Using fake reviews to find dangerous extensions (krebsonsecurity.com)
257 points by todsacerdoti on May 29, 2021 | hide | past | favorite | 103 comments



> In other words, there are a great many developers who are likely to be open to someone else buying up their creation along with their user base.

As a maintainer of a relatively popular extension (hoverzoom+, ~360K users) I get business offers all the time [1]. A few of them are pretty good, actually. I'm not surprised that some developers eventually give up and take one of those offers. But I am surprised that there aren't more of these "under new management" extensions, or maybe we just don't know about them.

[1] https://github.com/extesy/hoverzoom/discussions/670


Related current thread based on that link:

Many temptations of an open-source Chrome extension developer - https://news.ycombinator.com/item?id=27327892


The Hover Zoom extension I'm seeing in the Chrome Store [1] refers to a prior version that was overrun by malware and removed from the store.

> This is an open source version of the original HoverZoom extension which is now overrun by malware and deleted from store. In this version all spyware has been removed, many bugs were fixed and new features were added.

Were you involved with the project when that all went down?

1: https://chrome.google.com/webstore/detail/hover-zoom%20/pccc...


No, that was a different developer.


Do you think reporting these requests to the store(s) in question might result in investigation, or at the least, a list of suspicious investors to use to vet extensions/apps?


I don't think that would be useful, for two reasons:

1. What rules are being violated by these offers? It is what happens after the sale that might break the rules, but I can't report someone for having bad intentions.

2. I do not believe Google would be interested in spending even a minute of their precious human time to do any real investigation. If they can't automate the solution then they ignore the problem.


> 1. What rules are being violated by these offers? It is what happens after the sale that might break the rules, but I can't report someone for having bad intentions.

They might be people who were already banned for modifying other extensions into malware, back at it again on a new account. The hint that they're trying the same tactic might be enough to link their previous and new accounts, and then ban them again.


Seems like the stores could investigate this on their own by creating fake extensions that appear to have lots of users.


I would love to see a public database of app buyers. I think some interesting insights could come out of it.


I moved from old HoverZoom to Imagus, wasn't aware a reboot of HoverZoom was around, thanks for sharing. I'm curious how the sieves and also writing custom sieves compare, if anyone has experience with both.


Imagus has been abandoned by the developer. It no longer works on many sites.


Makes sense, recently had it break with a couple of sites, and I noticed the sieve is a big JSON file it downloads from its own server. Will try Hoverzoom+ and see how it goes.


Reminds me of Pirate Bay posting those DMCA emails or takedown notices. Of course not in the same league as random "Business Development" cold emails, but it's an interesting public service.

Especially for other extension devs who may share similar experiences to see, and to help expose a pattern of waste-of-time proposals (which I think at that point outweighs any assumed privacy; it was a cold email after all).

Half of those were probably scammers anyway.


Woah indeed. Just doing the math it's about $1k per year for 10k-15k users? Roughly?

That could be very enticing for a lot of developers.

Thanks for sharing this.


Yeah, knowing the financial incentives makes me very cautious about installing any new extensions. And even for the old extensions I check the recent comments from time to time to see if there's any suspicious new behavior.


Woah. That's really quite something O_O


I treat each and every Chrome extension as potentially malware, given that there are plenty of instances of legit extensions being sold and repurposed, and Chrome will silently install malware on my machine because of its auto-update-without-asking-or-verifying policy. I only trust a few, select extensions from large companies that hopefully won't sell them to a shady hacker.


I build my own personal Chrome extensions to be used only by myself and I treat them as potentially malware every single time I type `npm install`. If I built an extension to share, I would likely make it completely with vanilla JavaScript.


One approach would be to intercept your own traffic with Fiddler as a proxy for a few hours after installing and look for any nefarious requests. This is a pretty effective way to run a basic security audit.


Only effective against ones that don’t have activation criteria.


Usually the activation criteria will be "Contact this server and see what it tells me to do".

An extension developer ought to know the exact purpose of every network request their extension makes, so inspecting network logs is indeed a good plan.

Just remember there are ways to detect if the developer tools panel is open...


> Usually the activation criteria will be "Contact this server and see what it tells me to do".

Right, but it could be set up to only do that starting six months after installation or something.


Yep, but it's a good start. Why I called it a "basic audit".


Yes, for open source extensions that don't update often I load them unpacked from my local filesystem.


> The extensions spoofed a range of consumer brands, including Adobe, Amazon, Facebook, HBO, Microsoft, Roku and Verizon

Does the Chrome store not require that the dev account associated with these extensions be on the official corporate domains? That would seem like an easy way to prevent spoofing of Fortune 100 companies.


It's the opposite actually, the Chrome store forces the use of @gmail.com addresses, so e.g. Microsoft is publishing Chrome extensions from addresses like legitmicrosoftapps@gmail.com or microsoftofficextension@gmail.com

See: https://news.ycombinator.com/item?id=27192997 (no one could actually tell which were legit and which were not)


This isn't my experience. I created my dev account years ago with a non-gmail account. Admittedly, it is a corporate account that is managed by google, but I don't think there was any step in the process that required this.

It's possible that things have changed since I created my account nearly a decade ago, or that somehow I got a pass because google manages my domain's email. But they definitely do not force @gmail.com addresses for all devs.

EDIT: See this Microsoft extension [1] for example. It shows @microsoft.com, which is undoubtedly not managed by google like my little old startup's email is!

1: https://chrome.google.com/webstore/detail/microsoft-editor-s...


It is possible to make a non-gmail and non-gsuite google account... Just it isn't obvious how to do so.

You need to go to any google signin page, click "Create account" > "For myself" > "Use my current email instead".

You can then use that to make chrome extensions.


> it is a corporate account that is managed by google

All the counter-examples I could find in the linked thread are Google Mail (for Business), which is functionally the same as requiring a gmail account in that it requires Google to be your mail-provider.


You can also create a Google Account using a non-Google e-mail address, without any special Google Business thing. I did. I keep a Google account tied to my work e-mail address, but there is no Gmail account associated with this Google account. I can use Google services, but all my mail is on our corporate servers.

A lot of people in corporations set things up without necessarily understanding what they're setting up. This includes apps. If you're thinking, "Wouldn't Microsoft know how to set things up correctly?" the answer is "Not necessarily". It's not "Microsoft" setting up some app account, it's a random guy on a random team somewhere in Microsoft, who might not have ever published an app before, much less gotten any training or done much investigation into it.


Thanks for the correction.


It's because of that thread that people mistakenly believe you need a gmail.com address. A bunch of people in that thread guessed you needed a gmail.com address. Others immediately said no, you don't need it and showed examples.

But this is how misinformation spreads. Many people only read it and believe it without looking closer.

We just trust that other people know what they are talking about. :)

... Also I could be wrong, I'm trusting the counter examples in that thread. :D


You're not wrong, and it's easy to prove. Just go to the page where you create a new Google account, and select "Use my current email address instead". Then go to the page where you register to be a Chrome web store developer. You won't see any option forcing you to create a @gmail.com address.


The trust industry is awful and somehow Google and Apple came up with worse versions.

Simple domain validated publishing similar to Let's Encrypt would be way better for devs and users, but that would require Google and Apple to give up control and that doesn't happen in monopoly markets.

Edit: And Microsoft. Between them those 3 companies are the gatekeepers of almost all (signed) app distribution.


> The trust industry is awful and somehow Google and Apple came up with worse versions.

You're putting them in the same bucket, but TFA calls out Google (and not Apple) for good reason.

> Between them those 3 companies are the gatekeepers of almost all (signed) app distribution.

And? I'm assuming you're not saying "software should not be signed", in which case I'm missing your point.


> And? I'm assuming you're not saying "software should not be signed", in which case I'm missing your point.

You're right. I'm not saying "software should not be signed". What I'm saying is the current trust industry is providing almost no value.

When I run an application on Windows that passes SmartScreen, all I know is that some company somewhere paid for an EV code signing certificate. In most cases, I don't know who the company is and don't have a way of finding out. That doesn't benefit me at all and most normal users misunderstand it to mean the company is trustworthy when that's not the case.

I've seen enough malware and adware signed with EV certificates that I personally place their value at zero. That's also influenced by my own experience in getting code signing certificates, where the process used by CAs for identity verification is not anything official, but seems to be a rigid checklist of items that needs to be followed by someone with no cultural or local knowledge of my jurisdiction. I.e.: easy to game once you know the process.

So, for me, the way code is currently signed tells me that someone had $2k USD to start a company and buy an EV certificate. That's it.

When I say that simple, domain validated code signing would be more useful for devs and users, I mean that I'd prefer to have the (ex:) UAC prompt tell me "This application is distributed by example.com" rather than "This application is distributed by Example XYZ LLC". I have a much better chance of determining the trustworthiness of the signer by knowing their domain than I do by knowing their registered business name.

And when I say Google and Apple are worse, I mean they've created systems that are completely opaque. It's "trust us" and they've both demonstrated repeatedly that they aren't worthy of being trusted.

As a specific example for Apple, there was a fake Fall Guys app on their store when it was at peak popularity. The fake app used the IP of the real one to trick users. Starting with the assumption that Apple's capable of ensuring that doesn't happen, you assume it's a legit app. If you expect to see what "website" (aka domain) is distributing the app it gets much easier.

Distributed by fallguys.com vs distributed by fallguysapp.com is the worst IP squatting you'd see and I could visit both sites if I wasn't satisfied enough assuming the more valuable domain is the real app creator.

In addition to that, IP squatting via a domain has a well established set of rules for trademark disputes, so a publisher can take action immediately to protect their trademarks rather than begging Apple or Google to take down a fake app.

The problem with a "good" system is that Apple, Google, and Microsoft have to give up control in order to let publishers self police their IP / trademarks and none of them will do that.

IMHO, anyone doing curation should be liable for IP theft and trademark violations. I have that opinion about _all_ online providers. As soon as they start curating or moderating they should be liable as if they're a publisher / distributor.


I'm surprised anyone ever installs browser extensions, given how many malicious extensions exist, and how intrusive they are whether malicious or not.


Five years ago I had a whole bunch of extensions, but that ended whenever it was that I first learned that there were bad actors buying legitimate extensions from their developers and filling them with malware. After that I dramatically reduced the number I had installed, down to basically a password manager and uBlock Origin. The brief install-time vetting I used to do would do nothing to prevent an auto update from installing something malicious in the future. Nowadays malicious browser extensions are the most common thing I find on family and friends' computers when I'm helping them with an issue.


Can confirm. As a dev of an extension with 10k users I get 3-4 emails a month in my spam which ask me to monetize my extension by secretly changing its users' search engines. My extension is open-source and quite small, but if the change was sneaked in I think most of the users would not notice. I stick to using userscripts for the most part since you can easily check their downloaded source and disable updates.

Example:

From: Beth Anderson <beth@monetize-extensions.com>
Date: Mon 10:58 AM
To: Mostly Spam <dev@x-ing.space>

Hello

I am Beth and I am offering monetization for browser extensions, with everything that is going on our team was extremely focused and productive in creating a way to earn revenue on extensions.

We offer to change default search to Bing or Yahoo on your extension which can earn up to $800 a month per 5000 users. This is a premium product by invitation only and can easily be added to your chrome extensions.

You are might curious to know if it is allowed? And I must say that this is completely allowed! Please reply to this email to discuss this further!

Looking forward hearing from you!

Beth Anderson

Business Development Manager


Open source doesn't solve it completely. What you have in the repo and what is published doesn't have to be the same thing. Unless people are doing the extra effort to compare them, which is extremely rare unless it's quite popular. I've seen this happen a few times.


"You are might curious to know if it is allowed? And I must say that this is completely allowed!"

I feel like this would make a great corporate logo for a discount legal firm on It's Always Sunny In Philadelphia that Charlie would start when high on Elmer's glue.


Yeah. The only extensions people should install are uBlock Origin and EFF extensions like Privacy Badger. All others are potential malware.

I get downvoted a lot every time I post this here.


The downvotes are probably from talking about downvotes, as per site rules?


I never mentioned downvotes before though.


But the question is, how can I install uBlock Origin knowing I got the official version and not a malware infested one.


You can follow ublock origin subreddit


You'd think that download links would be prominently featured on the subreddit, but it's not the case: https://www.reddit.com/r/uBlockOrigin/


The official "home" of uBlock Origin is the GitHub repo[1], you will find all the correct information there.

[1] https://github.com/gorhill/uBlock


Also HTTPS Everywhere by EFF, which can also be used for example to redirect from reddit.com to old.reddit.com.

Also Mozilla's own extensions - 'Firefox Multi-Account Containers' and 'Facebook Container'.


I had this amazing extension for Google Play Music. It had cover art and some great hot keys. I noticed a bug with it pulling low-res cover art sometimes so I tried to see if I could fix it in the source code. The GitHub repo was not public anymore, so I made the changes locally and it worked.

I emailed the dev (his email was on the about section of the extension). He told me that the code was no longer public because he was selling it to someone else that wanted to take it over. I had all kinds of red flags from this, so I uninstalled it right away.


But you could've probably taken the local copy and removed the update URL so it doesn't update itself anymore.

Anyway, since you said "Google Play Music" it's no longer relevant is it.


uBlock Origin and HTTPS Everywhere improved security by removing deceptive advertisements masquerading as legitimate on search engines and freeware download sites. HTTPS Everywhere prevented some forms of HTTPS downgrade attacks. Also uBlock has an option to remove WebRTC IP leaking.


I'm not sure what you mean by non-malicious extensions being intrusive. I use a number of extensions, mostly content-blocking and privacy-related and they mostly just get out of my way. The Firefox Extension Store also has a recommended extensions feature that shows that the extension has been reviewed by Mozilla for privacy and security. Most extensions I use have this seal.


I should have said potentially intrusive. Giving any extension permission to "Access your data for all websites" would give me pause.


Yeah, I get that, but it seems to me like that's worse than the security model for any non-containerized application. If you don't trust the author there really isn't much there that will protect you.


That's fair, but my browser has permission to access my data for all websites, and uBlock Origin probably has my best interests in mind more so than Google Chrome.


It’s because the web is unusable without them. Need the ad blocker and the vertical tree of tabs plus extensions to make Reddit usable, etc…


It’s one of the nice things about brave: it had privacy features built in that you would otherwise need a dozen extensions by various people to do the same. It seems like the built in tracking protections in Firefox have caught up a lot though, I’m not sure if the extensions are as necessary now


Everyone's use case is different. There are definitely a lot of very useful extensions available.


Indeed, it's more required if you're a web developer. Extension to capture whole screen (including scrolled screen), color picker, ruler, even magnifying glass are the ones I usually use.


Of course there are, but the point is, you can not really trust any of them. Today they will be very useful, tomorrow they may be malware, and there is no way for you to know or protect yourself.


This is true of anything you find on github as well.

Open source works on the idea that "given enough eyeballs, all bugs are shallow." The thing people forget is the "enough eyeballs" part. As if people are sitting around auditing every sub-dependency of a sub-dependency of React.

In addition, I don't know of any package repository that requires the authoritative source[1] from github to match the compiled/minified/etc. package that is uploaded and published. And I suspect most repos are vulnerable to this.

There are many popular but unloved packages out there.

[1] I'd also point out how incredibly stupidly dangerous it is that the open source community has basically given Microsoft the keys to be the authoritative source for all of open source. No one has learned a damn thing. And, somewhat ironically, Microsoft buying out an entire user base for their own nefarious purposes really fits the topic at hand.


Three things are absolutely true:

1) Package managers are a huge security risk.

2) Recursive dependencies massively increase that risk.

3) You should check all your dependencies into your repo, or at least some kind of manifest with secured signatures of those dependencies, and never automatically update dependencies.

I see a few things that can improve this situation by quite a lot:

1) Languages should provide an extensive and expressive standard library of some sort, either one bundled with the language, or a tightly vetted and controlled set of first-party dependencies.

2) Package managers should not automatically resolve recursive dependencies, but should force users to manually add all dependencies of any dependency that is added. This additional friction would force you to acknowledge all the risk you are taking on by adding dependencies, and it would force the ecosystem as a whole to reduce the number of dependencies.


How does your reasoning not apply to applications on any device?


Linux users who install their apps via a package manager (other than, iiuc, AUR) have at least the vetting of a third party. And this is why a lot of work goes into reproducible builds and minimal bootstraps.

Apps provided on any platform by major, trusted vendors are much more likely to be safe. Apple/Microsoft/Adobe might find themselves compelled to add a government backdoor, but they're probably not going to chuck in code to send your credit card number to the darkweb.

As for installing random programs from unknown vendors on the Google Play Store, yeah, I'm a bit nervous about that. It would be nice if we could manage trust on such platforms in some way, but all we can do is hope to be on guard at all times. Google clearly doesn't care if you get hacked by a third party, as long as they don't do it directly.


Web browsers do a lot of sandboxing to prevent outside tampering by other applications. Your secured content is encrypted by HTTPS between the server and your browser... but extensions sit inside the browser sandbox, often with full access to your decrypted web traffic.

If most of your secure information is handled via web browsers, as is usually the case today, extensions are drastically more risky than arbitrary software, because of the privileged place in the stack they operate.


Normal applications distributed through app stores tend to have access to a lot less personal data than browser extensions do.


not the person you are replying to, but for me, it applies the same. I only have uBlock Origin and password manager for extensions, and my phone has very few apps. I don't trust other devs to not succumb to temptation, so I don't use their apps. It would not be difficult for me to give up the smart phone for a feature phone.


I have a chrome extension with about 30k users and have always felt like the chrome web store feels sketchy and frankly dangerous. Particularly when dealing with extensions that offer highly desired features on hugely popular sites, e.g. 'download all images off a user's Instagram'. It's ripe for abuse, especially luring in hundreds of thousands of users when the extension is 'fine' then switching over to something not fine.

There are two things that I think would be beneficial: allowing users to easily disable the extension from automatically updating, and allow users to be able to see the source code of the extension directly in the chrome web store. I hope they already have some kind of internal monitoring system for their reviews to set off an internal alert if someone says 'malware' etc and to investigate further.


> Additionally, Google’s account recovery tools indicate many different developer email addresses tied to extensions reviewed here share the same recovery email

What?!? This work was done by an independent researcher. Why is google providing account recovery emails to the general public (and therefore attackers)?!?

Edit: fixed typo; replaced “recovery passwords” with “recovery emails”


Often, account recovery reveals something about where the email will be sent but with some characters in the email redacted. Maybe that’s what’s happening here?


You are correct. Using the "forgot your password" function on Gmail often reveals snippets of the email account used for recovery and authentication of that account.


> Why is google providing account recovery passwords to the general public

It doesn't refer to passwords but email addresses.

And Google doesn't have to provide them even the actual address for them to determine that they are identical, they just need to provide something that maps 1:1 with the email, without the mapping.


The actual email addresses are in screenshots in the article.


Those are the developer emails, not the account recovery emails that it says are shared between different developer emails.

Developer emails for extensions are public normally, so those being revealed aren't an issue.


It looks like spreadsheet has the developer’s public email, not their recovery email.


This thread exposes the challenge of running a business based on a Chrome extension. On the one hand, most users are not savvy enough to install extensions or even understand what they are.

On the other hand, someone who is very savvy knows that the permissions required by many/most browser extensions create an opportunity for massive privacy intrusions and security risks.

It's hard to create a business aimed at people who are savvy enough to know what extensions are but not savvy enough to realize what a huge risk they represent.

note: it's also possible to sell to super-unsavvy users, who do not know what extensions are but are willing to install them anyway.


I would pay for a service that reviewed the source code of my extensions (and other installed software) and stamped each specific version as being OK. Then I'd configure my browser not to update an extension to a new version until the extension-verification service had read through the code of the update and okayed it.

Granted, such a service wouldn't have the resources to review all extensions, but it could probably handle vetting the most popular and updates to those popular extensions. I can even imagine some kind of market that would let a group of people get this service to begin vetting a new extension.



I will make an extension that handles this vetting for you contact me on my official email account notascam@gmaiil.co


Here's a funny story: I was once looking for a figurine online that was sold out everywhere apart from one internet store. So before giving them my money I read some of the reviews.

All seemed good and it appeared that people from all sorts of places had been their customers, until I saw one particular review. It was in Latin.


Any of Google's thousands of staff could have done this trivial research, too, but apparently it's no one's job over there: just like detecting the hijacked verified Twitter accounts that reply to almost all Elon tweets with cryptocurrency scam links that any non-Twitter person can find in 100 seconds, or the antivax hashtag spammers on Instagram, etc.

These companies are very bad at being proactive in enforcing their published policies.


That was my reaction as well. If an external independent researcher can do this, Amazon, Google, and other big platforms surely have enough resources, smarts, and full access to all the data to identify and eliminate bogus accounts, shill reviews, and scammy or counterfeit products. Yet they don't do it.


Reviews are mathematical garbage even when there are real reviewers, because we all have different expectations and it varies completely across cultures and geographies.


Maybe this signal (fake reviews => fraudulent products) is the most useful info reviews provide.


Reviews are subjective and qualitative data. Math deals with objective and quantitative data. It’s no surprise that shoehorning the former into the latter is a highly non-trivial problem, that even the best minds in the tech industry struggle to solve for their use cases.


I once watched a movie where the rating was "do you like the item on the left more than on the right". I'm not sure if it is mathematically possible to create a rank from it. I assume, that new items appear and have less comparisons than others.


That works when judging aesthetic, but how would that work for extensions though? You can only really judge extensions you have used, and even then how would you choose between your adblocker and your password manager? They do completely different things and I'm not willing to browse without either.

edit: I guess the signal "I tried this extension but replaced it with that other one which I like better" would be very informative though


This is a technique for "preference elicitation", and related to techniques like Elo scoring and social science fields such as psychometrics.

And yes, I think it's much better than reviews that ask for an absolute scale with no context.


I once helped develop a "survey" for a nonprofit org, which wanted to gain some insight on what they were doing well and what they could improve. One of the other people involved kept insisting on reducing the number of questions and complexity of the ratings. He said it all boiled down to one basic question, "would you use this service again" and while we didn't quite get that simple, in retrospect I think he was more right than wrong.

Maybe a boolean "would you buy this product again" is the basic question for a review. It's still open to being gamed, but only in one way.


That would remove the bias of what 5 points out of 10 means, I think.


Coming soon: consulting firm uses this technique to build a training set of fraudulent reviews, builds review fraud detector that doesn't take metadata into account and discriminates against elderly people and non-Western reviewers.

In all seriousness, this is a really interesting technique. Maybe there are analogues for other fake/bot behavior in other contexts.


Ah, this takes me back! On my first job, our CEO asked me to look at some fraud transaction data from an airline and use a graph database to gather some insights from it. His idea was to show that to some executives from the airline as a prototype to get some buy-in to build a fraud detection tool from them.

The data source basically contained account IDs, billing addresses, credit card hashes and whether an account was identified as fraudulent or not.

Using that data, I built a quick GraphDB prototype that showed clusters of fake/fraud accounts. It was simple stuff, but back then said execs were pretty impressed.

I don’t know what came of that because I left shortly after, but it was an interesting little experiment. I had fun building it!


Likely, it worked for a couple months until the bad actors found a cheap bypass to your detection method.


Such is the war against fraud.


I live in the Netherlands. We speak Dutch. This makes it quite handy to pick out fake reviews since these are (almost) always bad translations. Why does no one look outside the main language areas and compare these? Most reviews are on global stuff anyway.


My team recently built a Chrome extension and expected to be grilled on permissions. We sailed through despite requesting access to all sorts of things. Their vetting seems strict from the outside, but does not seem like it after going through the process.


It's possible they are more focused on extensions with lots of users. My extensions with tens of thousands of users have been under increased scrutiny in the last year or two, and have had several false positive issues arise, which has been frustrating.


It seems but it doesn't seem? Sorry I can't figure out the typo


Clarified with an edit. What I mean is that they require you to write up all sorts of justifications for permissions and be very specific about use cases in the submission process, but they didn't have a single comment about any of it, despite our application requiring a lot of invasive permissions. They also approved it very rapidly.

It is possible that we just did a really good job on the justifications, but I have never had a store submission come back with no required changes or clarifications outside of Google.


I took his meaning as, the vetting seems strict before you submit, but it actually turns out to be much less strict after you submit.


Google's vetting seems strict from the outside. However, now that GP has gone through the process, GP no longer believes it is strict.


Were these reviewers only leaving reviews on spoofed extensions? Seems like it’d be trivial to mix in positive reviews of legit extensions, making the trail harder to follow.



