* | Host | Medium | Host permission — access limited to this URL pattern. |
| Access to Sensitive Domains | Risk Factor | Medium | This extension requests access to sensitive domains: https://www.instagram.com/*, https://twitter.com/* |
| alarms | Permission | Low | This permission schedules periodic tasks. Rated Low because it can only trigger events at specified times without access to sensitive data. |
| notifications | Permission | Low | This permission displays system notifications. Rated Low because it can only show user-visible notifications without accessing system data. |

The bundled manifest declares seven host_permissions and content scripts for five social platforms, but the live CWS listing shows only three host_permissions (kick.com, rinaudoglobal.com, youtube.com) and no mention of TikTok, Instagram, X/Twitter, or s2.jsolutions.dev. Users reviewing permissions at install time saw a materially different — and significantly narrower — set than what the extension actually uses. Whether this reflects a delayed CWS update or a deliberate omission, the discrepancy means consent to the broader permission set was not clearly obtained.

manifest.json (Line 9)
    "host_permissions": [
      "https://rinaudoglobal.com/*",
      "https://s2.jsolutions.dev/*",
      "https://kick.com/*",
      "https://www.youtube.com/*",
      "https://www.tiktok.com/*",
      "https://www.instagram.com/*",
      "https://x.com/*",
      "https://twitter.com/*"
    ],
    "content_scripts": [
      { "matches": ["https://kick.com/mizkif*"], "js": [...] },
      { "matches": ["https://www.youtube.com/*"], "js": [...] },
      { "matches": ["https://www.tiktok.com/*"], "js": [...] },
      { "matches": ["https://www.instagram.com/*"], "js": [...] },
      { "matches": ["https://x.com/*", "https://twitter.com/*"], "js": [...] }
    ]

The extension builds a persistent device fingerprint from GPU vendor/renderer (WebGL UNMASKED_RENDERER), canvas pixel hash, user-agent, CPU cores, device memory, language, and timezone — then transmits it on every authenticated request to s2.jsolutions.dev as the X-RGC-Fingerprint header. The code comments confirm this survives reinstalls to track the same physical machine across profiles. The CWS data-collection disclosure is 'none', so this collection of stable device characteristics is not disclosed to users, even though the destination is the publisher's own backend used for anti-fraud review of the rewards system.

background.js (Line 112)
    // Fuzzy machine fingerprint: a stable hash of GPU / canvas / UA / cores / timezone.
    // Unlike the device token it survives a reinstall or fresh profile on the SAME machine.
    let _fp = null;
    async function getFingerprint() {
      if (_fp != null) return _fp;
      const { rgcFp } = await chrome.storage.local.get('rgcFp');
      if (rgcFp) {
        _fp = rgcFp;
        return _fp;
      }
      const parts = [];
      try {
        parts.push(navigator.userAgent || '');
      } catch {}
      try {
        parts.push((navigator.languages || [navigator.language]).join(','));
      } catch {}
      try {
        parts.push(String(navigator.hardwareConcurrency || ''), String(navigator.deviceMemory || ''));
      } catch {}
      try {
        parts.push(Intl.DateTimeFormat().resolvedOptions().timeZone || '');
      } catch {}
      try {
        const gl = new OffscreenCanvas(1, 1).getContext('webgl');
        if (gl) {
          const dbg = gl.getExtension('WEBGL_debug_renderer_info');
          if (dbg) parts.push(gl.getParameter(dbg.UNMASKED_VENDOR_WEBGL) || '', gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL) || '');
          parts.push(gl.getParameter(gl.VERSION) || '');
        }
      } catch {}
      try {
        const cv = new OffscreenCanvas(200, 50),
          ctx = cv.getContext('2d');
        ctx.textBaseline = 'top';
        ctx.font = '14px Arial';
        ctx.fillStyle = '#069';
        ctx.fillText('rgc fp⚡', 2, 2);
        ctx.fillStyle = 'rgba(102,200,0,.7)';
        ctx.fillText('rgc fp⚡', 4, 6);
        const buf = await (await cv.convertToBlob()).arrayBuffer();
        const h = new Uint8Array(await crypto.subtle.digest('SHA-256', buf));
        parts.push([...h.slice(0, 8)].map((b) => b.toString(16).padStart(2, '0')).join(''));
      } catch {}
      // ... hashed and stored as rgcFp, then sent as X-RGC-Fingerprint on every s2 request
    }

By severity

Critical: 0
High: 1
Medium: 1
Low: 0

Versions scanned

Showing 1 of 8 scanned versions with more than one unique finding. Counts are unique findings that include each version.

| Extension Version | Code Review Findings |
| --- | --- |
| 1.0.26 | 2 |

Files with findings

2 distinct paths — top paths by unique finding count:

  • background.js: 1
  • manifest.json: 1

| S.No. | Category | Severity | File | Summary | Found in Version |
| --- | --- | --- | --- | --- | --- |
| 1 | Other | high | manifest.json (line 9) | The bundled manifest declares seven host_permissions and content scripts for five social platforms, but the live CWS listing shows only three host_permissions (kick.com, rinaudoglobal.com, youtube.com) and no mention … | |
| 2 | Tracking | medium | background.js (line 112) | The extension builds a persistent device fingerprint from GPU vendor/renderer (WebGL UNMASKED_RENDERER), canvas pixel hash, user-agent, CPU cores, device memory, language, and timezone — then transmits it on every aut… | |

URLs: 0
IPv4: 0
IPv6: 0
