
This is a huge problem for the extension ecosystem in general. Who originally publishes an extension may not be the same entity that is pushing you updates in two years time, and there's no way as a user to know this.

I publish a few extensions [1] [2] [3] and have been contacted multiple times by companies asking to buy them for several thousand dollars. They told me the going rate was 0.20 USD per user. You can imagine what kind of deals are being made when the extension has a million plus users.

When pushed for exactly why they wanted to buy the extensions, which are in no way monetizable, they gave vague answers about "user insights". I can guarantee there will be many other major extensions that have sold out their users.

[1] https://chrome.google.com/webstore/detail/old-reddit-redirec...

[2] https://chrome.google.com/webstore/detail/break-timer/hklkdb...

[3] https://chrome.google.com/webstore/detail/reddit-comment-col...

It's actually how I became active in the webstore. Tab Manager was sold to some other company and filled with malware afterwards. It took the webstore team over a year to take it down.

Luckily enough the source code was still on github, and I managed to fork it and improve that version into "Tab Manager Plus" [1]

Since then I've refurbished around 10 extensions and published a few of my own. It's fun, just annoying that malicious extensions aren't getting taken down fast enough, since I suppose not enough people report them.

How to report malicious extensions is also sometimes unclear. Some people think they have to install them first, that's only true for ratings, not reports. For example to report the extension from this blog post you just have to submit this form [2]

For other malicious extensions simply replace the extension id in that link.

[1] Tab Manager Plus - https://chrome.google.com/webstore/detail/tab-manager-plus-f...

[2] Report extension - https://chrome.google.com/webstore/report/fjnbnpbmkenffdnngj...

On the other side of the coin, Firefox makes it quite hard to push updates to users that require more permissions, requiring manual intervention to update. It signifies this with a small muted yellow exclamation mark on the hamburger menu, which is really hard to see.

I've not received my own updates for weeks a few times because I haven't noticed the warning, and about a third of our users are on ancient versions presumably because of it [1].

I think the real solution to this problem is GDPR: massive fines if you abuse your users' trust (and get caught).

I'm not keen on the literal dark pattern that Firefox uses to dissuade developers from requiring new permissions.

[1] https://addons.mozilla.org/en-US/firefox/addon/tridactyl-vim...

Firefox (Chrome) should make it very easy for anyone to audit what extension/plugin are doing.

If url, div, cookies and any other info are collected, what are they?

What server connections are made by the extension, IP, Name, contents of info transmitted?

All the GUI and collection machinery should already be in place as part of the JS dev/debug tools. Just customize it a bit so any tech-savvy user can check the audit logs and enable more logging for a plugin if needed.

If a user spots something that's not right, it is also easy to out the "plugin/extension" on a public forum.

Actually, Chrome does this too:

> Chrome prompts the user if adding the permissions results in different warning messages than the user has already seen and accepted.[1]

[1]: https://developer.chrome.com/extensions/permissions

The thing with Chrome extensions is, many, many extensions already require the ability to interact with every page you visit, which is essentially Chrome extension root. If your extension already requires this, you don't need to add permissions when you update / sell your extension, so nobody is warned.
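The point above, that an extension which already holds an all-sites host permission can be updated (or sold and repurposed) without any new prompt, can be checked mechanically from two manifests. The following is an added example, not code from the thread or from Chrome. It is a deliberate simplification: it assumes the prompt is keyed only on permission strings and host patterns, and the set of "silent" permissions below is an illustrative subset; Chrome's real warning logic is more involved.

```javascript
// Added example (not from the thread or from Chrome): rough model of when an
// extension update would show a new permission prompt.
// ASSUMPTIONS: prompts are keyed on permission strings and host patterns only;
// SILENT is an illustrative subset of permissions that carry no warning text.

const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SILENT = new Set(["storage", "alarms", "contextMenus", "unlimitedStorage", "activeTab"]);

function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

function permissionSet(manifest) {
  // MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
  return new Set([...(manifest.permissions || []), ...(manifest.host_permissions || [])]);
}

function hasAllSitesAccess(manifest) {
  return [...permissionSet(manifest)].some(p => ALL_SITES.has(p));
}

// Permissions in the new manifest that would produce a warning the user has not yet seen.
function newWarnings(oldManifest, newManifest) {
  const before = permissionSet(oldManifest);
  const alreadyRoot = hasAllSitesAccess(oldManifest);
  return [...permissionSet(newManifest)].filter(p => {
    if (before.has(p) || SILENT.has(p)) return false;
    if (isHostPattern(p) && alreadyRoot) return false; // every site is already covered
    return true;
  });
}

function updatePrompts(oldManifest, newManifest) {
  return newWarnings(oldManifest, newManifest).length > 0;
}

// Constructed sample manifests (hypothetical extension).
const v1 = { manifest_version: 3, permissions: ["storage"], host_permissions: ["<all_urls>"] };
const v2 = { manifest_version: 3, permissions: ["storage", "alarms"],
             host_permissions: ["<all_urls>", "https://example.com/*"] };
const v3 = { manifest_version: 3, permissions: ["storage", "history", "bookmarks"],
             host_permissions: ["<all_urls>"] };

console.log(newWarnings(v1, v2)); // [] : no prompt, so new content-script code ships silently
console.log(newWarnings(v1, v3)); // ["history", "bookmarks"]
```

The v1 to v2 case is the one the comment describes: the buyer of an extension that already has `<all_urls>` can change what its content scripts do on every page without the user ever being asked again.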

Firefox is in the right here. I absolutely do not ever want extensions to automatically get new permissions automatically just because I accepted an old version's lesser permissions.

If you want more permissions, then ask for more permissions.

And don't be surprised when people say NO.

Not everyone wants to grant the permissions to your update even if the update fixes bugs in older versions. Not everyone will want your new feature in the first place. Denying permissions is an easy way to eliminate the risk of having to go through and figure out whether or not the new feature is trustworthy.

And if you're not adding a new feature, then why do you need more permissions?

Automatic permission addition is totally unacceptable, agreed. But I do think that Firefox should actually ask, at least once. A vague exclamation point on the edge of the screen isn't really a sufficient way of handling that for extensions a user has chosen to add.

> then ask for more permissions.

I agree with you. As another reply to you states, however, Firefox doesn't currently let me ask. You have to kind of go hunting for it.

> And if you're not adding a new feature, then why do you need more permissions?

Firefox does not let me explain why the permissions are needed. It would be nice if we could have a little blurb where we can state our case next to each permission.

Our current approach is to explain likely upcoming permissions requests in advance and ask our users to stay vigilant for the appearance of the tiny yellow exclamation mark, but that's not very helpful to the third of users stuck on old versions before we learnt that trick.

> And don't be surprised when people say NO.

I think very few of these users have said no on purpose. We ask for (and use) almost everything [1], so any marginal new permissions are unlikely to give us much more power. The current permission model actually makes it tempting to just literally ask for everything because we might want it for a new feature in the future.

The optional permissions are not fine-grained enough to be useful (you can accept all optional permissions, or none) and not available for enough permissions, otherwise we would use them.

Also, the first versions of our software were really slow and bad. I really doubt many people are staying there on purpose. (If there are any Tridactyl users in this thread using an old version on purpose, I'd like to hear from you :) ).

[1] https://github.com/cmcaine/tridactyl/blob/e20a224fb8d8bbb2b7...

Firefox and Chromium are both open source. If you don't like the way it works, then work with the teams to build a better experience.

I can kind of understand that charge when it is levelled about people complaining about Quantum and doing nothing about it, but I already spend countless hours a week working on a replacement for an extension that died because of Quantum.

How much more time can I reasonably be expected to donate? Just trying to find duplicates on the BMO could take ages.

Complaining into the void on the internet takes much less time and makes me feel better :)

Maybe start pointing out how things are far too complex and work to reduce complexity instead?

New permissions shouldn't be taken lightly. One day you'll install an extension that accesses only a specific site, and the next day it's requesting access to all your bookmarks, location data, history etc. If you make it into a next next next dialogue box you're implementing an easily abused dark pattern.

A better approach would be to allow extension upgrades, irrespective of permissions. If a user chooses to deny permissions the extension should still work on the latest version.

Why not just return empty datasets to extensions that ask for too much? Empty history, empty address book, white noise for camera and microphones, etc. Then it would be possible not only to ‘accept’ what it does or uninstall, but seamlessly deny what you don’t want.

Yes, agree!

I also have been contacted many times, and offered 1-3k for an extension I have with about 15k users.

The extension has a backend API and web service which is required for the extension to work, not once has a buyer asked about acquiring that. They only want the extension and literally have no understanding of how it works or what it does. Their intent is obvious.

SimilarWeb and Jumpshot are the major clickstream companies that buy these extensions. One way to see whether an extension mines your browsing history is to use a tool like Fiddler to sniff out the outgoing requests.

One sneaky way to get back at them is to send a bunch of fake "poison" requests with fake data back at these guys. It probably won't hurt them but if enough people do it, it might make their data worse and make their operation unprofitable.
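Both the earlier wish to audit "what server connections are made by the extension ... contents of info transmitted" and the suggestion above to sniff outgoing requests with a tool like Fiddler come down to the same check: does any request leaving the browser carry the pages you visited to a host that has no business knowing them? The following is an added example, not code from the thread. It assumes the proxy capture has been exported as a list of `{url, method, body}` records and that the list of pages visited in the same session is known; the capture below is constructed, and the hostnames in it are hypothetical.

```javascript
// Added example (not from the thread): scan captured outgoing requests for an
// extension shipping the user's browsing history to a third party.
// ASSUMPTIONS: capture records are {url, method, body}; VISITED is the set of
// pages loaded in the same session; all hosts below are constructed.

const VISITED = [
  "https://news.ycombinator.com/item?id=1",
  "https://www.reddit.com/r/netsec/",
  "https://mail.example.org/inbox",
];

// Constructed capture: one benign backend call, two that leak history.
const CAPTURE = [
  { url: "https://api.breaktimer.example/sync?user=abc", method: "GET", body: "" },
  { url: "https://collector.example-analytics.net/v1/events", method: "POST",
    body: JSON.stringify({ id: "u-1", pages: ["https://www.reddit.com/r/netsec/",
                                               "https://mail.example.org/inbox"] }) },
  { url: "https://collector.example-analytics.net/v1/beacon?u=" +
         encodeURIComponent("https://news.ycombinator.com/item?id=1"), method: "GET", body: "" },
];

function hostOf(url) { return new URL(url).hostname; }

// Flatten URL, query string and body, including a percent-decoded copy of the URL,
// so URLs hidden in query parameters or JSON bodies are still found.
function requestText(req) {
  let text = req.url + "\n" + (req.body || "");
  try { text += "\n" + decodeURIComponent(req.url); } catch (_) { /* malformed encoding: keep raw */ }
  return text;
}

// Visited pages that appear (by full URL or by hostname) in a single request.
// Matching on hostname is a heuristic and will also flag a request to the page's own site.
function leakedPages(req, visited) {
  const text = requestText(req);
  return visited.filter(page => text.includes(page) || text.includes(hostOf(page)));
}

// Group leaks by destination host: who is receiving the history, and how much of it.
function findExfiltration(capture, visited) {
  const byHost = new Map();
  for (const req of capture) {
    const leaked = leakedPages(req, visited);
    if (leaked.length === 0) continue;
    const host = hostOf(req.url);
    const entry = byHost.get(host) || { requests: 0, pages: new Set() };
    entry.requests++;
    leaked.forEach(p => entry.pages.add(p));
    byHost.set(host, entry);
  }
  return [...byHost].map(([host, e]) => ({ host, requests: e.requests, pages: [...e.pages].sort() }));
}

console.log(findExfiltration(CAPTURE, VISITED));
// [{ host: "collector.example-analytics.net", requests: 2, pages: [ ...all three visited pages ] }]
```

In practice you would feed this the export of a real proxy session (Fiddler, mitmproxy or the browser's own network log) taken while only the suspect extension is enabled, and treat any host outside the extension's documented backend that shows up in the output as the thing to report.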

This issue stands for apps as well. I once had someone try to buy [1] my popular Android app just to replace it with malware which would then be pushed to users through an innocuous update. What's so interesting to me is that there's no good way to prevent or even detect this.

[1] https://willrobbins.org/a-clever-malware-tactic-and-why-ther...

I realize this is bad, but what happens to the user data exactly? I mean can someone here paint the bleakest, most dystopian possible use or future?

The dystopian scenarios are fun to think about, but realistically speaking what happens is your data is used for market research. The vast majority of it is used to curate your advertising profile more effectively or to generate financial insights about companies based on consumer habits.

In my experience anonymization is hit or miss, but ostensibly always in place.

It gets sold to private investigators and insurers, and you shouldn't have ever Googled for "alzheimer disease symptoms" and you lose your child custody rights after a judge decides what you're looking at on YouPorn isn't sufficiently healthy.

Build a social/interaction graph and fill everything with ads while selling the same information to intelligence agencies. No discretion. Only money. Nothing personal, it's just business. Sound familiar? Facebook invented that already.

A lot of people focus on how this information is used by advertisers, which can be a problem, but in my opinion the bigger issue is how data brokers are starting to act like completely unregulated and sometimes highly inaccurate credit reports.

Do you mean the data is actually used to determine the credit of a business/individual?

Those two reddit plugins are great, particularly the comment collapse one. I'm used to using the Apollo reddit app now and I love its collapse feature (the native reddit one sucks).

Installed and will be using both. Please don't steal my data!

I disagree. Every time an add-on is updated in FF I get directed to the patch notes. RTFM.

This is absolutely not universally true.
