Thanks for posting this. I actually submitted the link myself a few months ago, but the HN ranking algorithm didn't pick it up back then: https://news.ycombinator.com/item?id=25907905
Anecdata: I develop an open source Chrome extension that's fairly niche but has about 80k active users, and I still get emails like this a couple of times a year. They tend largely to be offers for outright buying the extension (and thus the install base, presumably to augment with ad- or malware); it's interesting to see how these kinds of offers to a more generally popular extension differ a bit (seemingly more asks to collect & sell user data rather than just taking over ownership).
Another thing I'd note for context is that Hover Zoom probably has a pretty broad hosts permission in order to allow it to operate on many types of sites (my extension, which is a web analytics DevTools extension, also needs an all-hosts permission [to my chagrin, as it often makes the Chrome Web Store review process more difficult]), which I would imagine makes it a more appealing target.
- "up to $50 per 1000 daily actives" for search engine override
The purchase requests largely take the form of "if you're interested in selling, please respond" and I don't really feel like opening that dialogue, so can't answer that part.
Affiliate marketing pays out a fee to an affiliate (i.e. referral source) when a user makes a purchase, normally to the last-touch source using a unique affiliate ID (e.g. Wirecutter constructs an Amazon link that contains their ID, so they get some money back when you buy one of their recommended products). With certain extension permissions, malicious actors can replace these instances of IDs with their own, or cause all Amazon links to contain their affiliate ID, etc., thus falsely claiming that payout for themselves.
Amazon pays affiliates money each time they refer you to purchase something on Amazon. They check the referral by giving you an affiliate ID, which you can add as a query param to URLs on your pages.
Injecting your id into unrelated pages gets you affiliate rewards sooner.
I imagine it injects affiliate links, i.e. if you search for something on Amazon, the affiliate payment would be attributed to the extension's owner. This would include overwriting existing affiliate links too.
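One way a defender can check for the affiliate-ID replacement the comments above describe is to compare the links a page served with the links now present in the DOM. This is an added example, not code from the thread; it assumes you can fetch the original HTML separately, and the link lists and the `reviewsite-20` / `attacker-20` tags are constructed samples.

```javascript
// Added example (not from the thread): audit a page's Amazon links for
// affiliate tags that were injected or replaced after the HTML was served.
// Assumes the original HTML was fetched separately and each original href is
// paired by index with the href now in the DOM; the lists are constructed.
const AMAZON_HOST = /(^|\.)amazon\.[a-z.]+$/i;

// Return the affiliate tag ("tag" query parameter) of an Amazon URL, or null
// for non-Amazon or unparsable hrefs and for Amazon links without a tag.
function affiliateTag(href) {
  let url;
  try { url = new URL(href); } catch { return null; }
  if (!AMAZON_HOST.test(url.hostname)) return null;
  return url.searchParams.get("tag");
}

// Report every link whose tag was added or swapped between the served HTML
// and the live DOM. A tag that was merely removed is not counted as theft.
function auditAffiliateLinks(originalHrefs, liveHrefs) {
  const findings = [];
  for (let i = 0; i < originalHrefs.length; i++) {
    const expected = affiliateTag(originalHrefs[i]);
    const found = affiliateTag(liveHrefs[i]);
    if (found !== null && found !== expected) {
      findings.push({
        index: i, expected, found,
        kind: expected === null ? "injected" : "replaced",
      });
    }
  }
  return findings;
}

// Constructed sample: hrefs as served vs. hrefs as seen in the live DOM.
const ORIGINAL_HREFS = [
  "https://www.amazon.com/dp/B000EXAMPLE?tag=reviewsite-20",
  "https://www.amazon.com/dp/B000EXAMPLE",
  "https://news.ycombinator.com/",
];
const LIVE_HREFS = [
  "https://www.amazon.com/dp/B000EXAMPLE?tag=attacker-20",
  "https://www.amazon.com/dp/B000EXAMPLE?tag=attacker-20",
  "https://news.ycombinator.com/",
];

console.log(auditAffiliateLinks(ORIGINAL_HREFS, LIVE_HREFS));
```

In a real page the live list would come from `[...document.querySelectorAll("a[href]")].map(a => a.href)` and the original list from the same selector run over a parsed copy of the fetched HTML.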
It seems there is a major conflict between the following two goals:
1. Allow app (or extension) developer to push new updates to the users without the consent of the users.
2. Not allow the app (or extension) developer to push malicious/dangerous updates.
I would prefer a system where all extensions that are installable by default without jumping through hoops are hand-reviewed by the same people who package my browser for me.
I generally oppose automatic updates and granting app/extension developers the ability to push code to my computer without my consent. I support a walled garden controlled by benevolent package maintainers.
This is where I think the traditional Linux package maintainer shines, protecting the user from malicious software. If a package maintainer (generally independent from the developer) packages software for a Linux distro, the package maintainer can drop harmful updates. If instead we give the developers free rein to push updates without user consent, the developers can and will sell out to the highest bidder.
Seems valid to want someone to vet your software, especially if it’s capable of self-upgrade. But I also think that’s an expensive process, and one that Google probably doesn’t want to pay for. People seem very up-in-arms about App Store fees but then complain when unmanaged stores produce mounds of garbage and/or malicious software.
By default, many distros already install urgent security patches automatically. I'm pretty sure Debian does it for me, but I cannot remember all of the details.
In 2021, "absolutely no auto-anything" seems to guarantee your host will fall out of compliance and fall prey to hackers. How do you respond?
To me it seems like there is a different trend happening - Ubuntu now has snaps which auto update and you no longer can get some software without them, whereas even Debian comes with unattended upgrades enabled in some cloud vendors.
Of course, only security updates being enabled isn't such a bad thing, but in my experience any and all updates can break things sooner or later.
> This is where I think the traditional Linux package maintainer shines, protecting the user from malicious software. If a package maintainer (generally independent from the developer) packages software for a Linux distro, the package maintainer can drop harmful updates. If instead we give the developers free rein to push updates without user consent, the developers can and will sell out to the highest bidder
Sounds good in theory but that hasn't been battle tested in a mass product used by non-tech savvy people like Chrome extensions that are heavily targeted. On the other hand there have been breaches even in the packaging landscape.
To expand on this, the opposite has been true. IIUC Firefox telemetry is enabled for all binary downloads from the Mozilla website by default, but every distro package manager worth its salt has it disabled. So the system is actually working as intended.
Note that browser extensions are reviewed by humans, as are updates to them. You also need to pay a nominal fee ($5 by credit card) to submit an extension to the Chrome store, to avoid spammers.
Chrome extensions are generally not subject to human review. I maintained one with 50k+ weekly actives for about 3 years and I think out of probably ~500+ updates I had at most 10 go through human review, and most of those were due to a fraudulent DMCA claim (they started doing manual reviews afterward for a bit, then stopped again).
At the very least Google should detect "significant" changes in ownership and/or the underlying account for extensions that have "important" permissions.
With this you could implement something where once changes are detected, users have to manually opt-in. Users who care about such things could look at the changes and see that sketchy changes have been made.
Most of the work that the Chrome folks have been doing on web extensions recently has specifically been to make finer-grained APIs to do the sorts of things extensions do without giving them full access to edit pages etc.
For instance, see the new "Declarative Net Request" API, which allows you to specify certain transformations on requests in JSON, like blocking them if they match a regex, without knowing what the request is: https://blog.chromium.org/2019/06/web-request-and-declarativ...
In theory, this allows you to implement things like ad blockers without having high levels of access to the user's browsing behavior. In practice, it's very hard to make these APIs complete enough.
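As an added illustration of the API the comment above describes (not code from the thread or from Chrome), here is a small declarativeNetRequest rule set: one rule blocks scripts by regex, the other strips a query parameter, and neither gives the extension access to request contents. The `updateDynamicRules` call and rule fields are the real API; the hostnames are assumptions, and `localMatches()` is a simplified stand-in for Chrome's matcher so the rules can be sanity-checked outside the browser.

```javascript
// Added example: declarativeNetRequest rules of the kind described above.
// Hostnames (tracker.example, shop.example) are assumptions for this example.
const RULES = [
  {
    id: 1,
    priority: 1,
    action: { type: "block" },
    // Block third-party tracker scripts by regex; the extension never sees
    // the request body or response, only declares the rule.
    condition: {
      regexFilter: "^https://[a-z0-9.-]*\\.tracker\\.example/.*\\.js$",
      resourceTypes: ["script"],
    },
  },
  {
    id: 2,
    priority: 1,
    // Remove a tracking parameter instead of blocking the navigation.
    action: {
      type: "redirect",
      redirect: { transform: { queryTransform: { removeParams: ["utm_source"] } } },
    },
    condition: { regexFilter: "^https://shop\\.example/", resourceTypes: ["main_frame"] },
  },
];

// In an extension's service worker: (re)register the rules as dynamic rules.
// Removing the same ids first makes the call idempotent across reloads.
function installRules() {
  return chrome.declarativeNetRequest.updateDynamicRules({
    removeRuleIds: RULES.map(r => r.id),
    addRules: RULES,
  });
}

// Simplified local approximation of Chrome's matching (assumed helper, not
// part of the API): checks only regexFilter and resourceTypes, and returns
// matching rules highest priority first. Chrome uses RE2 and more fields.
function localMatches(url, resourceType, rules = RULES) {
  return rules
    .filter(r => new RegExp(r.condition.regexFilter).test(url)
      && r.condition.resourceTypes.includes(resourceType))
    .sort((a, b) => b.priority - a.priority);
}
```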
All new extensions are manually vetted now, and there is manifest v3, but there has been a lot of concern about the effect of this on adblockers so progress has been slow.
"The data we’re interested in are basically just DNS errors:
NXD – Non Existent Domain - the domain that a user entered that resulted in a DNS error.
[...]"
What's the catch here? Are they making the extension query invalid names like userspersonallyidentifiableinformation.com to exfiltrate data from NXDOMAINs?
- Trying to figure out commonly-mistyped domain names in order to buy them for ad placement.
- Trying to obtain confidential information that's accidentally pasted into the address bar.
- Trying to obtain internal domain names that someone tries to access while disconnected from a VPN or just physically outside the office.
- (If the extension could catch all non-existent domain errors, not just ones from typing in the address bar) attempting to find abandoned domains that are still referenced by JavaScript and whatnot in order to buy them. This could potentially be used to inject content (probably ads) into the systems that still reference those domains.
- Legitimate research into how users mistype domain names, maybe to figure out how to think of names that are less likely to be mistyped.
I don't know offhand if modern browsers also do DNS lookups as the user is typing characters into the address bar, or just do Google/Bing/whatever queries as the user is typing. I know they do the latter (i.e. typing 'news.ycombinator.com' into the address bar will send queries for 'n', 'ne', 'new', 'news', and so on to the search engine), but I don't know if they're also still doing DNS lookups at each step as well. If they are, and the extension could capture all of those, then that could be an interesting way to collect users' search queries.
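On the defensive side, the NXDOMAIN collection the comments above speculate about leaves a trace in resolver logs: a client emitting a burst of NXDOMAIN responses for names with long, unique leftmost labels looks very different from a user mistyping a domain or leaking an intranet name off-VPN. This is an added example, not code from the thread; the log lines and their key=value format are constructed, and the thresholds are illustrative.

```javascript
// Added example: flag clients whose NXDOMAIN lookups look like data being
// carried out in query names. Log lines are constructed for this example;
// the key=value format is not any specific resolver's output.
const SAMPLE_LOG = [
  "2021-05-03T10:00:01Z client=10.0.0.5 qname=news.ycombinator.com rcode=NOERROR",
  "2021-05-03T10:00:02Z client=10.0.0.5 qname=gogle.com rcode=NXDOMAIN",
  "2021-05-03T10:00:05Z client=10.0.0.5 qname=faceboook.com rcode=NXDOMAIN",
  "2021-05-03T10:00:06Z client=10.0.0.12 qname=wiki.corp.internal rcode=NXDOMAIN",
  "2021-05-03T10:00:07Z client=10.0.0.9 qname=0a1b2c3d4e5f60718293a4b5c6d7e8f9.collector.example rcode=NXDOMAIN",
  "2021-05-03T10:00:08Z client=10.0.0.9 qname=1b2c3d4e5f60718293a4b5c6d7e8f90a.collector.example rcode=NXDOMAIN",
  "2021-05-03T10:00:09Z client=10.0.0.9 qname=2c3d4e5f60718293a4b5c6d7e8f90a1b.collector.example rcode=NXDOMAIN",
  "2021-05-03T10:00:10Z client=10.0.0.9 qname=3d4e5f60718293a4b5c6d7e8f90a1b2c.collector.example rcode=NXDOMAIN",
  "2021-05-03T10:00:11Z client=10.0.0.9 qname=4e5f60718293a4b5c6d7e8f90a1b2c3d.collector.example rcode=NXDOMAIN",
];

// Parse "key=value" tokens from one log line into an object.
function parseLine(line) {
  const rec = {};
  for (const tok of line.split(/\s+/)) {
    const eq = tok.indexOf("=");
    if (eq > 0) rec[tok.slice(0, eq)] = tok.slice(eq + 1);
  }
  return rec;
}

// Per-client NXDOMAIN stats: how many, and how long the leftmost label is on
// average. Typos and leaked intranet names give short labels; encoded data
// smuggled into a query name gives long ones.
function nxdomainStats(lines) {
  const perClient = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (rec.rcode !== "NXDOMAIN" || !rec.client || !rec.qname) continue;
    const s = perClient.get(rec.client) || { client: rec.client, nxdomain: 0, labelChars: 0 };
    s.nxdomain += 1;
    s.labelChars += rec.qname.split(".")[0].length;
    perClient.set(rec.client, s);
  }
  return [...perClient.values()].map(s => ({
    client: s.client, nxdomain: s.nxdomain, meanLabelLength: s.labelChars / s.nxdomain,
  }));
}

// Flag clients with a burst of NXDOMAINs whose leftmost labels are long.
// Thresholds are illustrative; tune them against your own resolver's baseline.
function detectNxdomainExfil(lines, minCount = 5, minLabelLength = 20) {
  return nxdomainStats(lines)
    .filter(s => s.nxdomain >= minCount && s.meanLabelLength >= minLabelLength);
}
```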
Maybe they just want to buy these domains.
I imagine that available domains people query a lot can be resold for a lot of money.
Or they are into typosquatting.
Maybe to stop giving them publicity? Or maybe some of those people are not representing the actual company or its work, so people might mistake legit companies as bad.
The publicity from trying to bribe extension developers would not benefit the companies doing this. If the people doing this aren't representing the companies, you'd think they would want to know so they can stop it. Either way, they should be named and shamed.
Yep, this would also be useful for devs who only care about money, so that they can reach out to the more promising companies of these and see whether they can monetize their extensions as well.
Personally, I feel like that'd be a clear drawback to naming and shaming, even if I also support disclosure in general.
The most obvious things Google can do are to either limit the power of extensions and deprecate abusable APIs or to be much more stringent about human review of extensions, both of which they're doing and are justifiably unpopular.
In theory they could come up with some sort of "Any cooperation with third parties who pay you to add stuff to your extension gets your extension banned" rule, but it seems hard to write that rule in a way that distinguishes it from legitimate commercial activity.
That they are aware of the growing problem and here's what they plan to do about it. I don't know what that would be.
> "Any cooperation with third parties who pay you to add stuff to your extension gets your extension banned" rule, but it seems hard to write that rule in a way that distinguishes it from legitimate commercial activity.
Requiring disclosure would make sense and not be a problem for "legitimate commercial activity", but also not sure how it would be enforced. I'm certainly no expert.
You could make it so the ability to access the network is a permission you have to grant to extensions. Got a shady extension that can't access the internet? Who cares.
Same thing would work very well on Android. Got a shady app that can't access the internet? Who cares. Of course, Google trembles at the idea of being able to run apps without a constant connection to an advertising network.
Isn't the point here, though, that the shady people reach out to try and buy control of non-shady extensions? How would you know whether or not your previously non-shady extension is now shady?
If the extension cannot access the network to send data anywhere, what's the worst that could happen in that scenario?
Obviously some extensions have good reason to use the network, and there's no easy solution there. Some extensions change a color theme on a page and that's it; I wish those could be denied internet access.
> The most obvious things Google can do are to either limit the power of extensions and deprecate abusable APIs or to be much more stringent about human review of extensions, both of which they're doing and are justifiably unpopular.
I don't know about that. They seem to have too much stringent non-human review, which is what I usually see complaints about.
True. I guess I meant they could say "We default to not allowing extensions unless a human thinks the extension is a good idea," which will produce a similar outcome to the status quo - non-human review that has a high reject rate plus a frustrating human override process.
I don't know what ad revenue CPMs are like, but surely any Chrome extension that gathers all web traffic (metadata, content and potentially credit card details) of 100,000 users is worth at least $0.1/user per month?
Especially if the users are predominantly from wealthy countries?
Are you laughing because you consider that figure on the low side or the high side?
As a dev of an extension with 10k users I get 3-4 emails a month in my spam which ask me to monetize my extension by secretly changing its users' search engines. My extension is open-source and quite small, but if the change was sneaked in I think most of the users would not notice. I stick to using userscripts for the most part since you can easily check their downloaded source and disable updates.
Example:
Beth Anderson <beth@monetize-extensions.com> Mon 10:58 AM To: Mostly Spam <dev@x-ing.space>
Hello
I am Beth and I am offering monetization for browser extensions, with everything that is going on our team was extremely focused and productive in creating a way to earn revenue on extensions.
We offer to change default search to Bing or Yahoo on your extension which can earn up to $800 a month per 5000 users. This is a premium product by invitation only and can easily be added to your chrome extensions.
You are might curious to know if it is allowed? And I must say that this is completely allowed! Please reply to this email to discuss this further!
There must be something more that they want as well? Seems very strange that Microsoft and Yahoo would be interested in paying big bucks to lure people to their search engines through some dodgy extensions?
Yeah, when I first shared it in a developer discord server I joked that Microsoft was operating a black market Bing-conversion program. Seems too shady even for Microsoft though. I guess they want me to inject ads/trackers into the results, but I don't see how it's easier with these search engines?
If you want to refer to what you posted someplace else that's great, but a link is the tool for that job. In rare cases you could always ask us at hn@ycombinator.com to move your comment to a different place, if it's much more relevant there.
A similar list was also posted by another extension developer a few months ago: https://news.ycombinator.com/item?id=25884338.