How secure or vulnerable is the Chrome Extension?

Jon McLaren edited this page Feb 23, 2019 · 1 revision

The core team does not have a professional security researcher on it. That said, we do follow Google's security guidelines.

We request only the minimal permissions from the browser and user needed to perform the task. We use Google Analytics in the extension to get basic anonymized data about how the extension is being used. This is very similar to Google Analytics for websites. The main difference is that it gives us less information, as the analytics script cannot access as much info. We are transparent with our usage statistics, periodically sharing some of the information for the betterment of the HubSpot Community.

We take user privacy very seriously. There is no functionality built in that would allow the extension to record browsing history, or even the sites you use different functions on.

That said, since the extension uses query parameters for many of its functions, the servers of the site you use them on can likely see those parameters being used. Seeing as it's probably always going to be HubSpot sites, that means HubSpot may be able to tell when the parameters are used, and since they have their normal analytics script installed, HubSpot could theoretically tie that data to a contact record in HubSpot. Again, though, you'll likely only use the extension on your own HS sites and client sites, so that shouldn't be a big deal.

If you know a thing or two about infosec, we would encourage you to look through our GitHub and see if you can find any security holes. If you do, please let us know and we will do our best to patch it quickly. We don't have money for a bounty program (the extension is free), so just know your efforts will help the HS developer community as a whole.

Security tests run against the Chrome extension:

  • Doliere Some Extension Analyzer - checks against Exposed/vulnerable APIs #191 - passed, nothing exploitable.
  • CRXcavator report