lemlist

Work with lemlist from LinkedIn, Gmail, and CRM. Enroll, enrich, personalize, and call - all in one interface. No more switching tabs or juggling tools. The lemlist Chrome extension brings the power o...

Publisher

lemlist.com

Version

4.2.9

Rating

4.7

💬Reviews

84

📥Installs

60,000

Published

October 24, 2025

🌐 Website

lemlist.com

Permissions

activeTab, tabs, cookies, storage

Host Permissions

*://*.linkedin.com/*
*://mail.google.com/*
*://localhost/*
*://*.lemlist.com/*
*://*.lempire.com/*
*://*.force.com/*
*://*.lightning.force.com/*
*://*.my.salesforce.com/*
*://*.visual.force.com/*
*://*.hubspot.com/*

Security Findings

9 findings

Data Exfiltration Risk

1 issue

Potential for sensitive data to be sent externally

LinkedIn Cookie Sent to Server

high

The LinkedIn session cookie 'li_at' is read through chrome.cookies and POSTed to lemlist servers during profile enrichment and user-status updates. li_at is LinkedIn's authentication cookie: whoever holds it can drive the user's LinkedIn session until it expires or the user logs out, so the vendor (and anyone who compromises its servers) receives a replayable credential, not merely an identifier, and can link that session to the lemlist account persistently. ⚠️ [cookie sensitivity]

src/background.js
Line 69

Excessive Permissions

1 issue

Extension requests more permissions than necessary

Broad host_permissions Scope

medium

Host permissions cover localhost alongside Salesforce (force.com, lightning.force.com, my.salesforce.com, visual.force.com), HubSpot, Gmail and LinkedIn. The localhost grant is usually a development leftover; it lets extension code run on, and call, whatever is listening on the user's loopback interface. The CRM grants let content scripts read and modify pages that hold customer data. Every pattern uses the *:// scheme, so plain-http origins are matched as well as https. Review needed. ⚠️ [localhost exposure]

manifest.json
Line 105

Obfuscated Code

1 issue

Code is minified or obfuscated, making analysis difficult

Standard Minified Libraries Included

low

Includes minified versions of jQuery, Popper, and Tippy.js. No custom or suspicious obfuscation detected. Vendored copies are not updated by the browser, so the bundled versions should still be checked against known advisories.

src/lib/jquery.js

External API Calls

3 issues

Extension communicates with external services

Unlimited Web Accessible Resources

medium

web_accessible_resources uses wildcard resource paths with <all_urls> matches, so any web page can load the extension's internal scripts and CSS by their chrome-extension:// URL. That lets arbitrary sites fingerprint the installed extension and its version, and hands an attacker page scripts that were written to run only from the extension's own UI or content scripts. Narrow the resources list to the files injected pages actually need and the matches list to the hosts the extension works on. ⚠️ [<all_urls>]

manifest.json
Line 80
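The two manifest findings above (broad host_permissions and wildcard web_accessible_resources) are mechanical to check. The script below is an added example written for this page, not code from the lemlist extension or its audit tool. The host_permissions in the sample manifest are the ones listed on this page; the permissions list and the web_accessible_resources entry are constructed assumptions chosen to exercise the wildcard case.

```javascript
// Added example (not lemlist code): audit a Chrome extension manifest for
// over-broad host_permissions and wildcard web_accessible_resources.

const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]", "0.0.0.0"]);

// Parse a Chrome match pattern into scheme / host / path.
// Returns null for a string that is not a valid match pattern.
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") {
    return { scheme: "*", host: "*", path: "/*", allUrls: true };
  }
  const m = /^(\*|https?|file|ftp|chrome-extension):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return null;
  return { scheme: m[1], host: m[2], path: m[3], allUrls: false };
}

// Flag host permissions that match every origin, a loopback host, or plain http.
function auditHostPermissions(hostPermissions = []) {
  const issues = [];
  for (const pattern of hostPermissions) {
    const p = parseMatchPattern(pattern);
    if (!p) {
      issues.push({ pattern, severity: "info", reason: "not a valid match pattern" });
    } else if (p.allUrls || p.host === "*") {
      issues.push({ pattern, severity: "high", reason: "matches every origin" });
    } else if (LOCAL_HOSTS.has(p.host.replace(/^\*\./, ""))) {
      issues.push({ pattern, severity: "medium",
        reason: "loopback: extension can reach services on the user's machine" });
    } else if (p.scheme === "*") {
      issues.push({ pattern, severity: "low",
        reason: "also matches http://, so a network attacker can serve a page the content script runs on" });
    }
  }
  return issues;
}

// MV2 web_accessible_resources is a flat list visible to every origin; MV3 entries
// carry a `matches` list that should be as narrow as the feature allows.
function auditWebAccessibleResources(war = []) {
  const issues = [];
  if (war.length > 0 && typeof war[0] === "string") {
    issues.push({ resources: war, matches: ["<all_urls>"], severity: "medium",
      reason: "MV2 list: every resource is loadable from any web page" });
    return issues;
  }
  for (const entry of war) {
    const resources = entry.resources || [];
    const matches = entry.matches || [];
    const wildResources = resources.filter((r) => r.includes("*"));
    const broadMatches = matches.filter((m) => {
      const p = parseMatchPattern(m);
      return p === null || p.allUrls || p.host === "*";
    });
    if (wildResources.length > 0 || broadMatches.length > 0) {
      issues.push({ resources, matches, severity: "medium",
        reason: `wildcard resources [${wildResources}] exposed to matches [${broadMatches}]` });
    }
  }
  return issues;
}

function auditManifest(manifest) {
  // MV2 keeps host patterns inside `permissions`; MV3 moves them to `host_permissions`.
  const hostPermissions = manifest.manifest_version === 3
    ? manifest.host_permissions || []
    : (manifest.permissions || []).filter((p) => p.includes("://") || p === "<all_urls>");
  return {
    hosts: auditHostPermissions(hostPermissions),
    webAccessible: auditWebAccessibleResources(manifest.web_accessible_resources),
  };
}

// Constructed sample: host_permissions copied from this page's listing; the
// permissions array and web_accessible_resources entry are assumptions.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  permissions: ["activeTab", "tabs", "cookies", "storage"],
  host_permissions: [
    "*://*.linkedin.com/*", "*://mail.google.com/*", "*://localhost/*",
    "*://*.lemlist.com/*", "*://*.lempire.com/*", "*://*.force.com/*",
    "*://*.lightning.force.com/*", "*://*.my.salesforce.com/*",
    "*://*.visual.force.com/*", "*://*.hubspot.com/*",
  ],
  web_accessible_resources: [{ resources: ["src/*"], matches: ["<all_urls>"] }],
};

const SAMPLE_REPORT = auditManifest(SAMPLE_MANIFEST);
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

Run against the sample, the report flags the localhost grant as medium, the nine remaining *:// patterns as low (http matched), and the src/* entry with <all_urls> as medium; a manifest with https-only hosts and a narrow matches list produces no findings.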

Direct network calls to lemlist.com

medium

Multiple fetch calls to https://app.lemlist.com for profile enrichment and user status carry the lemlist userId, LinkedIn cookies and the extension version. That ties the user's LinkedIn session to their lemlist identity server-side. The destination is the vendor's own first-party domain, so the concern is what is sent, not where.

src/background.js
Line 69

Network Calls in Content Scripts

medium

Content scripts issue fetch/XHR from inside the LinkedIn, Gmail and CRM pages they are injected into, so anything scraped from those pages can be sent to a remote origin. Such requests are subject to the same CORS rules as the page's own scripts, which limits but does not prevent outbound data flow.

src/inject.js
Line 302

Internal API Usage

3 issues

Extension uses privileged chrome.* extension APIs

Use of chrome.storage

low

Persists extension state and context. Usage matches feature set.

src/background.js
Line 32

Use of chrome.tabs API

low

Controls/reloads tabs and sends messages in context. Expected for this extension type.

src/background.js
Line 18

Use of chrome.cookies API

low

Accesses cookies for LinkedIn to extract session and status. Aligned with enrichment features.

src/background.js
Line 24