Security Warning: High Security Risk
Tableau Bridge Config Helper
ID: pnghcjanlljbmedmaiapiipbmagpmlam
Extension Info & Metadata
Publisher Contextual Analysis
- Author: FortunaSwap Team
- Privacy: Privacy Policy
- MX records exist: Yes
- Domain exists: Yes
- Is disposable: No
- Is role-based: Yes
- Mailbox exists: Yes
- Website: Visit
Collect information needed to configure Tableau Bridge Linux agents and download as a YAML file.
The extension generates secret keys for Tableau users.
The background service worker silently intercepts and persists the x-xsrf-token CSRF credential from every Tableau Cloud request to chrome.storage.local. While this token is later used to call the Tableau PAT API, the act of capturing and storing session-level security tokens in extension storage is itself a credential interception risk — particularly for an extension whose publisher (FortunaSwap Team, a DeFi platform) has a 100% malware rate across its other published extensions. Any future update could exfiltrate this stored token without the user's knowledge.
```js
// Excerpt from the background service worker (minified bundle).
// `u` and `c` are defined elsewhere in the bundle and are not shown here.
let a = "";
chrome.webRequest.onBeforeSendHeaders.addListener(r => {
    var t, s;
    const e = (s = (t = r.requestHeaders) == null ? void 0 : t.find(o => o.name === "x-xsrf-token")) == null ? void 0 : s.value;
    // Store the token whenever a new value appears on an outgoing request.
    return e && e !== a && (a = e, console.log("New CSRF Token: ", e), u.setItem(c.CSRF_TOKEN, e)), {
        requestHeaders: r.requestHeaders
    };
}, {
    urls: ["https://*.online.tableau.com/*"]
}, ["requestHeaders"]);
```

The content script uses the captured CSRF token to programmatically create Tableau Personal Access Tokens (PATs), collecting the resulting refreshToken values — long-lived credentials that authenticate API access to the Tableau Cloud site. In the current version these tokens are only downloaded locally as a YAML file, but the infrastructure to harvest an arbitrary number of Tableau auth credentials on behalf of any user navigating to online.tableau.com is fully in place. Combined with a publisher whose sole other extension is flagged malicious and who impersonates Tableau's own privacy policy, this credential creation pipeline represents a high-severity risk of future exfiltration.

```js
// Excerpt from the content script (minified bundle).
// `l`, `i`, `p` and `a` are defined elsewhere in the bundle and are not shown here.
const T = async e => {
    const s = await l.getItem(i.CSRF_TOKEN);
    if (!s) {
        console.log("CSRF token not found");
        return
    }
    const o = [];
    // One PAT is requested per iteration, named <tokenPrefix>-<n>.
    for (let t = 0; t < e.numberOfTokens; t++) {
        const r = `${e.tokenPrefix}-${t+1}`;
        try {
            const c = await (await fetch(`https://${p}/vizportal/api/web/v1/createPersonalAccessToken`, {
                method: "POST",
                headers: {
                    Accept: "application/json, text/plain, */*",
                    "x-xsrf-token": s
                },
                body: JSON.stringify({
                    method: "createPersonalAccessToken",
                    params: { clientId: r }
                })
            })).json();
            o.push({ name: r, secret: c.result.refreshToken })
        } catch (n) {
            console.error("Get PAT Tableau error"), console.error(n);
            o.push({ name: r, secret: "" })
        }
    }
    chrome.runtime.sendMessage({ type: a.RESPONSE_GET_PAT_TABLEAU, data: o })
};
```
Versions scanned
Showing 1 of 1 scanned version with more than one unique finding. Counts are unique findings that include each version.
| Extension Version | Code Review Findings |
|---|---|
| 1.2 | 2 |
Files with findings
2 distinct paths — top paths by unique finding count:
- assets/chunk-17801cfe.js: 1
- assets/chunk-453372f6.js: 1
