
masked-email-manager's People

Contributors

abhinav avatar ajyey avatar dependabot[bot] avatar semantic-release-bot avatar

masked-email-manager's Issues

Extension seems too hard to audit for privacy and security

I just found the extension and I tried it. But I got immediately suspicious about it, as I do for any software that can access some of my data. I am not implying the extension is malicious or insecure. It is probably secure and respects privacy. But it is hard to audit, and the Chrome extension permissions are not very clear to me, even after a lot of effort and about an hour trying to understand it.

The source code seems very well organized and very good quality software. So let me explain my thoughts about privacy and security. I don't want to be rude or anything, and I do appreciate the great effort you made to provide this free of charge and all in the open. So I am sending this feedback in the hope that you find it interesting, and to have a conversation about it if you want to. I don't expect you to change the extension in any way based on this feedback.

Here is what I expected to be able to audit:

  • That the extension connects exclusively to fastmail.com and nothing else
  • That the extension cannot be updated in the background to connect to somewhere other than fastmail.com
  • The extension is not suspiciously collecting any information besides what is essential to use (like the API token and cached info from the fastmail.com masked email API)

Why I could not be sure of the above:

  • When installing the extension it does not ask for a list of sites to access. Of course it should access all tabs, but it does not tell me upfront what requests it is allowed to make in the background
  • When I look at the extension source code (not on GitHub, the one actually installed on ~/Library/Application Support/..../[extension_folder]), it is all minified and in one line, instead of the source files
  • Even if I prettify the JavaScript inside the extension, since you use TypeScript, it has a lot of wrappers and it is hard to read
  • I went ahead and installed the extension anyway. When I add an API token and test it, it is able to show my emails, but no permission dialog popped up. So since it accessed fastmail.com and never asked for anything, I assume the extension could be updated to make requests to any domain anywhere, which means my data could be extracted and sent somewhere
  • I am using Brave, but I assume neither Brave nor Chrome has a list of requests the extension did (like the network panel on dev tools) and I also tried to inspect the extension with dev tools and it does not show in the extension debugger (uBlock origin does, but I assume this extension does not run a background page, so it won't show there).

I don't know enough about extensions to understand how I could use this extension and be sure my security and privacy are respected. I use other extensions when they are provided by the vendor (in this case, if it was an official Fastmail extension). I thought about installing it from the GitHub source, but it is a lot of trouble to build it from scratch. Even if I do, I would need to go through the whole source code before building it. If I download it as a zip, then the code is all compacted (of course, same as downloaded from the extension store). If I had a 1-to-1 JavaScript built file maybe I would be able to inspect it.

I also tried to read the extension source code on GitHub. After 20 or 30 minutes I can't find a single line that shows me how the requests are made. Then I found a lot of browser.sync, but this also requires me to understand what the extension polyfill does, and I found out there are a lot of external dependencies I need to inspect to be sure they are not compromised as well. I went to the npm dependency page and the Fastmail masked email package is also provided by you, but then it is another place to audit, and I need to be sure the package on npm is not compromised by a third party and is the exact output of your GitHub code.

So I concluded this is a very interesting project, one that I want to use. But until I have time to go through the whole extension and build it myself using local copies of all of your dependencies, I don't want to keep it installed. So I am considering building a simple version from scratch for my own use, with zero dependencies and pure JavaScript. It might be easier than learning all of your stack. The only library I know is React. So I'll probably not bother learning Vite, learning Tailwind, and reading all of the code. I now realize why other extensions are often just one large JavaScript file instead of being broken down into modules like you did. Your code looks great, and I am pretty sure you are very productive with it, as you use a stack you are familiar with. But maybe it is too much for privacy-concerned people, the ones who took the time to set up Fastmail and the masked email feature.

Finally, I just want to remind you that I am sending this feedback in good faith and I am open to conversation, as I find this privacy and security topic very interesting to chat about. And although I am not yet a user of the extension, I want you to know I very much appreciate your effort and your contribution of making it open source. Thank you.
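The first thing a reviewer would verify in an unpacked extension, before reading a minified bundle, is what the manifest itself permits. The check below is an added example (not masked-email-manager's own code) run against a constructed manifest: it reports any host permission or CSP connect-src source that reaches beyond fastmail.com. The ALLOWED list is an assumption about which API hosts the extension should need.

```javascript
// Added example, not masked-email-manager's code: audit an unpacked Chrome MV3
// manifest.json for the property the issue asks about, namely which origins the
// extension is allowed to contact. ALLOWED is an assumption about the API hosts.
const ALLOWED = ["fastmail.com", "api.fastmail.com"];

// Host of a match pattern or CSP source; "*" for catch-alls, null for keywords
// such as 'self', bare scheme sources such as "https:", or unparsable input.
function originHost(src) {
  if (src === "<all_urls>" || src === "*") return "*";
  const m = /^(?:\*|[a-z]+):\/\/([^/:]+)/i.exec(src);
  return m ? m[1] : null;
}

// Exact allowed host, or a wildcard subdomain of one (*.fastmail.com).
function hostAllowed(host) {
  if (host === null || host === "*") return false;
  if (host.startsWith("*.")) return ALLOWED.includes(host.slice(2));
  return ALLOWED.includes(host);
}

// Parse "name v1 v2; name2 v3" into { name: [v1, v2], name2: [v3] }.
function parseCsp(csp) {
  const entries = csp.split(";").map(d => d.trim().split(/\s+/)).filter(d => d[0]);
  return Object.fromEntries(entries.map(([name, ...values]) => [name, values]));
}

function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.host_permissions || []) {
    if (!hostAllowed(originHost(p))) findings.push(`host_permissions grants ${p}`);
  }
  // connect-src limits fetch/XHR from extension pages; default-src is its fallback.
  const dirs = parseCsp((manifest.content_security_policy || {}).extension_pages || "");
  const connect = dirs["connect-src"] || dirs["default-src"];
  if (!connect) findings.push("CSP sets no connect-src/default-src; outbound requests are unrestricted by CSP");
  for (const src of connect || []) {
    if (src === "'self'" || src === "'none'") continue;
    if (!hostAllowed(originHost(src))) findings.push(`CSP connect-src allows ${src}`);
  }
  return findings;
}

const SAMPLE_MANIFEST = { // constructed, not the extension's real manifest
  manifest_version: 3, permissions: ["storage"], host_permissions: ["https://api.fastmail.com/*"],
  content_security_policy: { extension_pages: "default-src 'self'; connect-src 'self' https://api.fastmail.com" },
};
console.log(auditManifest(SAMPLE_MANIFEST)); // [] : nothing reaches beyond fastmail.com
```

Run it on the manifest.json found in the installed extension folder mentioned above; an empty result means the manifest grants no origin outside the allowed list, though it says nothing about what the bundled code does within those grants.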

The automated release is failing 🚨

🚨 The automated release from the main branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the main branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.


The item cannot be updated now because it is in pending review, ready to publish, or deleted status.

Unfortunately this error doesn't have any additional information. Feel free to kindly ask the author of the semantic-release-chrome plugin to add more helpful information.


Good luck with your project ✨

Your semantic-release bot 📦🚀

Chrome plugin on Edge browser

Describe the bug
I set up the plugin as described, created the token with account access for masked emails and added the token to the plugin.
The plugin accepted the token but displays no masked emails. I have dozens on my account.
I have logged out and re-entered the token with the same result.

Running Edge browser (up to date) Version 114.0.1823.67 (Official build) (64-bit) on Windows 11.
Potential plugin conflicts: Privacy Badger and uBlock Origin

Screenshots

The automated release is failing 🚨

🚨 The automated release from the develop branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the develop branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.


Environment variable not found: GOOGLE_CLIENT_ID. Check the README.md for config info.

Unfortunately this error doesn't have any additional information. Feel free to kindly ask the author of the semantic-release-chrome plugin to add more helpful information.


Environment variable not found: GOOGLE_CLIENT_SECRET. Check the README.md for config info.

Unfortunately this error doesn't have any additional information. Feel free to kindly ask the author of the semantic-release-chrome plugin to add more helpful information.


Environment variable not found: GOOGLE_REFRESH_TOKEN. Check the README.md for config info.

Unfortunately this error doesn't have any additional information. Feel free to kindly ask the author of the semantic-release-chrome plugin to add more helpful information.


Good luck with your project ✨

Your semantic-release bot 📦🚀