The "Window Resizer" extension for Chrome now contains malware (2013) (productforums.google.com)
230 points by iamartnez 1348 days ago | 116 comments




One thing I wish I had called out more clearly in my post ("See it in action") was the fact that the "feature" would re-enable itself after every update of the extension, which seemed to be quite frequently.

It's a shame; it really was a feature-packed, helpful extension.


No it doesn't re-enable after any update. It only re-enables if you uninstall the extension and install it back, because settings are lost and it switches to the default. Please check your facts before making such claims, ok? Anyone with minimal JavaScript skills can look at the source code and see exactly what's happening!

Thanks!


Whether or not it was your intention or the design of your extension, that was the behavior I observed - hence my factual claim.

I've looked deeply into your extension and you did a very nice, impressive job. I don't believe anyone is discounting the quality of your work here. The pattern you exhibited by enabling the ecolinks feature by default (right or wrong) simply highlighted, for many, the risks inherent in granting browser extensions such great permissions to the browser.


What is more interesting is the reaction from the developer himself. He seems to be completely unimpressed by the criticism. Noting that one permits Chrome extensions to do stuff, and they would have seen this permission the extension required when they updated or installed it.

Furthermore, he is quoted as joking about how he could have sold the extension to someone to get your passwords and whatnot (but assures us that he hasn't done so).


That is interesting.

It could be criticism of the existing system. Or he could have other goals/intentions.


He asks specifically if he has broken some rules in Google Chrome's terms of service, where another user replies with quotations from the ToS. He barks at that saying his extension is allowed to do what he does, because his extension does reveal exactly what it does, if you read its permissions carefully.

Although, I cannot confirm whether that is true, but that's what he is saying.

I have no idea what he is up to; but aren't extensions supposed to be reviewed if they're in the extension catalogue?


He does indicate the user gives the OK to 'access all data on all websites' - like most extensions do, come to think of it. I do think things like that should be more fine-grained, and/or that developers have to indicate /why/ they need that access.


I really, really have a problem with this permission:

- For a very few extensions, I allow it, but it is very clear that it is an open gateway for hackers,

- Most often, I deeply regret I can't even tell Chrome that I allow the extension on a subset of sites... At least not my gmail please...

- So the base rule is, never install something which requires all perms, obviously.

Users have been warned properly. They're at the mercy of untrustable people.


Problem is, almost no user will ever actually READ any message. They'll just click "OK".


They seem to have an automated review process unless the extension is flagged for manual review. Source - https://developers.google.com/chrome/web-store/faq#faq-gen-0....


In my experience, the review is only for the first upload. Updates don't seem to be reviewed?


Yeah, seems like they should maybe institute some type of manual review for any type of "global" permissions. It would impede the well-behaving apps that legitimately need global permissions, but it might be worth it.


... or incentivize them not to request universal permissions.


Since Chrome auto-updates extensions, users are likely not aware of this change.

I've been using the extension for several months until I noticed the transparent redirection. In fact, the only reason I noticed the redirect is when it failed. I clicked on a Google search result and got stuck on a blank page like this:

    http://ecolink3.ecosia.org/?key=3cdcd4dc082e3c7b860abe4608b6925d&out=http%3A%2F%2Fwww.usatoday.com%2Fstory%2Fpopcandy%2F2013%2F01%2F15%2Ffred-armisen-ira-glass-this-american-life%2F1836079%2F&cuid=2


It's kind of creepy how close that domain name is to my own domain (and username here). Definitely elicited a double take when I saw it.


Google made a big mistake by not including a GUI option to manage auto-updates. I write an extension that interacts with data on a financial website, and this policy of forcing automatic updates on all extensions is dangerous. It means I can not guarantee my users my extension is 100% safe, even if they audit its javascript files, because if I were a bad guy, I would still have the power to update the code in the dead of night. It's not very attractive to tell users they can only protect themselves if they both understand javascript, and also dig through files to manually disable auto-updates.


> Since Chrome auto-updates extensions

How do you disable this?


Not sure if you can or not, but you can use this: https://chrome.google.com/webstore/detail/extensions-update-...

Which pops up a toast notification whenever an extension gets updated so you can investigate (Chrome doesn't force changelogs on updates either so you might have to dig deeper into the code).

If you don't mind having another extension which could be doing nefarious things.


Thanks, it's better than nothing at least.

[Rant: the whole concept of auto-update-by-default is stupid. /Rant]


If there was something like »Updates for your extensions are available, install them now?« would it really help or would most users just say »yes«? They'd have no way of verifying that the update is benign or not anyway.


It should be more like "Updates for your extensions are available; they will be installed when Chrome is restarted. [OK] [Cancel automatic updates]".

Or basically anything that gives you the option to avoid doing so.


I've never been a fan of automatic updates for this reason. Changing things silently, while seemingly praised by some "usability experts", implies taking away user choice and replacing it with submissiveness. It's creepy.


Same thing happened to me. Wouldn't have noticed if the redirect hadn't failed a couple of times.


Whoa, wait. One guy in this thread is claiming that Window Resizer was sending all your keystrokes back to a central server based on what he saw in Wireshark. Can anyone else verify this? I've had this extension installed for...a year, at least. Do I need to now go change every single password on every site because chances are it's been keylogged? This is insane.


The developer also seems to claim that the keylogger exists as well. If you want to take his word for it as well.


I just can't even fathom. Like, every email I've typed. Every interaction with any site. Credit card numbers.

How is this not entirely illegal?

And it certainly shows an incredible flaw in Chrome extensions. This extension didn't do this when I installed it. A silent auto-update though basically turned it into the worst malware I've ever had installed on my computer. How can any Chrome extension ever be trusted?

Furthermore, I spend a lot of time in Chrome Dev Tools, and the Network tab and I are no stranger. I would easily have noticed if my keystrokes were being sent back to a server and it was shown in there. So not only can an extension be silently updated, but it's capable of using a network connection that doesn't appear in the Chrome Network tab, that only Wireshark can reveal? That seems almost as ridiculous as what the extension author did.


A Chrome extension can make network connections that you won't (normally) see in Dev Tools using a background page. You'll see the connections if you inspect the background page directly but most users won't.

Unfortunately this is simply a byproduct of the web's (and browsers') botched security model; there is no way to allow extensions to modify pages without them being able to read the pages, and if they can read the pages they naturally can catch events, including keystrokes.

This is why you should think - hard - whenever allowing any extension with that permission. It could autoupdate at any time to include malware.

There are a lot of bad extensions out there. I've encountered quite a few. It's a wide-open vector for exploitation and it happens all the time. Just last month I came across a game extension (super mario clone) that contained jQuery. Upon further inspection, it turned out it had been re-minified (making diffs difficult) and had a few lines deep inside that hijacked ads and replaced them with the author's ad network. Silent, effective, and this extension was on the 'top lists' for months. It might even still be there.

Be very aware of the permissions an extension asks for.


Pop fiddler on your machines and look for yourselves.


> How is this not entirely illegal?

Depending on where you live, this might very well be illegal. Unauthorized access and recording of private information of an IT-System is covered in some hacking paragraphs, in the US and the EU (in the EU maybe as part of the cyber attack tools, as the keylogger would have recorded passwords).


That, my friend, sounds exactly as ridiculous as you are! If you know your JavaScript you can look at the source code and see that the extension is doing none of that. If not, you can try wireshark for yourself and see that there is no keystroke sent anywhere. The guy that made the claim is a complete A-hole that wanted to see the extension being remove from the webstore at any cost, including committing perjury.


What are Chrome extensions written in? I don't use Chrome but if it's JS then it wouldn't be difficult to verify these claims.


It isn't. You can just download the crx, unzip it and go to town. You can acquire the crx by downloading it from https://clients2.google.com/service/update2/crx?response=red... (replace the EXTENSIONIDHERE)


They're in JavaScript.


Where did you see that from the author?


Technically, he is quoted by another poster further up in the discussion. But the developer does not deny this quote.


Holy crap? Do you honestly think I can monitor the whole internet so I can deny every affirmation made by some random dude?

Look! I deny it now, ok?! I haven't done anything like that. I just mentioned somewhere that it is technically possible to do such thing in an attempt to increase users' awareness about what would truly be a "horrible thing", unlike my attempt to support further development of my extension through advertising.


That's why I asked. I saw a few accusations of it, but in all the referenced threads, could not locate you mentioning the accusation at all. I've not used the extension in a while, otherwise I would have dug into the JS itself to answer the question.


Where do I claim that?!! WTF?!


I wrote an extension (HTTP Switchboard) which can log and filter behind-the-scene requests, which also comprise net requests made by extensions. I suppose this could be used to validate that an extension connects to a remote server. In any case, it can be set to selectively block/allow net traffic of extensions.

Even without this extension, it is possible to open the dev console of a specific extension and look at the detailed net traffic of a specific extension in the network tab. Somewhat simpler than running wireshark, so more within reach of the average user.


I googled the problem and opted out of Ecosia from the extension settings when I noticed my URLs getting redirected every time. But I had no idea that extensions can 'Access all data on all the websites'. Now I notice most of my extensions like Web Developer, Page Ruler, Web Font Previewer have this permission. Need further clarification from the Chrome team as to what this exactly is. Passwords? Credit card numbers? Can they also be accessed by the extensions?


Pretty much, yeah. The 'access all data on all websites' permission basically gives the extension access to injecting Javascript in all of your pages, which gives the extension full access to the DOM, and thus access to password and credit card fields.
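As an added illustration of what the "access your data on all websites" warning is keyed on (this is example code written for this page, not the Window Resizer extension's own code), the function below takes the manifest.json you get after unpacking a .crx and flags the host permissions and content-script match patterns that cover every site. The manifest it audits is constructed for the demo and is not the real extension's manifest; `auditManifest` and `isAllSitesPattern` are names chosen here. Since Chrome auto-updates extensions, the useful habit is to re-run a check like this on each new version, not just on first install.

```javascript
// Added example (not the extension's code): flag the host permissions that
// trigger Chrome's "access your data on all websites" warning, given a
// manifest.json from an unpacked .crx. Manifest V2 layout, as used in 2013.

// Schemes that, combined with a wildcard host, cover essentially every site.
const BROAD_SCHEMES = new Set(['*', 'http', 'https']);

// '<all_urls>' is Chrome's literal keyword; otherwise parse a match pattern
// (scheme://host/path) and report true when the host is the bare wildcard.
function isAllSitesPattern(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\/(.*)$/.exec(pattern);
  if (!m) return false;
  return BROAD_SCHEMES.has(m[1]) && m[2] === '*';
}

// Walk both places a manifest can grant page access: the "permissions"
// array (host permissions for XHR / tabs access) and each content script's
// "matches" (where its JavaScript gets injected, with full DOM access).
function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (typeof p === 'string' && isAllSitesPattern(p)) {
      findings.push({ where: 'permissions', pattern: p });
    }
  }
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) {
      if (isAllSitesPattern(p)) {
        findings.push({
          where: `content_scripts[${i}].matches`,
          pattern: p,
          js: cs.js || [],   // the scripts that will run inside every page
        });
      }
    }
  });
  return findings;
}

// Constructed manifest for the demo; not the real Window Resizer manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Example Resizer',
  version: '1.0',
  permissions: ['tabs', 'storage', 'http://*/*', 'https://*/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};

// Human-readable summary; all-sites access means every password and credit
// card field the user types into is readable by the injected script.
function summarize(manifest) {
  return auditManifest(manifest).map(
    (f) => `${f.where}: ${f.pattern}` + (f.js ? ` -> injects ${f.js.join(', ')}` : '')
  );
}

console.log(summarize(SAMPLE_MANIFEST).join('\n'));
```

A pattern such as `*://*.google.com/*` is not flagged, which is the kind of scoped grant the thread wishes Chrome let users enforce; the point of the check is that the difference between "this one site" and "everything you type anywhere" is a single string in the manifest.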


This comment from Paul Irish suggests that there was no keylogger: https://news.ycombinator.com/item?id=7048862


He's talking about a different extension.


Whoops, you're right.

Do we have any confirmation other than from jollymonsa on the Chrome Forums that there was in fact a keylogger?


The linked discussion is back from mid-December and the extension has been removed from the Chrome Web Store:

https://chrome.google.com/webstore/detail/window-resizer/kke...


This is true, but existing Chrome users aren't notified when an extension is removed from the store. I had no idea of this malware until it surfaced when the redirect failed.


Smooth Gestures (lfkgmnnajiljnolcgolmmgnecgldgeld) has done the same thing for well over a year now. I (and many others) reported the addon to Google, but it still remains.

What does it take to get something like this removed?


In the extension text, they say: "This extension is ad supported, you can disable your support by going to the options and making a one-time donation. We depend on your support, but we understand if you would prefer to withhold it."

This, from what I can tell, plays within the bounds of Chrome's policy on extensions.

(I also spent some time looking at the extension source to verify that the only annoying thing they do is inject ads according to this whitelist: http://goo.gl/3WAej6 Nothing else caught my eye. )


https://developers.google.com/chrome/web-store/program_polic...

Of all the stuff under "Interfering with Third-party Ads and Websites", it only complies with "This behavior is clearly disclosed to the user." IMO obviously.


The extension did more than just add ads. A javascript listener for the click event was attached to each link on the result page.

If the user hovered with his mouse over a link, he couldn't tell the link would lead him to http://www.ecosia.org/. But this is exactly what was happening, because the click listener was changing the URL only after the user clicked.

So now the user was redirected to http://www.ecosia.org/ along with a bunch of parameters, including the original query and the original URL, and from there http://www.ecosia.org/ redirected the user to the original URL (after logging whatever it wanted to log), without the user having a way to notice what had just happened (unless looking in the dev console).

The fact that the URL was changed only after the user clicked is quite a hint that deception was intended there.
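The mechanism described in the comment above, modelled as an added example (this is illustrative code written for this page, not the Window Resizer extension's source): the link's `href` is left alone so that hovering shows the real destination, and is swapped for a proxy URL only inside the click handler, right before navigation. The same block includes the check a user could apply, comparing the `href` seen on hover with the one present after the click, and a helper that recovers the real destination from a proxy URL of the shape quoted earlier in the thread. `FakeAnchor`, `wrapUrl`, `unwrapUrl`, `installClickHijack` and `clickChangesHref` are names chosen here, the partner key and cuid values are made up, and the proxy origin is taken from the URL quoted in the thread. Runs under Node 15 or later, which provides `EventTarget`, `Event` and `URL` globally.

```javascript
// Added example (not the extension's code): click-time link rewriting and a
// check for it. Requires Node >= 15 for the global EventTarget / Event / URL.

// Origin taken from the failed redirect quoted earlier in the thread.
const PROXY_ORIGIN = 'http://ecolink3.ecosia.org';

// Build the proxied URL: the real target is carried in the "out" parameter
// alongside an affiliate key and a click id, as in the quoted URL.
function wrapUrl(originalUrl, partnerKey, cuid) {
  const u = new URL('/', PROXY_ORIGIN);
  u.searchParams.set('key', partnerKey);
  u.searchParams.set('out', originalUrl);
  u.searchParams.set('cuid', String(cuid));
  return u.toString();
}

// Recover the real destination from a proxied URL (where the user would have
// landed had the redirect not failed). Returns null for any other URL.
function unwrapUrl(href) {
  let u;
  try { u = new URL(href); } catch { return null; }
  if (u.origin !== PROXY_ORIGIN) return null;
  const out = u.searchParams.get('out');
  return out && /^https?:\/\//.test(out) ? out : null;
}

// Minimal stand-in for an <a> element so the demo runs outside a browser.
class FakeAnchor extends EventTarget {
  constructor(href) { super(); this.href = href; }
}

// The pattern the thread describes: do not touch href up front (hover and
// right-click show the real URL); rewrite it in the click listener, which
// runs before the browser's default navigation reads href.
function installClickHijack(link, partnerKey, cuid) {
  link.addEventListener('click', () => {
    link.href = wrapUrl(link.href, partnerKey, cuid);
  });
}

// Defensive check: remember what the link said on hover, then compare after
// a click has been dispatched. A changed href means a click-time rewrite.
function clickChangesHref(link) {
  let hoverHref = null;
  link.addEventListener('mouseover', () => { hoverHref = link.href; });
  link.dispatchEvent(new Event('mouseover'));
  link.dispatchEvent(new Event('click'));
  return { hijacked: link.href !== hoverHref, hoverHref, clickHref: link.href };
}

// Demo on a constructed link with a made-up key and click id.
const demo = new FakeAnchor('http://www.usatoday.com/story/example/');
installClickHijack(demo, 'deadbeef00', 2);
const result = clickChangesHref(demo);
console.log(result.hijacked ? 'href changed on click' : 'href unchanged');
console.log('hover showed :', result.hoverHref);
console.log('click sent to:', result.clickHref);
console.log('real target  :', unwrapUrl(result.clickHref));
```

In a real page the same comparison can be made from the DevTools console by reading `a.href` before and after a click with the default action prevented; the proxy hop itself shows up only as a request to the proxy origin, which is why the behaviour went unnoticed until that host failed to answer.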


Paul was talking about a different extension, but anyway...

The onclick event listener is the same thing Google does with the search results. Perform a search on Google and right-click a link, then you'll see the URL changes to a Google proxy server that collects data about your click for analytics purposes. The reason is so the whole process is more transparent and the users can see the actual URL they end up with when clicking the link. The intention was not to hide anything, but to keep things as unobtrusive as possible. I'm sorry if it felt any other way!


Seems like the quintessential dark pattern is to have a "feature" like this enabled by default. Further, I discovered that the feature would re-enable on a regular cadence - perhaps every time the extension was updated.


Google really REALLY needs to up their game. https://news.ycombinator.com/item?id=7046240

I don't feel safe using their services anymore.


Theory: Google decided to have relaxed rules to play catch up with Apple's App Store.

After hearing from other Android devs and what they were getting away with I decided to stick to Apple for a while.


This is a Chrome extension, not an App.


To be more specific, not an Android app. Chrome has web apps, but that's not the case here.


Story sharing time!

I run a local user group that educates developers on Google's technologies that while proudly independent from Google, has a great working relationship with their developer relations teams.

Back in March of 2012 (that's almost two years ago) I first brought to the attention of the Chrome developer relations team an extension called Bookmark Sentry that essentially contained a trojan that hijacks links to serve up spam ads. You can read more about it here: http://stopmalvertising.com/malvertisements/beware-of-the-go...

What I found troubling was the response back. I received an official response that it was within compliance of Chrome App Store policies. Specifically I was told:

"Ad injections are not in violation of the Chrome Web Store program policies. The policy requires that ads must be presented in the context of the extension or, when present within another page, ads must be outside the page's normal flow and clearly state which extension they are bundled with. We believe that ads are a legitimate way to monetize, but that they should be a known cost to the extension user."

I certainly hope since then they've changed their policy on this issue and are actively policing and enforcing against spyware and malware.

Chrome App extensions can access extremely sensitive data such as webforms with credit card, contact details, passwords and more and in the wrong hands can do untold damage.


I noticed this about a month back. I was browsing the web one Saturday morning and spotted an "Eco link" next to the search results. Most of them were big sites, like Amazon and eBay etc.

I immediately emailed one of our SEO guys with a snippet of the page and said, "we need to know how to do this in Google, it must be a new feature". I stupidly assumed it was a new feature Google had rolled out. When he replied that he can't see it I started googling the problem, most of the results pertained to Malware and I was shocked, I'm a very careful browser in general.

When I started digging around it was only then I started switching off my plugins 1 by 1 and the eco link went when I switched off the browser resizer, I was honestly shocked. I knew the developer wasn't supporting the plugin any more due to funding but I didn't think it would go in that direction, I expected it to just fade away.

No, I didn't read the updates on the product. I don't have time to read updates on products, especially plugins. After reading his comments on there, there is no remorse for his actions. He is nothing more than a simple malware spreader, he should apply for a job at SourceForge.


It just occurred to me: installing malware on an extension targeted towards developers - the kind of people who just might notice hijacked links - seems like the dumbest idea in the world. Leads me to wonder what sort of nastiness is hidden in those other extensions.


Here is a version from before the takedown: http://ge.tt/8PSuzxD1/v/0

(I zipped the '3rd-party' directory and removed references to those scripts in the manifest file. So it's there if you wanna inspect it, but ecolinks won't run. I don't have time to restructure the options page though :-)


I'm assuming you are the developer?

Now I see these pages I can see you were quite transparent about the eco links update. I still didn't see it though.

It's a shame it went in this direction as I used it all the time.


I would argue that if you installed any extension that requested full access to your data without understanding the implications, you're not as careful a browser as you believe you are.

This isn't to say what the developer did is in any way ok ( I don't think it is), nor is it my intent to insult you. Rather - it's to highlight a deeper problem with this kind of click-through security model that chrome web store, play store, et al are fostering.

If somebody who has a reasonable understanding of computers and works with them for a living still clicks though this kind of agreement, what hope has the other 99% of the connected-device-using population?


I guess you're right in a respect. I think I trusted this to be right though, I never imagined that you could change something so dramatically to the point where it isn't even the same product any more.

With Chrome having such a good level of sandbox and Google being proud of that I didn't think it would be so easy for someone to release an extension that basically acted as malware.

I do in general have really good browsing habits, I just need to re-evaluate who I trust.


I ran into this. I only found out because ecolink went down for a while. So when I clicked on google search results, it would error out while trying to redirect.

Valuable lesson learned. I never thought a chrome developer would be quite so stupid to pull something like this. Now I'll keep my eye on every extension.

And yes, you should never install Window Resizer, or anything else Ionut Botizan (the developer) releases again.


This is completely egregious. Deleting now.

I love that the developer's defense is that he could have sold our passwords to someone but (supposedly) didn't. That really instills confidence in his morals, doesn't it?


It's almost akin to "I stabbed you in the leg, but see, I could've stabbed you in the heart!".

Would avoid this developer 100% from now on, Chrome or otherwise.


My claim was not that I could have sold your passwords, it was that I could have sold the extension! Last time I checked, the extension itself was my property and I could sell it to whoever I want. What the buyer does with it shouldn't be any of my concerns. I was just pointing out that, if I would have sold it, the buyer might have been the kind of person that would do those terrible things.

Read more carefully next time, ok?!


When developing my first Chrome Extension, it didn't take me long until I got the thought of "keylogging might be possible".

So I tried it, and sure - I was even able to replace password logins in the DOM with fake ones.

Firefox extensions do the same thing really, so now I only use a few "safe" extensions.

I'm surprised that this hasn't gotten more attention.


At least Firefox extensions on Mozilla's add-ons site get more thoroughly reviewed on every update. The add-ons installed from outside of the add-ons site can be very dangerous, but Mozilla tries to block these too: List of blocked add-ons with reasons: https://addons.mozilla.org/en-US/firefox/blocked/


Now I have to wonder... What permissions do Firefox extensions have? How do I check or verify these things?


Firefox extensions have the same permissions as the browser itself.


I'm pretty judicious when trying extensions... but really only use a handful of them.


Is it correct to class this as malware? I get that the portmanteau is "malicious software" and hijacking your Google search results isn't the friendliest thing to do but I think this is closer to "adware" than "malware".

Although the author seems like a bit of a di- ...fficult person, maybe we should coin the term "dickware" to cover this sort of software.

EDIT: I missed the keylogging bit, thanks to everybody that pointed it out. Adware + Spyware = Malware.


It's inserting fake search results and running a keystroke monitor. To me this isn't even a close call; of course it's malware. I would also say that any developer who would do this simply can't be trusted; if he will do this, he might do just about anything else. He doesn't seem to have any regard for others.


It is not inserting fake search results nor is it logging any of your keys! Look at the source code at http://ionut-botizan.net/window-resizer

It is just proxying clicks on real results through Ecosia's servers instead of Google's.


A hell of a lot of Chrome extensions inject adverts and other tracking code into websites you visit, like Facebook and YouTube. Would you class those extensions as malware as well?


I would. Why wouldn't you?


I would, but that then means that the chrome web store is riddled with malware which isn't a nice thought and doesn't bode well for its future as something that is supposed to be more secure than traditional native platforms.


Considering that Google search result ads are riddled with malware* and Google AdSense ads are riddled with malware and that Google Play has numerous ongoing issues with Android malware, I don't think it's really surprising that the Google Chrome Extensions store is also riddled with malware.

* Which my mother confirmed JUST THIS WEEKEND by searching Google for Firefox and Spider Solitaire and clicking one of the Google ads up top for each to get the download and... 2 hours of cleaning later and removing 18 different malware apps. Then just deciding it was faster to restore it to a factory image.

* * Which I'm trying to block one by one using the pitiful tools that Google makes available to block individual adsense advertisers.


Something that was supposed to be secure is not. So you stop calling malware, malware?

Move on.


I was agreeing with him, perhaps I should have phrased it better.


He said it was capturing keystrokes... so most definitely malware. In fact, is this not "Spyware" ??


It also keylogs your key strokes in the browser. Sounds a bit like malware to me.


The term malware came about as an umbrella to cover viruses, trojans, worms, spyware, and adware. It made it much easier to explain to users what was going on, while still using words that make sense.


Hover Zoom had a similar problem recently, but still exists on the Chrome store. Up until a certain version, their data collection did nothing much (perhaps save non-existing domain hits).

Then they partnered with someone and started sending certain form data (!!) to a third party -- claiming they wanted to collect anonymous demographic information. It didn't help that the script injection on all pages (which I discovered when debugging with the web tools) used some shady domains with no web presence.

They claim they did not send e.g. any password data -- but they perfectly could have. I tried reporting the extension on the store as did many others, but that had no effect. The developer seems to have reverted that bit of the code -- for now.


Looks like it's time to find a replacement for Hover Zoom.


Someone should (and I just might) write an extension that updates a list of evil extensions and authors and warns the user when they have a bad extension or try to install a new extension on that list. Powered by a blocklist type of listing and community moderated.


Really what this boils down to, imho, is a need to educate users on the meaning of the permissions that are granted (with approval) to these extensions. Certainly the vast majority of users confirm the security permissions without comprehending the weight of access they've just provided the extension author.

With JavaScript, it's nearly impossible for Chrome to reasonably explain, with any level of granularity, what exactly an extension will do with its access - hence the "access your data on all websites" warning.

A proof of concept to demonstrate how you can take advantage of this access for nefarious reasons, even after getting approval into the Chrome Web Store, would be quite simple.

Long/short of it is: make sure you trust the author of any extension you install!


Wow, I had noticed the clickjacking of my Google result links (to ecolink) but had no idea who/what was doing it. Very glad this mystery is finally solved! Thanks for posting this.


What a dickhead.


Classic!

"There is no such thing as bad publicity" by Ionut Botizan

(Source: http://productforums.google.com/d/msg/chrome/mlAD1ygc0v0/1MP...)


Same with Read later fast: It rewrites all your URLs:

https://chrome.google.com/webstore/detail/read-later-fast/de...


I'm most concerned about the keylogging claims. Does anyone have a copy of the CRX so that we can determine if keystrokes were in fact being transmitted?


Holy crap, this really got out of hand!

NO! It wasn't logging anything! The only thing it was doing was proxying clicks on search results through Ecosia's analytics servers instead of Google's.

Anyone who still has the extension installed can view the source code by looking in their /%USER_FOLDER%/<PATH_TO_CHROME>/Extensions/kkelicaakdanhinjdeammmilcgefonfh The extension is also available at http://ionut-botizan.net/window-resizer/ both as a .zip and .crx file.


Seems as though he's aware of such a thing.

"No, that's bundled adware. If I wanted to give you malware, I would have added a keylogger which you wouldn't have ever discovered (ask around; it's technically possible). So stop whining already, uninstall the extension and move on with your life!" http://productforums.google.com/d/msg/chrome/mlAD1ygc0v0/FL6...

(Also, he's now posting on the linked thread. 7 minutes ago last reply.)


> I would have added a keylogger

seems to imply that he was not logging keystrokes, which conflicts directly with the first post in that thread:

> they are tracking all data and keystrokes. checked with wireshark.

It'd be nice to have a copy so that we can find out for ourselves.


It is passing the search string I submit via google to ecosia which I elaborated on a few posts after the initial one. It is logging all search traffic keywords and then serving related ads in a backdoor manner. It is not sitting on my desktop logging or anything like that. But it is breaching my privacy expectations with Google by logging my user submitted keystrokes and sending them to Ecosia for sure. What are they doing with that info?


I agree that logging search queries has severe privacy implications, but "tracking all data and keystrokes" is unnecessarily alarming. If this extension were tracking all data and keystrokes available to Chrome, the end user might spend the next week tracking down and securing online accounts, cancelling credit cards, informing clients of potential breaches of confidentiality, etc.


I looked at the source and it did not capture keystrokes for this purpose. His comments also indicate he did not add this behavior to the extension.


Unfortunately, the developer was such a douche about everything, I would find it difficult to trust him just based upon his behavior alone. Would I want my data in his hands? NOPE.


It looks like the developer still has a copy hosted on his own site:

http://ionut-botizan.net/window-resizer/


Here’s how you disable “EcoLinks” if you have this extension installed and enabled:

chrome-extension://kkelicaakdanhinjdeammmilcgefonfh/ecosia.html

Uncheck “Enable EcoLinks”.


Yeah, and then it re-enables itself hours later, according to countless commenters.


I've been having those bad URLs for a couple weeks now and thought Google was really off their game since many times the pages came up dead. Wow.


Note to the developer: Next time you make malware, also use it to remove all bad references to your extension from HN and newspapers...


I saw the ecosia redirects popping up in some instances but couldn't figure out where they were coming from.

The extension is now uninstalled.


Shame, because it's a good resizer. I happened to uninstall it back in November, but my co-worker is still (was) using it.


Monday started with a massive WTF ;)


Do we know where he was sending the keystrokes?

Was it logging all keystrokes in Chrome ever?


The extension hasn't existed on the Chrome app store for months. Why is this news on HN now? It wasn't malware either, it was ecolinks garbage for google search results that you could opt-out of.


I'm glad it hit the home page. Had this on one of my machines as of December (booted it up a few minutes ago and it was no longer installed). Luckily my usage of the machine was limited, but ... now I've got to change passwords for the few sites I did visit.

Does anyone know if the Chrome Remote Desktop extension would have been impacted by the keylogging?


It is adware, not malware!

The original post on productforums.google.com is complete BS and the extension was NOT suspended because of that, but because it failed to make it clear, in the context of the ads, which extension enabled the EcoLinks. This is not the first, nor last, piece of software that uses ads in order to support its development.

Also, the extension never logged anything from the users. All the "keylogger" stuff is just rumors started by people who are either incapable of reading a sentence from start to end or are knowingly lying about it.

It didn't alter the search results either. Those were exactly what Google returned for your search, nothing more, nothing less.

There was no malicious intent whatsoever. The whole purpose was to support further development of the extension through some form of advertising which you could disable at any point. The disable option was not even hidden among the other options; it had a dedicated page with a link in the main menu that only consisted of a checkbox - it was that simple and obvious.

Another false rumor is that the setting would enable itself automatically. No, it didn't! The only way that it would re-enable itself was to remove the extension and then install it right back. On uninstall all settings are lost and it falls back to the defaults.

The source code is plain HTML & JavaScript and it has always been available for anyone to review. Anyone could download the .CRX file and unzip it (it's just a special ZIP file) or take a look in the /%USER_FOLDER%/<PATH_TO_CHROME>/Extensions/kkelicaakdanhinjdeammmilcgefonfh folder (this varies based on your operating system) where the installed extension is. The source code has also been available at http://ionut-botizan.net

If you don't know JavaScript, you don't have to take my word for it; there is this prominent person in the web industry that, although he does not endorse this extension, has reviewed the code and confirmed there was no keylogger there: https://news.ycombinator.com/item?id=7048156#up_7056031

Another false accusation is that I bragged about how "I could sell your personal data and it wouldn't matter to me".

What I actually said is that "I could sell MY EXTENSION (as in transfer all rights and ownership to someone else) and it shouldn't matter to me (from a legal standpoint) what the buyer would do with it, be it collecting your private data or whatever". That claim was made just to point out that in fact I do care about the users' privacy and I chose not to sell the extension, even though I received plenty of offers. Some people asked "how could I even think of that"? Well, the extension is my property and receiving all those offers put me in the position where I had to think about it, whether I liked it or not.

In conclusion, yes, I admit the opt-out pattern is not the friendliest one and the whole thing could have been handled in some other way, but the reality is far from all these claims that I sneakily added malware to the extension, logged your keys and private data and sold all that to third parties or whatever.

The reality is I took your Google search results and converted them to sponsored links, plain and simple. All data that was transmitted when you clicked a search result was about the same that is sent whenever you click on any other ad or banner, which cannot, in any circumstances, be used to identify you personally.

I am the developer and this is my answer; no excuses, just stating the facts. Learn what you want from it.
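
The developer's point above is that a .CRX is just a ZIP archive with a header in front, so anyone can pull out the manifest and see what the extension is allowed to do. As an added illustration (not code from this thread, the extension, or its author), here is a small Python script that strips the CRX2/CRX3 container header, reads manifest.json, and lists the permissions and content-script match patterns a reviewer would check first. The sample manifest, the "example-resizer" name and the placeholder key/signature/header bytes are constructed for the demo; on a real file you would pass the downloaded .CRX bytes to manifest_from_crx.

```python
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"

SAMPLE_MANIFEST = {  # constructed sample; not the real extension's manifest
    "name": "example-resizer",
    "manifest_version": 2,
    "permissions": ["tabs", "storage"],
    "content_scripts": [{"matches": ["*://www.google.com/*"], "js": ["content.js"]}],
}

def crx_zip_offset(data: bytes) -> int:
    # A CRX is a ZIP archive with a signed header in front; return where the ZIP starts.
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (missing Cr24 magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:  # magic, version, pubkey len, sig len, pubkey, sig, ZIP
        pubkey_len, sig_len = struct.unpack_from("<II", data, 8)
        return 16 + pubkey_len + sig_len
    if version == 3:  # magic, version, header len, protobuf header, ZIP
        return 12 + struct.unpack_from("<I", data, 8)[0]
    raise ValueError(f"unsupported CRX version {version}")

def manifest_from_crx(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data[crx_zip_offset(data):])) as zf:
        return json.loads(zf.read("manifest.json"))

def review_manifest(manifest: dict) -> dict:
    # What a reviewer checks first: requested permissions and which pages scripts are injected into.
    scripts = manifest.get("content_scripts", [])
    return {
        "name": manifest.get("name"),
        "permissions": sorted(manifest.get("permissions", [])),
        "injected_into": sorted(m for cs in scripts for m in cs.get("matches", [])),
    }

def build_sample_crx(manifest: dict, version: int = 3) -> bytes:
    # Wrap a manifest in a minimal CRX container; key, signature and header bytes are placeholders.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    zip_bytes = buf.getvalue()
    if version == 3:
        header = b"\x00" * 8
        return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + zip_bytes
    pubkey, sig = b"\x01" * 4, b"\x02" * 4
    return CRX_MAGIC + struct.pack("<III", 2, len(pubkey), len(sig)) + pubkey + sig + zip_bytes
```

Once the ZIP is located, the same archive handle can be used to dump the JavaScript files themselves and confirm what the content scripts actually do on the matched pages.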


> All the "keylogger" stuff is just rumors started by people who are either incapable of reading a sentence from start to end or are knowingly lying about it

I went ahead and looked at the code after downloading the zipped extension you linked to, and I effectively cannot see anything re. key logger. Where was that first reported? I would like to ask the original reporter on what piece of code he based his conclusion that there was a key logger in there.

Edit: Never mind, I see this apparently comes from original poster on google groups, so I asked him exactly how he came to this conclusion.


Ok, that guy just explained what he meant by keylogging. Leaving aside the fact that he's wrong about how it all works (the results are provided by Google; nothing about the search was changed by the extension) and he never ever looked at the source code and what it is doing (probably because he's too dumb to understand any of it), what he means by keylogging is adding the search terms to the URL query string when clicking on a link. (Ex: www.ecosia.org/url?url=http%3A%2F%2Fmicrosoftstore.com&v=microsoft store <- this italic text right here is the result of the keylogger in his opinion)

https://productforums.google.com/forum/#!msg/chrome/mlAD1ygc...

So, this is what caused all this shit storm...


Haha that's so funny. The developer has gotten involved in the discussion and he is seriously defending himself. What is wrong with him lol.
