Is Watch2Gether safe?
This security report analyses whether Watch2Gether is safe to install in your browser. We check Watch2Gether for malicious behaviour, data exfiltration, suspicious permissions, and known vulnerabilities so you can decide whether it is safe for personal use or for your enterprise fleet.
Watch2Gether is a legitimate video synchronization extension with postMessage handlers that lack origin validation, presenting a moderate security concern.
AI-generated. Findings may contain errors. Those marked Verified have been manually reviewed.
Findings
controls.html postMessage handler accepts play/pause/seek commands from any origin without validation
controls.0a6d2659.js line 205 registers a window.addEventListener('message') handler that processes play, pause, durationchange, timeupdate, videofound, and resync commands without checking event.origin. The handler responds to any origin and sends responses via window.top.postMessage(msg, '*'). controls.html is served as a web-accessible resource and embedded in pages as an iframe, allowing any hosting page to send control commands.
Netflix adapter accepts w2g_seek commands from any page to control Netflix player via internal API
w2g_netflix_adapter.js line 161 registers a window.addEventListener('message') handler that processes w2g_seek messages without origin validation. _getPlayer() accesses window.netflix.appContext.state.playerApp.getAPI() to seek to the specified position. Any page script (not just Netflix or w2g.tv) can send seek commands to control the Netflix video playback position via the internal Netflix API.