When assessing software granted access to the core of your digital workflow—your web browser—the only objective source of truth is not marketing copy, but the manifest.json file. This file serves as the extension's blueprint, where the developer is legally and technically required to explicitly declare to Google Chrome which system functions and user data it intends to access.
We downloaded the official CRX package of the popular "accelerator" uBoost (version 8.11.9), unpacked it, and performed a line-by-line architecture audit. The findings present significant security concerns for hundreds of thousands of users.
---Comparative Analysis: Shustree Requests vs. uBoost Hidden Capabilities
Below is a technical comparison mapping the verified system requirements of a standard traffic routing tool (Shustree) against the excessive permissions requested by uBoost for an identical core tunneling capability:
| Parameter / Permission | Shustree (v1.7.3) | uBoost (v8.11.9) | Actual Technical Implication |
|---|---|---|---|
management |
Absent | Present | Provides control over third-party extensions, allowing the software to monitor, disable, or disrupt competing applications (such as Shustree). |
cookies |
Absent | Present | Grants unrestricted access to session states, authorization tokens, and personal user accounts across all domains. |
content_scripts |
Not utilized | 6 cascading rules of unmonitored JS injections | Forces JS execution into the DOM environment prior to page rendering (document_start mode). Intercepts interface control on Google and YouTube domains. |
[View] Complete manifest.json of the uBoost Extension (v8.11.9)
{
"update_url": "https://clients2.google.com/service/update2/crx",
"manifest_version": 3,
"name": "__MSG_extName__",
"version": "8.11.9",
"description": "__MSG_extDescription__",
"permissions": [
"proxy",
"storage",
"webRequest",
"webRequestAuthProvider",
"activeTab",
"tabs",
"alarms",
"management",
"cookies",
"unlimitedStorage"
],
"host_permissions": [
"https://*.youtube.com/*",
"https://*.youtu.be/*",
"https://*.googlevideo.com/*",
"https://*.play.google.com/*",
"https://*.ytimg.com/*",
"https://*.witch.tv/*",
"https://staticfiles.cukubst.top/*",
"https://uboost.space/*",
"https://ubst.space/*",
"*://*.vpnn.loan/*",
"*://*.yandexcloud.net/*",
""
],
"action": {
"default_popup": "action/default_popup.html",
"default_icon": {
"16": "icons/icon16.png",
"48": "icons/icon48.png",
"128": "icons/icon128.png"
}
},
"content_scripts": [
{
"matches": [
"*://*.ubstv.click/*",
"*://*.naruzhu.work/*",
"*://*.naruzhu.am/*",
"*://*.uboost.am/*"
],
"js": [
"content_scripts/content-0.js"
],
"run_at": "document_start",
"css": [
"content_scripts/content-0.css",
"content_scripts/content-1.css"
]
},
{
"matches": [
"*://*.youtube.com/*",
"*://*.youtu.be/*"
],
"js": [
"content_scripts/content-1.js"
],
"run_at": "document_idle",
"css": [
"content_scripts/content-0.css",
"content_scripts/content-1.css"
]
},
{
"matches": [
"*://*.youtube.com/*",
"*://*.google.com/*",
"*://*.youtu.be/*"
],
"js": [
"content_scripts/content-2.js"
],
"css": [
"content_scripts/content-0.css",
"content_scripts/content-1.css"
],
"run_at": "document_start"
},
{
"matches": [
"*://*.youtube.com/*",
"*://*.youtu.be/*",
"*://*.googlevideo.com/*",
"*://*.play.google.com/*",
"*://*.ytimg.com/*",
"*://*.witch.tv/*"
],
"js": [
"content_scripts/content-3.js"
],
"run_at": "document_start",
"css": [
"content_scripts/content-0.css",
"content_scripts/content-1.css"
]
},
{
"matches": [
"https://storage.googleapis.com/uboost/welcome/*",
"https://storage.yandexcloud.net/vpnn-web-configs/uboost/welcome/*",
"https://storage.googleapis.com/uboost/welcome-new/*",
"https://storage.yandexcloud.net/vpnn-web-configs/uboost/welcome-new/*",
"https://storage.googleapis.com/uboost/welcome-back/*",
"https://storage.yandexcloud.net/vpnn-web-configs/uboost/welcome-back/*"
],
"js": [
"content_scripts/content-4.js"
],
"run_at": "document_start",
"css": [
"content_scripts/content-0.css",
"content_scripts/content-1.css"
]
},
{
"matches": [
"*://*.storage.googleapis.com/*",
"*://*.storage.yandexcloud.net/*"
],
"js": [
"content_scripts/content-5.js"
],
"css": [
"content_scripts/content-0.css",
"content_scripts/content-1.css"
],
"run_at": "document_idle"
}
],
"web_accessible_resources": [
{
"resources": [
"fonts/Press_Start_2P/*.ttf"
],
"matches": [
""
]
},
{
"resources": [
"fonts/CyGrotesk/*.otf"
],
"matches": [
""
]
},
{
"resources": [
"assets/icon128.png",
"assets/cross.svg",
"assets/logo-peremen.png"
],
"matches": [
"*://*.ubstv.click/*",
"*://*.naruzhu.work/*",
"*://*.naruzhu.am/*",
"*://*.uboost.am/*"
]
},
{
"resources": [
"assets/icon128.png",
"assets/cross.svg",
"assets/logo-peremen.png",
"assets/icon.png"
],
"matches": [
"*://*.youtube.com/*",
"*://*.youtu.be/*"
]
},
{
"resources": [
"assets/icon128.png",
"assets/cross.svg",
"assets/logo-peremen.png"
],
"matches": [
"https://storage.googleapis.com/*",
"https://storage.yandexcloud.net/*",
"https://storage.googleapis.com/*",
"https://storage.yandexcloud.net/*",
"https://storage.googleapis.com/*",
"https://storage.yandexcloud.net/*"
]
},
{
"resources": [
"assets/icon128.png",
"assets/cross.svg",
"assets/logo-peremen.png",
"assets/icon.png"
],
"matches": [
"*://*.storage.googleapis.com/*",
"*://*.storage.yandexcloud.net/*"
]
}
],
"icons": {
"16": "icons/icon16.png",
"48": "icons/icon48.png",
"128": "icons/icon128.png"
},
"default_locale": "ru",
"background": {
"service_worker": "background/service_worker.js"
}
} [View] Transparent and Minimalist manifest.json of the Shustree Extension
{
"manifest_version": 3,
"name": "__MSG_appName__",
"version": "1.7.4",
"default_locale": "en",
"permissions": [
"proxy",
"tabs",
"alarms",
"storage",
"webRequest",
"webRequestAuthProvider"
],
"host_permissions": [
"*://shustree.ru/*",
""
],
"description": "__MSG_appDesc__",
"icons": {
"16": "img/shustree16.png",
"32": "img/shustree32.png",
"48": "img/shustree48.png",
"128": "img/shustree128.png"
},
"background": {
"service_worker": "shustreeBackground.js"
},
"action":{
"default_popup": "shustree.html",
"default_title": "__MSG_defaultTitle__"
},
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'self';"
}
} The Black Box Risk: Hidden Content Scripts and Remote Code
The "content_scripts" block in the uBoost manifest indicates 6 cascading code injections configured to execute at "document_start". This technical configuration forces an obfuscated script into the page environment before the browser processes or renders the legitimate host website interface.
Operational Impact: Users observe that during the initial seconds of YouTube video buffering, the native Google player is temporarily superseded by a custom interface displaying the uBoost logo. Programmatically, this represents a classic instance of Browser Hijacking—the systematic preemption of page interface control by an isolated script package.
The Chromium runtime environment cannot validate execution payloads nested within these obfuscated code strings. Furthermore, the declaration of external endpoints (e.g., yandexcloud.net, googleapis.com, cukubst.top) confirms the integration of Remote Code Execution (RCE) pathways. The extension fetches runtime configurations and active JS binaries from third-party cloud assets dynamically. While the current execution scope displays a UI overlay, a remote server command can modify these scripts to act as credential harvesters or session-hijacking tools targeting financial or authentication data.
Mechanics of Unfair Competition: The Management API Dependency
A dedicated traffic-routing mechanism requires no technical dependencies on the "management" API. The inclusion of this permission by uBoost indicates a deliberate strategy to enforce network-stack exclusivity.
By leveraging this permission, the uBoost background Service Worker can programmatically detect when a user enables Shustree and forcefully reset the chrome.proxy state. This aggressive override loop systematically disrupts the operation of secure, non-interfering extensions.
Core Design Distinction: While uBoost is architected to isolate and capitalize on YouTube traffic within a closed, obfuscated system, Shustree functions as a transparent, general-purpose routing utility. The Shustree infrastructure natively supports high-throughput routing to advanced AI environments—including Gemini, ChatGPT, and Claude—which strictly demand unaltered network paths, zero JS injection overhead, and total session token integrity.---
Code Obfuscation at Scale
Static analysis of the uBoost core application reveals an extensive JavaScript codebase heavily modified by aggressive obfuscation tools. Variable names are systematically randomized into unreadable character arrays, and the logical control structures are deliberately complicated.
A legitimate routing service operating on verifiable, transparent whitelist parameters requires no structural concealment. Shustree retains an open, auditable architecture backed by a minimal manifest signature that eliminates hidden entry vectors.
---Conclusion: Performance vs. Security Trade-offs
Deploying software assets that require comprehensive management, cookies access, and unmonitored runtime DOM manipulation via content_scripts introduces severe data liability. When evaluating network utilities, users must verify why a localized proxy mechanism demands the capacity to read session tokens and manipulate concurrent software states.
To establish verified control over your local browser runtime, mitigate unauthorized session tracking, and secure uncompromised data throughput to both media platforms and global AI infrastructures, we recommend removing obfuscated extensions in favor of the transparent, engineered design of Shustree.