A similar list was also posted by another extension developer a few months ago: https://news.ycombinator.com/item?id=25884338.
Another thing I'd note for context is that Hover Zoom probably has a pretty broad hosts permission in order to allow it to operate on many types of sites (my extension, which is a web analytics DevTools extension, also needs an all hosts permission [to my chagrin, as it often makes the Chrome Web Store review process more difficult]) which I would imagine makes it a more appealing target.
- "expected $800/mo" for an affiliate ID injector
- "up to $50 per 1000 daily actives" for search engine override
The purchase requests largely take the form of "if you're interested in selling, please respond" and I don't really feel like opening that dialogue, so can't answer that part.
Injecting your id into unrelated pages gets you affiliate rewards sooner.
1. Allow app (or extension) developer to push new updates to the users without the consent of the users.
2. Not allow the app (or extension) developer to push malicious/dangerous updates.
I would prefer a system where all extensions that are installable by default without jumping through hoops are hand-reviewed by the same people who package my browser for me.
I generally oppose automatic updates and granting app/extension developers the ability to push code to my computer without my consent. I support a walled garden controlled by benevolent package maintainers.
This is where I think the traditional Linux package maintainer shines, protecting the user from malicious software. If a package maintainer (generally independent from the developer) packages software for a Linux distro, the package maintainer can drop harmful updates. If instead we give the developers free rein to push updates without user consent, the developers can and will sell out to the highest bidder.
1. Only distribute Free/Open Source software.
2. Only distribute software that somebody is there to package.
3. Allow the users to install other software and shoot themselves in the feet if they so desire.
Every operation by the package manager is a result of explicit user action.
In 2021, "absolutely no auto-anything" seems to guarantee your host will fall out of compliance and fall prey to hackers. How do you respond?
Of course, only security updates being enabled isn't such a bad thing, but in my experience any and all updates can break things sooner or later.
Sounds good in theory but that hasn't been battle tested in a mass product used by non-tech savvy people like Chrome extensions that are heavily targeted. On the other hand there have been breaches even in the packaging landscape.
Has this happened? Which distro?
With this you could implement something where once changes are detected, users have to manually opt-in. Users who care about such things could look at the changes and see that sketchy changes have been made.
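Added example (not from any commenter): one concrete form of the "detect changes, then require manual opt-in" idea is to diff the manifest of the installed extension against the manifest of the pending update and refuse to apply it silently when any permission, host pattern or content-script match has grown. The two manifests and the watch list of sensitive permissions below are constructed for this example; the key names (`permissions`, `host_permissions`, `content_scripts`) are the standard Manifest V3 ones.

```javascript
// Added example: compare an installed extension manifest with the manifest of
// a pending update and report privilege expansions that should block a silent
// install. Both manifests are constructed sample data, not a real extension.

const installedManifest = {
  name: "Example Zoom",
  version: "1.0.0",
  permissions: ["storage"],
  host_permissions: ["https://*.example.com/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["zoom.js"] }],
};

const updateManifest = {
  name: "Example Zoom",
  version: "1.1.0",
  permissions: ["storage", "webRequest", "tabs"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["zoom.js", "vendor.js"] }],
};

// Permissions whose appearance in an update deserves a human look. This is a
// hypothetical watch list for the example, not a list defined by any browser.
const SENSITIVE_PERMISSIONS = new Set([
  "webRequest", "webRequestBlocking", "tabs", "history", "cookies",
  "declarativeNetRequestWithHostAccess", "scripting", "nativeMessaging",
]);

// Items present in `after` but not in `before`.
function setDiff(before, after) {
  const b = new Set(before || []);
  return (after || []).filter((x) => !b.has(x));
}

function contentScriptMatches(manifest) {
  return (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
}

function contentScriptFiles(manifest) {
  return (manifest.content_scripts || []).flatMap((cs) => cs.js || []);
}

// A pattern that grants access to every site.
function isBroadHostPattern(h) {
  return h === "<all_urls>" || /^\*:\/\/\*\//.test(h) || /^https?:\/\/\*\//.test(h);
}

// Returns a structured report; `requiresOptIn` is true whenever the update
// asks for anything the installed version did not have.
function diffManifests(oldM, newM) {
  const addedPermissions = setDiff(oldM.permissions, newM.permissions);
  const addedHosts = setDiff(oldM.host_permissions, newM.host_permissions);
  const addedMatches = setDiff(contentScriptMatches(oldM), contentScriptMatches(newM));
  const addedScripts = setDiff(contentScriptFiles(oldM), contentScriptFiles(newM));
  const sensitive = addedPermissions.filter((p) => SENSITIVE_PERMISSIONS.has(p));
  const broadHost = [...addedHosts, ...addedMatches].some(isBroadHostPattern);
  return {
    addedPermissions,
    addedHosts,
    addedMatches,
    addedScripts,
    sensitive,
    broadHost,
    requiresOptIn:
      addedPermissions.length > 0 || addedHosts.length > 0 || addedMatches.length > 0,
  };
}

// Stand-alone run: print the report for the constructed pair of manifests.
console.log(JSON.stringify(diffManifests(installedManifest, updateManifest), null, 2));
```

New script files (`addedScripts`) are reported but do not by themselves force an opt-in, since a code change within existing permissions is exactly what a normal bug-fix release looks like; a real reviewer would want the file-level diff for those, which this check does not attempt.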
e.g. facebool.com or similar, presumably there's an interesting distribution of similar misspellings.
It seems like they should be more carefully sandboxed in some way.
Are there any proposals for fixing this?
For instance, see the new "Declarative Net Request" API, which allows you to specify certain transformations on requests in JSON, like blocking them if they match a regex, without knowing what the request is: https://blog.chromium.org/2019/06/web-request-and-declarativ...
In theory, this allows you to implement things like ad blockers without having high levels of access to the user's browsing behavior. In practice, it's very hard to make these APIs complete enough.
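Added example (not from the comment above or from Chromium): the point of the declarative model is that the extension ships a list of rules and the browser does the matching, so the extension never observes the request. The rule objects below use the shapes the `declarativeNetRequest` API defines (`id`, `priority`, `action.type`, `condition.urlFilter` / `regexFilter` / `resourceTypes`); the tiny matcher that evaluates them is a simplified stand-in written for this example so the semantics can be exercised offline, not the browser's implementation.

```javascript
// Added example: a minimal model of declarativeNetRequest rule evaluation.
// The rule list is what an extension would ship; the matcher below is a
// simplified stand-in for the browser's matching, written for this example.

const rules = [
  { id: 1, priority: 1,
    action: { type: "block" },
    condition: { urlFilter: "||tracker.example^", resourceTypes: ["script", "image"] } },
  { id: 2, priority: 1,
    action: { type: "block" },
    condition: { regexFilter: "^https?://[^/]+/ads/.*\\.js$", resourceTypes: ["script"] } },
  { id: 3, priority: 2,
    action: { type: "allow" },
    condition: { urlFilter: "||tracker.example/consent.js", resourceTypes: ["script"] } },
];

// Simplified urlFilter semantics for this model: a leading "||" anchors the
// pattern at a host boundary, "*" is a wildcard and "^" matches a separator.
function urlFilterToRegex(filter) {
  let body = filter;
  let prefix = "";
  if (body.startsWith("||")) {
    prefix = "^[a-z]+://([^/]*\\.)?";
    body = body.slice(2);
  }
  const escaped = body
    .replace(/[.+?()[\]{}|\\$]/g, (c) => "\\" + c)
    .replace(/\*/g, ".*")
    .replace(/\^/g, () => "(?:[^A-Za-z0-9_.%-]|$)");
  return new RegExp(prefix + escaped, "i");
}

function ruleMatches(rule, request) {
  const c = rule.condition;
  if (c.resourceTypes && !c.resourceTypes.includes(request.type)) return false;
  if (c.urlFilter && !urlFilterToRegex(c.urlFilter).test(request.url)) return false;
  if (c.regexFilter && !new RegExp(c.regexFilter).test(request.url)) return false;
  return true;
}

// Highest priority wins; on a tie an allow rule beats a block rule.
// Returns the action the browser would take and which rule decided it.
function evaluate(ruleList, request) {
  const matched = ruleList.filter((r) => ruleMatches(r, request));
  if (matched.length === 0) return { action: "pass", ruleId: null };
  matched.sort((a, b) => (b.priority - a.priority) || (a.action.type === "allow" ? -1 : 1));
  return { action: matched[0].action.type, ruleId: matched[0].id };
}

// Stand-alone run over a few constructed requests.
const sampleRequests = [
  { url: "https://cdn.tracker.example/pixel.png", type: "image" },
  { url: "https://tracker.example/consent.js", type: "script" },
  { url: "https://news.example/ads/banner.js", type: "script" },
  { url: "https://nottracker.example/x.js", type: "script" },
];
for (const req of sampleRequests) {
  console.log(req.type.padEnd(6), req.url, "->", JSON.stringify(evaluate(rules, req)));
}
```

What the example makes visible is the trade-off the comment describes: everything the rule language cannot express (a decision that depends on the response body, on page state, or on a list too large to ship as static rules) is out of reach for an extension that only has this API, which is why it is so hard to make the declarative surface complete.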
NXD - Non-Existent Domain - the domain that a user entered that resulted in a DNS error.
What's the catch here? Are they making the extension query invalid names like userspersonallyidentifiableinformation.com to exfiltrate data from NXDOMAINs?
- Trying to figure out commonly-mistyped domain names in order to buy them for ad placement.
- Trying to obtain confidential information that's accidentally pasted into the address bar.
- Trying to obtain internal domain names that someone tries to access while disconnected from a VPN or just physically outside the office.
- Legitimate research into how users mistype domain names, maybe to figure out how to think of names that are less likely to be mistyped.
I don't know offhand if modern browsers also do DNS lookups as the user is typing characters into the address bar, or just do Google/Bing/whatever queries as the user is typing. I know they do the latter (i.e. typing 'news.ycombinator.com' into the address bar will send queries for 'n', 'ne', 'new', 'news', and so on to the search engine), but I don't know if they're also still doing DNS lookups at each step as well. If they are, and the extension could capture all of those, then that could be an interesting way to collect users' search queries.
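Added example (not from any commenter) for the defender's side of the NXDOMAIN discussion above: given a resolver log, the question is how to tell ordinary typos like `facebool.com` and leaked internal hostnames from names that look like data being carried out in the query itself. The log format, the log lines, the allowlist of well-known domains and the thresholds are all constructed for this example; none of them come from the thread or from any real resolver.

```javascript
// Added example: triage NXDOMAIN responses from a resolver log. Log lines,
// the one-line-per-query format, the allowlist and the thresholds are all
// constructed for this example.

const sampleLog = `
2021-02-10T10:58:01Z client=10.0.0.5 q=facebool.com rcode=NXDOMAIN
2021-02-10T10:58:02Z client=10.0.0.5 q=news.ycombinator.com rcode=NOERROR
2021-02-10T10:58:05Z client=10.0.0.7 q=intranet-wiki.corp.local rcode=NXDOMAIN
2021-02-10T10:58:07Z client=10.0.0.9 q=6a6f686e2e646f6540636f72702e636f6d.t.collector.example rcode=NXDOMAIN
2021-02-10T10:58:08Z client=10.0.0.9 q=35353131323334353637383930313233.t.collector.example rcode=NXDOMAIN
2021-02-10T10:58:09Z client=10.0.0.9 q=q3dsearch-term-typed-by-user.t.collector.example rcode=NXDOMAIN
2021-02-10T10:58:11Z client=10.0.0.5 q=gogle.com rcode=NXDOMAIN
`;

const KNOWN_DOMAINS = ["facebook.com", "google.com", "news.ycombinator.com"]; // constructed allowlist
const INTERNAL_SUFFIXES = [".local", ".corp", ".internal", ".lan"];
const MAX_LABEL = 24;           // typed hostnames rarely have labels this long
const MAX_ENTROPY = 3.2;        // bits per character of the subdomain part
const MAX_NAMES_PER_DOMAIN = 3; // distinct NXDOMAIN names per client and registered domain

function parseLog(text) {
  const re = /^(\S+) client=(\S+) q=(\S+) rcode=(\S+)$/;
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map((l) => {
    const m = re.exec(l);
    if (!m) throw new Error("unparseable line: " + l);
    return { ts: m[1], client: m[2], name: m[3].toLowerCase(), rcode: m[4] };
  });
}

// Edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Shannon entropy in bits per character.
function entropy(s) {
  if (!s) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Crude "registered domain": last two labels (no public-suffix list here).
function registeredDomain(name) { return name.split(".").slice(-2).join("."); }

function classifyNxdomains(entries) {
  const nx = entries.filter((e) => e.rcode === "NXDOMAIN");
  const perDomain = new Map(); // client|registeredDomain -> set of distinct names
  for (const e of nx) {
    const key = e.client + "|" + registeredDomain(e.name);
    if (!perDomain.has(key)) perDomain.set(key, new Set());
    perDomain.get(key).add(e.name);
  }
  return nx.map((e) => {
    const labels = e.name.split(".");
    const sub = labels.slice(0, -2).join(".");
    const longest = Math.max(...labels.map((l) => l.length));
    const fanout = perDomain.get(e.client + "|" + registeredDomain(e.name)).size;
    let verdict;
    if (KNOWN_DOMAINS.some((k) => levenshtein(e.name, k) <= 2)) verdict = "typo";
    else if (INTERNAL_SUFFIXES.some((s) => e.name.endsWith(s))) verdict = "internal-name";
    else if (longest >= MAX_LABEL || entropy(sub) >= MAX_ENTROPY || fanout >= MAX_NAMES_PER_DOMAIN) verdict = "suspicious";
    else verdict = "other";
    return { client: e.client, name: e.name, verdict, longestLabel: longest, fanout };
  });
}

// Stand-alone run: one verdict per NXDOMAIN line.
for (const f of classifyNxdomains(parseLog(sampleLog))) {
  console.log(f.verdict.padEnd(13), f.client, f.name);
}
```

The "internal-name" bucket is the one the thread's VPN remark points at: those names are not malicious, but each one leaving the network tells an outside resolver something about the company's internal naming, which is a reason to keep split-horizon DNS or a local resolver in the path even when the VPN is down. A production version would replace the two-label registered-domain guess with a public-suffix list and the fixed allowlist with the organisation's own top-talker domains.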
I don't think I'd have been as kind.
Personally, I feel like that'd be a clear drawback to naming and shaming, even if I also support disclosure in general.
The most obvious things Google can do are to either limit the power of extensions and deprecate abusable APIs or to be much more stringent about human review of extensions, both of which they're doing and are justifiably unpopular.
In theory they could come up with some sort of "Any cooperation with third parties who pay you to add stuff to your extension gets your extension banned" rule, but it seems hard to write that rule in a way that distinguishes it from legitimate commercial activity.
> "Any cooperation with third parties who pay you to add stuff to your extension gets your extension banned" rule, but it seems hard to write that rule in a way that distinguishes it from legitimate commercial activity.
Requiring disclosure would make sense and not be a problem for "legitimate commercial activity", but also not sure how it would be enforced. I'm certainly no expert.
Same thing would work very well on Android. Got a shady app that can't access the internet? Who cares. Of course, Google trembles at the idea of being able to run apps without a constant connection to an advertising network.
Obviously some extensions have good reason to use the network, and there's no easy solution there. Some extensions change a color theme on a page and that's it; I wish those could be denied internet access.
I don't know about that. They seem to have too stringent non-human review, which is what I usually see complaints about.
I don't know what ad revenue CPMs are like, but surely any Chrome extension that gathers all web traffic (metadata, content and potentially credit card details) of 100,000 users is worth at least $0.1/user per month?
Especially if the users are predominantly from wealthy countries?
Are you laughing because you consider that figure on the low side or the high side?
As a dev of an extension with 10k users I get 3-4 emails a month in my spam which ask me to monetize my extension by secretly changing its users' search engines. My extension is open-source and quite small, but if the change was sneaked in I think most of the users would not notice. I stick to using userscripts for the most part since you can easily check their downloaded source and disable updates.
Beth Anderson <firstname.lastname@example.org> Mon 10:58 AM To: Mostly Spam <email@example.com>
I am Beth and I am offering monetization for browser extensions, with everything that is going on our team was extremely focused and productive in creating a way to earn revenue on extensions.
We offer to change default search to Bing or Yahoo on your extension which can earn up to $800 a month per 5000 users. This is a premium product by invitation only and can easily be added to your chrome extensions.
You might be curious to know if it is allowed? And I must say that this is completely allowed! Please reply to this email to discuss this further!
Looking forward to hearing from you!
Business Development Manager
If you want to refer to what you posted someplace else that's great, but a link is the tool for that job. In rare cases you could always ask us at firstname.lastname@example.org to move your comment to a different place, if it's much more relevant there.