Arwan Web Extension

The bundled manifest declares manifest_version 3 and host_permissions scoped to `*.arwan.app`, but the live CWS published manifest summary shows manifest_version 2 with permissions scoped to `*.arwan.biz` — a different TLD. This discrepancy means the extension that users installed may behave differently from what the store listing describes, and the domain shift from `.biz` to `.app` is unacknowledged in the listing. A permissions or domain mismatch between the published and bundled manifest is itself a high-severity finding under the review criteria.

{  "manifest_version": 3,  ...  "host_permissions": [    "*://*.arwan.app/",    "*://*.arwan.app/*"  ]}

The content script accepts `window.postMessage` commands solely by checking `event.data.source == 'page'` with no `event.origin` validation. Any JavaScript executing in the arwan.app page context — including third-party scripts loaded by that page — can send `START SESSION`, `START ENROLLMENT SESSION`, or `FINALIZE` messages that drive native messaging to the fingerprint hardware and relay biometric payloads to the server. If arwan.app is ever compromised or serves malicious ads/scripts, an attacker could silently trigger biometric data collection on behalf of arbitrary user IDs.

window.addEventListener("message", (event) => {  if (event.data.source != "page") {    return  }  switch (event.data.type) {    case "START SESSION":    case "START ENROLLMENT SESSION":    case "TRIAL MATCH":    case "FINALIZE":      changeStatusText("Connecting to 1Rotary Servers")      background.postMessage(event.data)      break;    case "END SESSION":      background.postMessage({        type: "END SESSION"      })      break;    case "FORCE END SESSION":      background.postMessage({        type: "FORCE END SESSION"      })      break;  }})