
Breaking Down the Chrome Web Store - flysonic10
https://extensionmonitor.com/blog/breaking-down-the-chrome-web-store-part-1
======
typpo
As the creator of several popular Chrome extensions, once you reach about
10,000 installs people will start contacting you to acquire the extension. In
particular, I created a native ad detector that was briefly popular[1]. In my
experience, acquirers will go after extensions that have permissions to modify
any page.

My extensions were open source and had no clear path to monetization, so I can
only speculate on how the purchasers planned to recoup their investments. The
permissions in these extensions would allow them to inject ads or even collect
credentials, etc.

Not saying that the top extension developer does this, but people are
definitely making money by collecting innocuous Chrome extensions!

[1] [https://www.ianww.com/ad-detector/](https://www.ianww.com/ad-detector/)

~~~
AznHisoka
SimilarWeb and Jumpshot acquire extensions so they can gather data on the
websites you visit. They then sell this data to other companies for
marketing/intelligence purposes. I hope Google can close this loophole soon
(anyone from Google listening? _dustballs_ )

~~~
steve19
Chrome desperately needs a trigger whereby an extension can access a site's
data only if there has been an interaction such as clicking a button on the
toolbar or the right click menu.

~~~
factsaresacred
It exists - activeTab:

> _The activeTab permission gives an extension temporary access to the
> currently active tab when the user invokes the extension - for example by
> clicking its browser action. Access to the tab lasts while the user is on
> that page, and is revoked when the user navigates away or closes the tab._

[https://developer.chrome.com/extensions/activeTab](https://developer.chrome.com/extensions/activeTab)

~~~
kevingadd
Part of the problem is that activeTab makes a ton of the things extensions
usually do impossible, so lots of extensions will keep requesting full
permissions. I'm not really sure how you fix it. Scoping to a list of domains
could potentially work, but adding new domains shuts off your extension so it
seems unlikely that anyone could do it when they could request wildcard
permissions at install instead.

In practice users want extensions to do stuff that implicitly violates
security boundaries, so I think making that stuff secure would basically
require Google to build it in. Like for example, 1password naturally needs
both a way to intercept entry of new passwords (to offer saving) and a way to
detect password fields and type into them. Detecting a password field means
you need to be able to scan the DOM and detect when the user is interacting
with the field. At the point where you can do that, you can snoop on the user
on an important page, activeTab or no.

If the Chrome Web Store offered straightforward ways to sell paid extensions
at least then there'd be less reason to embed malware in your extension
instead...

My extension (now removed due to legal threats and DMCA abuse) was originally
scoped to an application's domain, and then the developer added a new domain
so I had to update my extension manifest to add that domain. Doing so shut it
off for every user and I had to explain how to turn it back on. Given that
experience I should have just put a wildcard in the permissions instead, but I
underestimated how bad Chrome's extension infrastructure would be.
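
Added example, not part of the thread and not code from Chrome or Extension Monitor: a small manifest check that separates the three access tiers discussed above (wildcard host access, a scoped domain list, and `activeTab`) and reports host patterns added between two versions, which is the change to look for when an extension changes hands or adds a domain. The function names and the sample manifests are constructed for illustration.

```javascript
// Added example: classify the host access an extension manifest requests.
// Covers MV2 (hosts listed in "permissions") and MV3 ("host_permissions").
const HOST_PATTERN = /^(\*|https?|file|ftp|wss?):\/\/([^/]*)\/.*$/;

function isHostPattern(p) {
  return p === "<all_urls>" || HOST_PATTERN.test(p);
}

// A pattern is "broad" when it matches every host: <all_urls> or host "*".
function isBroad(p) {
  if (p === "<all_urls>") return true;
  const m = HOST_PATTERN.exec(p);
  return m !== null && m[2] === "*";
}

// Collect every host match pattern, including content script matches.
function hostPatterns(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const hosts = declared.filter((p) => typeof p === "string" && isHostPattern(p));
  return [...new Set(hosts)];
}

function classifyManifest(manifest) {
  const hosts = hostPatterns(manifest);
  const broad = hosts.filter(isBroad);
  const usesActiveTab = (manifest.permissions || []).includes("activeTab");
  let access = "none";
  if (broad.length > 0) access = "all-sites";
  else if (hosts.length > 0) access = "scoped";
  else if (usesActiveTab) access = "on-click";
  return { access, broad, scoped: hosts.filter((p) => !isBroad(p)), usesActiveTab };
}

// Host patterns present in the new version but not in the old one.
function addedHosts(oldManifest, newManifest) {
  const before = new Set(hostPatterns(oldManifest));
  return hostPatterns(newManifest).filter((p) => !before.has(p));
}

// Constructed sample manifests (not taken from any real extension).
const v1 = { manifest_version: 2, permissions: ["storage", "https://app.example.com/*"] };
const v2 = { manifest_version: 2, permissions: ["storage", "https://app.example.com/*", "*://*/*"] };
const clickOnly = { manifest_version: 3, permissions: ["activeTab", "scripting"] };

console.log(classifyManifest(v1).access, classifyManifest(v2).access, addedHosts(v1, v2));
```
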

------
ajhurliman
Chrome extensions are such a massive vector for unwittingly giving away all of
your data. The fact that they're near impossible to monetize combined with the
fact that people click through the permissions screen so easily makes it a
prime target for scraping people's data.

~~~
egfx
If I could get 1/10th that many installs on [https://2fb.me](https://2fb.me)
I’d make a million dollars a month.

~~~
flysonic10
turns out 2fb.me redirects users to this PayPal page after they share their
twitter post on Facebook:

[https://www.paypal.me/qkast/2#_=_](https://www.paypal.me/qkast/2#_=_)

~~~
stronglikedan
Is this different than the myriad other FLOSS that has popups asking for
donations?

------
eternalny1
4+ million installs for "Search Encrypt" which seems to fill the 1/2 half of
the results page with advertisements.

But, you get the benefit of "SSL encryption".

The other features (don't save your search) just seem to make it a bad version
of DuckDuckGo.

~~~
ocdtrekkie
Search Encrypt is malware[0], and its install base are generally not
consensual users. I've seen it around for a very long time, and Google isn't
doing anything about it.

New Tab-hijacking extensions are incredibly pervasive in the Chrome Web Store,
and often installed via malicious websites which use arrows and audio cues to
demand a user click the "Install" button Chrome pops up in order to resume web
browsing.

MapsGalaxy is another particularly pervasive malware offering:
[https://chrome.google.com/webstore/detail/mapsgalaxy/ijjnmdp...](https://chrome.google.com/webstore/detail/mapsgalaxy/ijjnmdphpnlnelhbhefnfmimenjgbfcn)
(Just adding this one here in case someone from Google sees this comment and
can nuke both from orbit.)

[0] [https://blog.malwarebytes.com/detections/rogue-searchencrypt...](https://blog.malwarebytes.com/detections/rogue-searchencrypt/)
and any search result should give you some idea:
[https://duckduckgo.com/?q=search+encrypt&t=ffab&ia=web](https://duckduckgo.com/?q=search+encrypt&t=ffab&ia=web)

------
nbar1
The below information is incorrect. Chrome HD Themes has the most extensions,
not most downloads.

Original comment: That "developer" is Chrome HD Themes and the extensions are
themes.

~~~
flysonic10
Yea, the title refers to the author that is prolific by installs (FreeAddon),
rather than the author that is prolific by extensions (Chrome HD Themes).

Chrome HD Themes has over 6k published extensions!

~~~
flysonic10
Just ran the query to find that Chrome HD Themes has only 51,724 installs
across now 6064 extensions.

------
kgwxd
If I had a browser that had the content-filtering power of uBlock Origin
(uncrippled) built-in but, to avoid conflict of interest, relied solely on the
community to build filters, I wouldn't even need extension support.

~~~
ummonk
I haven’t used it, but my understanding was that is exactly what Brave does?

~~~
pythux
That’s the goal, but they’re not there yet. Quite a few things are missing to
match uBlock Origin (Or other popular adblockers).

------
amelius
This website detects when I move my mouse towards the back button and then
shows a "before you leave ..." popup. Creepy.

~~~
flysonic10
It's an "exit intent modal"

------
flysonic10
Some other stats:

- The most popular category is “Productivity” accounting for ~40k extensions
and 676M installs

- Google itself authors 155 extensions accounting for ~133M installs

~~~
warent
Extensions are included in Chrome installation, so I can't help but wonder
what the actual numbers would be for Google extensions that don't do that.

~~~
flysonic10
ooo.. I'll get on that.

There are in fact 10 default extensions. Will filter them out...

~~~
flysonic10
Looked into this. Turns out that the default extensions report 0 installs, so
the original number is correct.

Though, the latest number is now ~137M installs.

------
stanislavb
I spent some time recently building my first extension ... and let me tell
you, it's not that easy promoting one at all :)

If you are interested, it might be helpful to you. It's contributing to the
winning "Productivity" category. It lets you see the competitors of almost any
software product. Contextually.
[https://chrome.google.com/webstore/detail/alternative-to-by-...](https://chrome.google.com/webstore/detail/alternative-to-by-saashub/bfllfmelefabahclnehpdocekedapcbj)

------
phit_
this seems to be incomplete? lots of popular extensions are not listed, or am
I misunderstanding what their top list is? e.g. RES with 2.2M users isn't
mentioned at all
[https://chrome.google.com/webstore/detail/reddit-enhancement...](https://chrome.google.com/webstore/detail/reddit-enhancement-suite/kbmfpngjjgdllneeigpgjifpgocmfgmb)

~~~
Mathnerd314
They say the list is the most popular extensions by category. RES is in the
productivity category and presumably was omitted in favor of the 10 extensions
in that category with 10M+ users. And productivity is the largest category so
there are probably dozens more in the gap between 10M+ and 2.2M.

~~~
flysonic10
Yes, and since we don't have data past 10M installs for any given extension,
all of those are essentially tied for the top spot.

------
point78
The only important question is what is his revenue

~~~
flysonic10
...and where does it come from?

------
Ftuuky
Maybe some charts instead of just tables?

~~~
flysonic10
What would you like to see? I'll make some.

