
Malware alert: JavaScript Errors Notification extension for Chrome (86k users) - henvic
If you read the fine print at https://chrome.google.com/webstore/detail/javascript-errors-notifie/jafmfknfnkoekkdocjiaipcnmkklaajd/reviews you're going to see that they collect statistics.

You may think it's okay, not making a big deal of it, as most things like this anonymize data before sending.

Guess what? Not only does it send the links for images you access to a web service, but it goes as far as making sure it doesn't appear in your console, and it sends it over HTTP.

This should be banned right now from the Chrome Web Store.

I don't know if the authors are aware how insanely invasive this is, but you have to know it.

I only noticed it when I was using Charles Proxy to verify something and found some requests very odd.

I have reported it to the Chrome Web Store and hopefully they ban it asap.
======
fancoder
BTW, there is a paragraph in this Chrome extension description:

We are always trying to find a way to continuously improve JavaScript Errors
Notifier, thus we've chosen Fairshare and Intenta as our trusted partner,
which will collect the usage statistics from your browser. It's anonymous and
will not include any of your privacy data. We concern about your data security
as you always do. Please learn more about Fairshare privacy policy at
[https://fairsharelabs.com/analytics](https://fairsharelabs.com/analytics).
Anyway, there is also alternative extension version, that does not collect any
statistics: [https://goo.gl/IRbqnY](https://goo.gl/IRbqnY)

~~~
henvic
He said the same thing and closed the ticket on GitHub issues.

My answer to that:

"Your description there says it's anonymous and won't include any privacy
data. This is a blatant lie.

People, just like me, will download and use it in good faith without knowing
it is sending all the links they browse to your analytics web service with
a token to uniquely identify them.

Of course you know you can retrieve personal identifying information on links
such as account ids, usernames, emails, purchase orders, photo links, and
more.

It's one thing to add such scripts to your own site. It's another to add a
script that inconspicuously sends private data for all sites you browse to the
analytics account of someone when you install an extension that has nothing to
do with it. And yeah, I know many - if not most - sites use some kind of
analytics service, but they don't do it like this.

Non-HTTPS links will even be sent entirely unencrypted, allowing
man-in-the-middle attacks as well (e.g., private network links might end up
on the Internet, not only for you; and, of course, you always get the private
sensitive data you claim you don't).

PS: You certainly have an attitude problem. Trying to play this down by saying
you have something in the fine print and implying I am dumb? Really?"

------
henvic
More details: data is being sent to the host intenta.io over HTTP.

So I can see that it's an open source project, and hopefully the developer
isn't aware of how invasive the tracking mechanisms he's using are.

I have reached out to the developer to ask him to fix it.

https://github.com/barbushin/javascript-errors-notifier

https://github.com/barbushin/javascript-errors-notifier/issues/28

------
henvic
They got me there. This is the major reason I seldom use extensions.

------
henvic
Google has policies for the Chrome Web Store and this extension doesn't abide
by them. I have highlighted just a few points below.

People usually are nice to each other and abide by them. This is why we can
have nice things.

# [Developer Program Policies](https://developer.chrome.com/webstore/program_policies)

1. __We don't allow unauthorized publishing of people's private and confidential information__, such as credit card numbers, government identification numbers, driver's and other license numbers, __or any other information that is not publicly accessible. Additionally, we don't allow items that collect, store, or transmit user credentials or other private user data in an unsafe or unauthorized manner.__

2. __Spyware__, malicious scripts, and password phishing scams __are__ also __prohibited in the Chrome Web Store__. Where possible, make as much of your code visible in the package as you can. If some of your app's logic is hidden and it appears to be suspicious, we may remove it.

3. __Your app must comply with Google's Webmaster Quality Guidelines.__

4. __Don't misrepresent the functionality of your app or include non-obvious functionality that doesn't serve the primary purpose of the app without clear notification to the user.__

5. __Forcing the user to click on ads or submit personal information for advertising purposes in order to fully use an app or extension provides a poor user experience and is prohibited.__

# [Webmaster Guidelines: Quality guidelines](https://support.google.com/webmasters/answer/35769?hl=en#3)

__Don't deceive your users.__

# [Unwanted Software Policy](https://www.google.com/about/company/unwanted-software-policy.html)

__We've found that most unwanted software displays one or more of the same basic characteristics:__

* It is deceptive, promising a value proposition that it does not meet.
* It tries to trick users into installing it or __it piggybacks on the installation of another program.__
* __It doesn't tell the user about all of its__ principal and __significant functions.__
* __It affects the user's system in unexpected ways.__
* It is difficult to remove.
* __It collects or transmits private information without the user's knowledge.__
* __It is bundled with other software and its presence is not disclosed.__

