Is USO Chrome Extension safe?
This security report analyses whether USO Chrome Extension is safe to install on your browser. We check USO Chrome Extension for malicious behaviour, data exfiltration, suspicious permissions, and known vulnerabilities so you can decide if USO Chrome Extension is safe for your personal or enterprise fleet.
Extension implements native messaging bridge with eval() code execution from untrusted sources and postMessage handlers without origin validation, creating significant security risks.
AI-generated. Findings may contain errors. Those marked Verified have been manually reviewed.
Publishers can request a review.
Findings
postMessage handler forwards messages to native app without origin validation
usoContent.js lines 87-95 registers window.addEventListener('message', OnMessagePage) on hytera.com, start.uso, webui, ucmanager, ucmweb domains. OnMessagePage (lines 48-66) checks event.source != window but NOT event.origin, so any script running in the same page context (third-party ad scripts, compromised CDNs) can send arbitrary messages that are forwarded verbatim to the native app via port.postMessage(event.data). The only structural check is presence of event.data.params.
Extension executes arbitrary JavaScript from native app via eval() and broadcasts it to all frames
usoContent.js lines 10-20: when a message arrives from the background with type==1 and command=='eval', the content script calls eval(msg.script) unconditionally, then calls window.postMessage(msg, '*') broadcasting the same eval payload to all frames. usoBackground.js lines 583-587 relays native messaging port messages with command=='eval' directly to all content scripts via SendMessageContent(msg). The native app (app.native.uso) is the source — no signature or integrity check on the script payload.
Dynamic JavaScript construction via string concatenation of native-app-supplied values injected into chrome.tabs.executeScript
usoBackground.js lines 245-314: functions usoFill() and usoMatchByIndex() build JavaScript code strings by concatenating msg.value, msg.tag, msg.index (received from native app) into code templates, then execute via chrome.tabs.executeScript({code: scr}). Basic escaping (replace \, ') is applied to msg.value in usoFill but msg.tag and msg.index are inserted raw. If the native app processes untrusted data (network, user files), injection into the code template is possible.