Z-API Conector

Z-API Conector

ID: iopmkohngoecmepoheapifkafbeomphn

Supported Languages

🇧🇷Brazilian Portuguese

Extension Info & Metadata

Status
Active
Version
3.0.0
Size
0.01 MB
Rating
5.0/5
Reviews
4
Users
1,000
Type
Extension
Updated
Jul 2, 2026
Category
Developer tools
Price
Free
Featured
No
Visibility
Listed
Mature
No
By Google
No
Trusted
No

Publisher Contextual Analysis

Author
Four Pixel ITView Profile
Country
BR
MX records exist
Yes
Domain exists
Yes
Is disposable
No
Is role-based
No
Mailbox exists
Yes
Address
Av. MARAJO 190 Cianorte, PR 87207-008 BR
Website
Visit
Total Extensions
3
Active
3
Obsolete
0
Listed
3
Unlisted
0
Total Users
1,000
Screenshot 1
Screenshot 2

Uma extensão que te ajuda a conectar de forma segura sua instância no Z-API.

Essa extensão tem o objetivo de facilitar clientes a conectar de forma segura sua conta a Ferramenta do Z-API.

Item
Type
Severity
Description
scripting
Permission
Critical
This permission allows injection and execution of JavaScript on any webpage. Rated Critical because it can modify page content, steal sensitive data, and inject malicious code into any site the extension has access to.
activeTab
Permission
Medium
This permission grants temporary access to the current tab. Rated Medium because it can access current page content when invoked, though limited to user-initiated actions.
tabs
Permission
Medium
This permission enables tab management and monitoring. Rated Medium because it can track open tabs, access tab metadata, and monitor user browsing patterns.
storage
Permission
Medium
This permission allows storing data locally in the browser. Rated Medium because it can persist sensitive user data, track user activities over time, and potentially store malicious payloads.

The function uses `chrome.scripting.executeScript` to inject scripts into WhatsApp Web that read Signal Protocol private keys (`signal_static_privkey`), Noise Protocol keypair (including private key), ADV signed identity, recovery token, and the user's phone number from IndexedDB and localStorage. These are then base64-encoded and POSTed to `https://api.z-api.io/instances/extension-connect`. While the destination (z-api.io) matches the publisher's stated domain and this is the extension's core purpose, the CWS data-collection disclosure is 'none declared' — the user is not informed that their WhatsApp private cryptographic keys and authentication identity are being collected and transmitted to a third-party server. Private keys sent to any remote server enable that server to impersonate the WhatsApp account indefinitely.

js/index.js (Line 257)
async function buildConnectionPayload(tab) {  const noise = await getNoise(tab);  const me = await getItemLocalStorage(tab, "last-wid-md");  const registrationId = await getItemIndexDb(    tab, "signal-storage", "signal-meta-store", "signal_reg_id",  );  const ADVSignedIdentity = await getItemIndexDb(    tab, "signal-storage", "signal-meta-store", "adv_signed_identity",  );  const SignalStaticPrivKey = await getItemIndexDb(    tab, "signal-storage", "signal-meta-store", "signal_static_privkey", true,  );  const SignalStaticPubKey = await getItemIndexDb(    tab, "signal-storage", "signal-meta-store", "signal_static_pubkey", true,  );  return {    noise: {      pubKey: btoa(String.fromCharCode.apply(null, new Uint8Array(noise.staticKeyPair.pubKey))),      privKey: btoa(String.fromCharCode.apply(null, new Uint8Array(noise.staticKeyPair.privKey))),    },    me: me.replace(/\"/g, ""),    registrationId,    identityKeyPair: {      privKey: btoa(String.fromCharCode.apply(null, new Uint8Array(SignalStaticPrivKey))),      pubKey: btoa(String.fromCharCode.apply(null, new Uint8Array(SignalStaticPubKey))),    },    account: {      details: btoa(...),      accountSignatureKey: btoa(...),      accountSignature: btoa(...),      deviceSignature: btoa(...)    },  };}

After the cryptographic credentials are successfully transmitted to api.z-api.io, the extension injects a script into WhatsApp Web that clears all localStorage and forces a page reload, destroying the user's local WhatsApp Web session. This occurs immediately after key transfer, leaving the user's browser without an active WhatsApp session while the credentials now reside on Z-API's servers. While arguably a consequence of session migration, this action is performed silently without explaining to the user that their local session will be terminated.

js/index.js (Line 565)
if (result.value || result.success) {  showStep("step-success");  chrome.scripting.executeScript({      target: {        tabId: currentTab.id      },      function: () => {        localStorage.clear();        location.reload();      },      args: [],    },    () => {},  );}

By severity

Critical0
High1
Medium1
Low0

Versions scanned

Showing 1 of 2 scanned versions with more than one unique finding. Counts are unique findings that include each version.

Extension VersionCode Review Findings
3.0.02

Files with findings

1 distinct path — top paths by unique finding count:

  • js/index.js2
S.No.
Category
Severity
File
Summary
Found in Version
1Unauthorized Data Collection
high
js/index.js (line 257)The function uses `chrome.scripting.executeScript` to inject scripts into WhatsApp Web that read Signal Protocol private keys (`signal_static_privkey`), Noise Protocol keypair (including private key), ADV signed ident…
2Other
medium
js/index.js (line 565)After the cryptographic credentials are successfully transmitted to api.z-api.io, the extension injects a script into WhatsApp Web that clears all localStorage and forces a page reload, destroying the user's local Wha…
URLs
5
IPv4
0
IPv6
0

URLs

View the external URLs this extension communicates with to understand its network activity and data interactions.

Gain full insight into all external connections.

Upgrade for full visibility.

fonts.googleapis.com-https://fonts.googleapis.com
fonts.gstatic.com-https://fonts.gstatic.com
fonts.googleapis.com/css2https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap
localhost/apihttp://localhost:8085/api
api.z-api.io-https://api.z-api.io

Gain full insight into all external connections.

Upgrade for full visibility.

No IP addresses found
Version
Size
Is Malicious
Findings
Permhash
3.0.0
Latest
0.01 MB
Malicious
2
1.0.0
0.01 MB
Malicious
Showing 1 to 2 of 10 rows
Rows per page:

Code Diff

Compare extension code between any two versions.

0 changed files (scanned top 25 shared text files)

No comparable text files found between these versions.

Browse and explore files within this extension package

Gain full insight into all external connections.

Upgrade for full visibility.