Is 秀米插件 safe?
This security report analyses whether 秀米插件 is safe to install on your browser. We check 秀米插件 for malicious behaviour, data exfiltration, suspicious permissions, and known vulnerabilities so you can decide if 秀米插件 is safe for your personal or enterprise fleet.
Legitimate content transfer extension for Xiumi.us editor with postMessage handler lacking origin validation, allowing any webpage to trigger message relay functionality.
AI-generated. Findings may contain errors. Those marked Verified have been manually reviewed.
Publishers can request a review.
Findings
postMessage handler on xiumi.us executes cross-origin messages without origin validation
scripts/crossoverSource.js lines 73-80 listen for window messages with __tn_callee__='tn.xover.trigger' and execute the corresponding method. While source===window is checked (line 53), the origin field is extracted (line 86) but never validated. Any page in the same window context can trigger content transfer operations to WeChat MP (mp.weixin.qq.com).
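As an added example (not the extension's own code), the following minimal model of the listener described above shows the source-only check beside a version that also validates event.origin against an allowlist; the handler names, the allowlist and the event objects are constructed assumptions so it runs under Node without a browser.

```javascript
// Dispatch table keyed by the __tn_callee__ field named in the finding.
// The handler body is a stand-in: it only records that a relay would happen.
const handlers = {
  'tn.xover.trigger': (payload) => ({ relayed: true, callee: payload.__tn_callee__ }),
};

// Constructed stand-in for the page's own window object.
const THIS_WINDOW = { name: 'constructed-page-window' };

// Pattern the finding describes: event.source is compared to window,
// event.origin is read but never compared to anything.
function handleMessageUnsafe(event, thisWindow = THIS_WINDOW) {
  if (event.source !== thisWindow) return { relayed: false, reason: 'source' };
  const origin = event.origin; // extracted, then ignored (the defect)
  void origin;
  const callee = event.data && event.data.__tn_callee__;
  const fn = handlers[callee];
  if (!fn) return { relayed: false, reason: 'unknown callee' };
  return fn(event.data);
}

// Hardened form: reject any message whose origin is not explicitly allowed.
// The allowlist contents are an assumption for this example, not the project's.
const ALLOWED_ORIGINS = new Set(['https://xiumi.us']);

function handleMessageSafe(event, thisWindow = THIS_WINDOW, allowed = ALLOWED_ORIGINS) {
  if (event.source !== thisWindow) return { relayed: false, reason: 'source' };
  if (typeof event.origin !== 'string' || !allowed.has(event.origin)) {
    return { relayed: false, reason: 'origin' };
  }
  const callee = event.data && event.data.__tn_callee__;
  const fn = handlers[callee];
  if (!fn) return { relayed: false, reason: 'unknown callee' };
  return fn(event.data);
}

// Constructed sample events: one from the expected origin, one from elsewhere.
const fromExpected = { source: THIS_WINDOW, origin: 'https://xiumi.us',
                       data: { __tn_callee__: 'tn.xover.trigger' } };
const fromOther = { source: THIS_WINDOW, origin: 'https://other.example',
                    data: { __tn_callee__: 'tn.xover.trigger' } };
```

The unsafe handler relays both constructed events because it never inspects origin; the hardened one relays only the first and reports 'origin' for the second.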