
Think Twice Before Installing Any Chrome Extension - arpitnext
http://blog.arpitnext.com/2011/08/chrome-extension-awesome-screenshot.html
======
joel_liu
Hi, this is Joel, the developer of Awesome Screenshot, the extension the article
mentioned. First of all, I apologize for what I did to it in the last version a
day ago.

I'd like to share with you my intention for this Amazon + Google search
feature.

1) It's from my own need. When I search for shopping items on Google, I always
want to check them on Amazon as well.

2) It can help us make a small amount of money.

3) I provide an option to disable it.

However, I did it in the wrong way. I should have done it like this: 1) Disable
it by default. 2) Ask the user's permission to enable it. 3) Tell users why we
added it.

I did it wrong but still respect users. This feature existed for only one day
and I removed it in the new version (3.2.1).

~~~
stanleydrew
You should be more honest and re-order 1 and 2. Putting affiliate links into
Google search results isn't even in the same category as taking a screenshot
of a page. Why "scratch that itch" in an extension that is completely
unrelated unless your primary interest was to make money.

Now there's nothing wrong with making money, and I don't even disagree with
the way that you attempted to monetize the awesome screenshot extension (via
affiliate links). But be honest with users about your motivation. Most will
understand.

------
laxk
The answer from the developer of Awesome Screenshot:

    ===
    Developer 1 hour
    @All, since many of you don't like this feature, we removed
    it in version 3.2.1.

    ===
    Developer 39 minutes
    @All,
    Hi all, this is Joel, developer of Awesome Screenshot. I am so sorry to add
    the Amazon search results to the Google search result page without informing
    our users first. It was such a bad decision.

    This additional feature was designed to scratch our own itch, because when
    I search for shopping items on Google, I always want to check them
    on Amazon at the same time.

    In the spirit of transparency, we should disclose that this feature
    does bring a small amount of revenue to us, which enables us to continue
    to improve this product. Since so many users don't like it,
    *we have already released a new version (3.2.1) to remove this feature*.

I think they should make this feature optional and disabled by default.

~~~
SoftwareMaven
Nobody would ever see it. Enabling new feature discovery in software is a very
hard problem. Just throwing in features and hoping people will find them is
not a good philosophy.

In this case, I would probably have shown it by default with text including
"why am I seeing this?" and a "don't show this anymore" button.

~~~
joel_liu
I provided a customize button beside the amazon search result page for users
to disable it. But it seems many users don't like it, so I removed this
feature completely.

~~~
SoftwareMaven
You are facing two problems:

1. The feature is orthogonal to the plugin. Alone, you probably could have
survived this one.

2. The feature came to light for many through negative press. With number 1,
that pretty much kills the feature in the current extension.

Rather than just killing the feature altogether, though, you could release it
as a new extension. Add a couple other ecommerce sites and call it a shopping
assistant.

~~~
joel_liu
Thanks for your suggestion. I will release it as a new extension if I have
enough time.

------
asknemo
Can't help casual users, but for power users, this is a very handy tool to
inspect the source on-the-fly:

[https://chrome.google.com/webstore/detail/bbamfloeabgknfklmg...](https://chrome.google.com/webstore/detail/bbamfloeabgknfklmgbpjcgofcokhpia)

~~~
troels
Ah yes, but how can I trust that "Extension Gallery and Web Store Inspector"
is safe to install?

~~~
RyanMcGreal
Obligatory: <http://xkcd.com/250/>

------
monochromatic
Apple's solution has taken a lot of flak over the years for its audit process
and some pretty arbitrary rejections, but if this is the alternative...

~~~
icebraining
The best alternative is AMO; the testers are extremely helpful, explaining the
problems and giving tips and links to help you improve the extension.

------
Triumvark
Anyone could review extensions in Chrome's gallery and provide a seal of
quality or recommended avoid list.

With Chrome's model, competing groups with different priorities could
recommend different sets of apps to use or avoid, just like competing review
magazines for consumer goods.

Mozilla's model invites pressure from DHS to kill specific apps the government
doesn't like. So far Mozilla has rejected calls to kill extensions that help
circumvent state sponsored blacklists,* but for how long?

As Google learned in China, if there is a technical measure which could
hypothetically suppress speech, then some government will eventually demand
its use.

* See "MAFIAAfire"

------
Tichy
While I don't like the Awesome Screenshot approach, high profile startups like
Posterous seem to take a similar approach (stealthily rewriting links in blog
articles) and hardly anybody from the tech elite seems to mind.

~~~
joakin
Please, would you mind explaining that? Or giving a link to more info?

~~~
Tichy
Another reply to my comment has a link:
<http://news.ycombinator.com/item?id=1309403>

------
whileonebegin
I think the title of this post is too alarmist. Chrome makes it very easy to
install or remove apps, unlike traditional desktop applications.

I recently released a Chrome Extension myself
[https://chrome.google.com/webstore/detail/ifhpbfmklgecpflbnb...](https://chrome.google.com/webstore/detail/ifhpbfmklgecpflbnbamoahdeabljgfi),
and was surprised that Google requires a $5 payment from developers,
supposedly to prevent malware and spam, even though most extensions are free.
I suppose Google largely counts on ratings and comments to moderate content.

------
swombat
What's the technical term for this?

Ah yes. I remember: "pretty fucking bad, man".

If the Chrome team also have access to the source of these plugins, it seems
pretty irresponsible that there's no audit process whatsoever. There should at
least be random audits, particularly of popular applications.

~~~
sp332
That really is the least they should be doing. For contrast, here's Mozilla's
policy for addons.mozilla.org:
[https://addons.mozilla.org/en-US/developers/docs/policies/re...](https://addons.mozilla.org/en-US/developers/docs/policies/reviews)

Chrome supposedly has a better security model (not to say that FF's is bad),
but if it gets in the way so much that users are in the habit of allowing all
extensions access to everything, then it's not really better.

~~~
mbrubeck
And specifically, Mozilla's review process includes a "No Surprises" principle
that covers cases like this one:

<https://blog.mozilla.com/addons/2009/05/01/no-surprises/>

_"Changes to default home page and search preferences, as well as settings of
other installed add-ons, must be related to the core functionality of the
add-on. If this relation can be established, you must adhere to the following
requirements when making changes to these settings: The add-on description
must clearly state what changes the add-on makes. All changes must be
‘opt-in’, meaning the user must take non-default action to enact the change.
Uninstalling the add-on restores the user’s original settings if they were
changed."_

------
nathanuk
A few months ago I discovered a similar situation with a very popular
extension (300,000+ users). It removed Facebook ads and injected its own.
After a quick search, I found 4-5 others that were doing the same. It took
Google over 3 weeks to remove them.

[http://www.reddit.com/r/chrome/comments/gpwqc/caution_auto_h...](http://www.reddit.com/r/chrome/comments/gpwqc/caution_auto_hd_for_youtube_extension_is_now/)

------
iand
Sounds like an opportunity for a startup based on rating, review and
certification of chrome extensions. I'd pay for peace of mind.

------
stanleydrew
Also, think twice before visiting any website. A web browser can be used for
many things. Some of those things (like running extensions, or visiting web
pages) have the potential to deliver malicious code to a user's machine. It is
not Google's responsibility to police the content of the web, or the content
of Chrome extensions. Although one could argue that it would be wise for
Google to use its vast resources to provide recommendations/warnings on
extensions, similarly to what it does for links in Google results that it
suspects are delivering malware.

~~~
angelbob
Sure, but browsers work hard to keep web sites from doing arbitrary things to
your computer, and mostly succeed, most of the time.

It's also a huge deal when they fail.

Extensions get extra permission to do stuff, so it would be nice if they got
extra auditing or restrictions.

------
jscheel
Odd, I've had that extension installed for a while now and have never had any
of those amazon ads inserted into my content. Uninstalling awesome screenshot
just to be sure.

------
samstokes
So in principle the Chrome gallery has the tools in place to prevent these
abuses. The extension listing page states what permissions the extension will
have (if it says "access all web pages", then you certainly should think hard
before installing it!), and the user reviews and ratings mean users can call
out bad behaviour (like this sneaky affiliate link adding) and warn other
users.

Unfortunately both of these things are pretty broken in the Chrome gallery at
present. The warning about what the extension can access is fairly muted, and
you have to _notice_ and _read_ it - unlike when you install a Facebook or
Android app, when the permission dialog interrupts the install flow so you
have to at least _see_ it before you can install. And the implementation of
user reviews is terrible - there's no way for the extension author to reply to
a misinformed or misleading review, except to leave his own "review" (yes, you
can review your own extension).

~~~
extension
The "access all pages" permission is required for "content extensions". That's
any extension that interacts with web content. They can limit themselves by
domain, but that's it.

Even simple UI tweaks, like changing how scrolling works, can often only be
implemented by injecting into every page. Since Chrome doesn't understand the
meaning of any web content, it can't pick and choose what an extension has
access to in any useful way. As a result, the permission model is just not
terribly useful for extensions, besides the site-specific ones.

Also, last I checked, reviews worked essentially like comments and I could
effectively reply to issues on my extension's page. Maybe that has changed by
now.

~~~
samstokes
There's a big difference between "can access your data on domain.com" and "can
access your data on all websites". (And not all extensions need to modify
pages, even Chrome ones.)

I didn't say you shouldn't install extensions that require content privileges
(indeed I would highly recommend that you install at least one [1] [2]); just
that you should do so with care, and decide whether you trust their authors,
because of the broad access they have. The advantage of the Mozilla approach
of reviewing every extension is that they (partially!) offload some of the
trust decision from the user onto the reviewers.

As I said above, you can respond to a review with your own review, but that's
a broken way of doing it: the author's response isn't visually distinguished,
and there's no way to ensure it appears anywhere near the review it's
responding to, so there's a high chance prospective users will just read the
negative or misleading review without seeing the response.

(Concretely: someone can "review" your extension by saying "this extension is
evil and spies on all the sites you visit", and your only options as an author
are to leave another review halfway up the page saying "@anonymous: oh no it
doesn't", or to abuse the "mark review as spam" button.)

[1] <http://rapportive.com>

[2] Disclaimer: this recommendation is not without bias, given I'm part of the
team that develops this extension.

------
wesbos
Everyone has access to Chrome extension source.

------
dkokelley
I completely disagree with the conclusion of this article. Consider Apple's
App Store. Supposedly, the application and review process makes things safer
for end users. Unfortunately we've seen this is not always the case.
Additionally, Apple's policies have been harshly criticized by others as being
a walled garden that stifles competition.

Can Google really expect to keep an app like this from slipping through their
approval process? It's not like the extension runs and crashes Chrome while
sending your browsing history to DoubleClick.

I think a better way to approach this issue is to engage the users when they
install an app with flexible permission settings, by saying "These are the
things this app is allowed to do. If you don't want it to do all of these
things, you may uncheck specific permissions. Be aware that restricting this
extension may cause it to not work properly".

~~~
ootachi
That's a bad idea. People will always click through warning and permission
screens; increasing the complexity of warning screens simply increases the
likelihood that people will click through it without reading it.

------
Andrex
Extensions really can't do anything without specifying permissions explicitly
in their manifest. Those permissions are then shown to the user when
extensions are installed. I don't see the problem here.

And inserting links in a search results page is hardly the type of malware the
title of this article implies.

~~~
nitrogen
Hackers place a high value on veracity of information. Altering a search
result page without complete transparency ahead of time is not cool. Altering
a search result page in a way that filters money away to someone else is
exactly what some malware does.

------
meemo
Safari extensions too. I installed Dictionary by Slice Factory. Then, when I
was shopping on Amazon, I got a huge in-browser pop-up asking to help me find
products with the lowest price. They do have an opt-out feature, but it was
very disconcerting since initially I had no idea where this came from.

------
3pt14159
This is why I only use bookmarklets. I click they run. I don't click, they
don't run. Sure, my Readability bookmarklet might be collecting a couple of
links I have trouble reading, but at least they aren't doing anything
malicious when I'm not using them.

~~~
js4all
Plus, bookmarklets don't spawn an extra process.

~~~
ootachi
And they execute within the context of the page you're currently viewing,
which prevents malicious cross-site behavior like that of this extension.

------
nischalshetty
The developers of this app just lost a lot of trust! Be honest with your
users. That's the first rule of developing a good product. It does not matter
how much they apologize now, a lot of users aren't going to trust them
anymore!

------
plasma
Use Screen Capture (by Google):
[https://chrome.google.com/webstore/detail/cpngackimfmofbokmj...](https://chrome.google.com/webstore/detail/cpngackimfmofbokmjmljamhdncknpmg)

You can take the entire page, partial pages, redactions etc. It's fantastic.

No remote server needed either.

------
simonbrown
It's not the only one. Upside Down adds Viglink to pages (and mentions it in
the extension gallery page).

Allow copy-paste action on websites replaces the banner on LyricsFreak with
one for the author's website.

The Web Of Trust Firefox extension also adds "safe search" links to Google
results.

~~~
oroup
This is Oliver Roup, CEO of VigLink. Merchants generally offer affiliate
programs to encourage the creation of content discussing their products or the
development of services where such content tends to develop.

Extensions like this one have neither of these characteristics and instead are
seen as a "tax" by the merchants - they drive up costs without any benefit.
This is of course not welcomed by the merchants and as a result, VigLink does
not permit this type of use of our service.

The account this extension references was terminated quite some time ago, not
long after we discovered it. Although the extension continues to insert our
code (we cannot prevent it) we do not affiliate any clicks on the account and
the extension owner is making no money through VigLink.

Oliver Roup Founder / CEO, VigLink oroup@viglink.com

------
crazydiamond
Wasn't able to move to Chrome from Firefox. No proper replacement for
Vimperator/Pentadactyl. Vimium just doesn't cut it. Doesn't work on all pages,
often stops working. Any chrome users here who use vimium (vim bindings) who
might share some inputs?

------
aklemm
I wondered where those Amazon ads were coming from! This is definitely shady;
to have websites modified without your knowledge is unnerving. With such a
successful extension, there must be a better monetization idea than tricking
users.

------
vertice
Use the source, Luke.

~~~
chico_dusty
So you figure Chrome should only be used by neckbeards capable of
understanding the source?

~~~
dangrossman
Can we not start using that term here?

------
niyogi
This coming from the guy monetizing his site with obnoxious Google ads
and hover-over links.

------
gcb
Why is everyone treating this as something new?!?!

You run code on your machine, you have to trust it.

Heck, I don't even trust stuff I download from the App Store! And I still
limit the talk of my Wii with Nintendo servers on my router.

The Chrome extensions just add a little insult because it 'seems' official or
something. Much better the Greasemonkey way, full of warnings so the user
remembers that he has to think for himself.

------
crizCraig
There should be a permission for contacting external sites. That's where the
biggest security threats lie and most extensions, like a screenshot extension,
don't need to be making requests to other sites (like Amazon).

~~~
aboodman
There is. This extension requests the permission.

~~~
crizCraig
The extension requests permission to access "Your data on all websites" and
"Your tabs and browsing activity". I guess what I'm saying is that there
should be a distinction between permissions for accessing stuff in the browser
and accessing external data through AJAX and other resource requests. Besides
cutting off extensions themselves from the outside world, Chrome would just
have to prevent extensions from injecting scripts or elements that made
external requests into loaded pages by disallowing <script>, onclick='',
src='' etc... from being added to the HTML and DOM of those pages.

~~~
aboodman
I'm not sure I follow, but Chrome does allow developers to request those
privileges separately. This developer just requested both.

~~~
crizCraig
For example, say you wanted an extension to be able to take a screenshot of
Amazon, but not get access to everyone's private data on Amazon. This is not
currently possible in Chrome. To get the screenshot, you need to allow access
to Amazon.com in the permissions list of the extension config, i.e.
manifest.json. This, however, gives you permission to request resources from
Amazon that the user did not load into the browser, like all their previous
purchases. And if there's another URL in the permissions list that the
extension developer hosts, they can set up an API for the extension to phone
home the user's private data on Amazon.

Here's a sample that demonstrates this:
[http://src.chromium.org/viewvc/chrome/trunk/src/chrome/commo...](http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/docs/examples/api/tabs/screenshot/manifest.json?revision=88353&view=markup)

Note that "tabs" and "code.google.com" must both be listed in the permissions.
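As an added example (not code from the thread, from Awesome Screenshot, or from the linked Chromium sample), here is a Node.js auditor for a manifest.json that performs the check samstokes and crizCraig describe above: it separates API permissions such as "tabs" from host match patterns, flags patterns that cover every site, and notes that any host grant also permits requests to that origin beyond the pages the user opened. The two sample manifests are constructed for illustration; the `host_permissions` key is where manifest v3 declares hosts.

```javascript
// Added example: audit a Chrome extension manifest for broad host access.
// Not the thread's code or any named extension's manifest.

// Host patterns that cover (nearly) every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// A match pattern looks like scheme://host/path; anything else in the
// "permissions" array is an API permission such as "tabs" or "storage".
function isHostPattern(entry) {
  return entry === "<all_urls>" || /^(\*|[a-z]+):\/\/[^/]*\/.*$/.test(entry);
}

function auditManifest(manifest) {
  // Manifest v2 mixes hosts into "permissions"; v3 moves them to "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const hosts = declared.filter(isHostPattern);
  const apis = declared.filter((e) => !isHostPattern(e));
  // Content scripts run wherever their "matches" patterns say, so count those too.
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const broad = [...new Set([...hosts, ...injected].filter((h) => BROAD_HOSTS.has(h)))];

  const notes = [];
  if (broad.length) notes.push(`can read and modify every page: ${broad.join(", ")}`);
  else if (hosts.length) notes.push(`site-specific access only: ${hosts.join(", ")}`);
  // Host access is not limited to pages the user opened: the extension can also
  // fetch other URLs on that origin with the user's cookies (crizCraig's point).
  if (hosts.length) notes.push("can request other URLs on granted hosts with the user's cookies");
  if (apis.includes("tabs") && hosts.length) notes.push("tabs + host access: can capture and read matching tabs");
  const level = broad.length ? "high" : hosts.length ? "medium" : "low";
  return { level, apis, hosts, broad, notes };
}

// Constructed sample: a screenshot tool that asks for every site, the shape
// the thread objects to.
const SCREENSHOT_BROAD = {
  manifest_version: 2,
  name: "Example Screenshot (constructed)",
  permissions: ["tabs", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["inject.js"] }],
};

// Constructed sample: the same capture capability scoped to a single site.
const SCREENSHOT_SCOPED = {
  manifest_version: 2,
  name: "Example Screenshot, scoped (constructed)",
  permissions: ["tabs", "https://example.com/*"],
};

for (const m of [SCREENSHOT_BROAD, SCREENSHOT_SCOPED]) {
  const r = auditManifest(m);
  console.log(`${m.name}: ${r.level}`);
  for (const n of r.notes) console.log("  - " + n);
}
```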

