
Adware vendors buy Chrome Extensions to send ad- and malware-filled updates - hollerith
https://arstechnica.com/information-technology/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/
======
bradknowles
It’s a good point to be aware of and to raise from.time to time, but the
subject line should be amended to indicate that this article was written in
2014.

------
ChrisAntaki
Yeah, I have a Firefox extension with around 50k installs, and get emails
every so often from people offering to monetize it.

Here's an excerpt from a recent one, from Nick at NJB Brands Sales:

> We offer .50 CTR (per 1,000) traffic and can use each unique IP up to 10
> times a day. There is no limitation to what we will purchase other than the
> cap per unique IP. We offer flexible payment options via PayPal, Bitcoin,
> WesternUnion or Check. Payment can be done every 1 day, 7 days or 30 days.

~~~
erikrothoff
Ha! We got the exact same message. Really weird getting a glimpse of that part
of the internet.

------
posnet
I have a relatively popular novelty extension and I get approached by ad
companies to buy/monetize it regularly. I refuse, because I despise
advertising and I don't need the money. But I suspect I am in the minority and
that many extension owners probably just decide it is easier to sell it and
not think about it.

~~~
tobyhinloopen
How much did they offer?

~~~
posnet
Anywhere from $2-25k. But most don't give a price upfront and I just send it
to my spam folder.

------
tux
Use uBlock Origin [1] and uMatrix [2] instead. Also using Inox [2] browser
helps too.

[1] [https://github.com/gorhill/uBlock/](https://github.com/gorhill/uBlock/)
[2] [https://github.com/gorhill/uMatrix](https://github.com/gorhill/uMatrix)
[3] [https://github.com/gcarq/inox-
patchset/releases](https://github.com/gcarq/inox-patchset/releases)

~~~
jwilk
Instead of what?

------
blendergeek
This is why RMS calls auto-updates "universal backdoors".

~~~
cpach
Most people would be screwed without auto-updates.

------
jackvalentine
From the article:

> "Update: Google got back to us, and stated that Chrome's extension policy is
> due to change in June 2014. The new policy will require extensions to serve
> a single purpose."

------
krsdcbl
It appears to be an easy way to at least weaken this practice:

Why doesn't chrome prompt it's user / demands a confirmation of permissions
when an extention changes ownership, before updating it again?

It could at least impact the rentability of this buying up of extentions, but
definitely help alert users of such things

~~~
RobLach
How would they know it changed ownership?

------
voltagex_
(2014)

------
dotmanish
Still a large risk, even though this was authored in 2014.

I would be surprised if extensions that "read and change content on all
websites you visit" haven't yet been used in some wide-scale account/identity
compromise without making much noise.

------
codedokode
That is why I never install browser extensions.

~~~
abecedarius
Do you live without adblock?

~~~
yareally
Host blocking at the OS level. No need for extensions.

~~~
dest
Sometimes you need to temporary disable filters or edit them. How do you
manage that? Is it user-friendly?

~~~
yareally
Never ran into a problem really. Maybe a couple times a year I'll manually
open the host file and ctrl+f a host I need to comment out temporarily after
seeing it's causing an issue via the browser's network tools.

------
youseecomrade
Not even Firefox manually review extensions anymore. Sad, happened twice for
me (one was a cryptominer) so now I have like 2 extensions installed.

~~~
dblohm7
Not true. Extensions are still subject to manual review, however they are
permitted to be posted publically as soon as they pass a suite of automated
checks.

~~~
youseecomrade
You know what I mean. It's like checking for poison after you eat the entire
pie.

------
TazeTSchnitzel
(2014)

