[HN Gopher] Many temptations of an open-source Chrome extension ...
___________________________________________________________________
Many temptations of an open-source Chrome extension developer
Author : tech234a
Score : 138 points
Date : 2021-05-29 20:06 UTC (2 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| tech234a wrote:
| I found this list from a recent comment by extesy on another HN
| thread: https://news.ycombinator.com/item?id=27326974.
|
| A similar list was also posted by another extension developer a
| few months ago: https://news.ycombinator.com/item?id=25884338.
| extesy wrote:
| Thanks for posting this. I actually submitted the link myself a
| few months ago, but the HN ranking algorithm didn't pick it up
| back then: https://news.ycombinator.com/item?id=25907905
| blendergeek wrote:
| It seems there is a major conflict between the following two
| goals:
|
| 1. Allow app (or extension) developer to push new updates to the
| users without the consent of the users.
|
| 2. Not allow the app (or extension) developer to push
| malicious/dangerous updates.
|
| I would prefer a system where all extensions that are installable
| by default without jumping through hoops are hand-reviewed by the
| same people who package my browser for me.
|
| I generally oppose automatic updates and granting app/extension
| developers the ability to push code to my computer without my
| consent. I support a walled garden controlled by benevolent
| package maintainers.
|
| This is where I think the traditional Linux package maintainer
| shines, protecting the user from malicious software. If a
| package maintainer (generally independent from the developer)
| packages software for a Linux distro, the package maintainer can
| drop harmful updates. If instead we give the developers free
| rein to push updates without user consent, the developers can
| and will sell out to the highest bidder.
| ro_bit wrote:
| "The data we're interested in are basically just DNS errors:
|
| NXD - Non Existent Domain - the domain that a user entered that
| resulted in a DNS error. [...]"
|
| What's the catch here? Are they making the extension query
| invalid names like userspersonallyidentifiableinformation.com to
| exfiltrate data from NXDOMAINs?
| axiosgunnar wrote:
| Perhaps they want to snatch up the domain names people are
| trying out and then sell them to them with a margin?
| uo21tp5hoyg wrote:
| If it's malicious it could be to buy up commonly typo'd domain
| names
| lovasoa wrote:
| Maybe they just want to buy these domains. I imagine that
| available domains people query a lot can be resold for a lot of
| money. Or they are into typosquatting.
| blincoln wrote:
| A few possibilities I can think of:
|
| - Trying to figure out commonly-mistyped domain names in order
| to buy them for ad placement.
|
| - Trying to obtain confidential information that's accidentally
| pasted into the address bar.
|
| - Trying to obtain internal domain names that someone tries to
| access while disconnected from a VPN or just physically outside
| the office.
|
| - (If the extension could catch all non-existent domain errors,
| not just ones from typing in the address bar) attempting to
| find abandoned domains that are still referenced by JavaScript
| and whatnot in order to buy them. This could potentially be
| used to inject content (probably ads) into the systems that
| still reference those domains.
|
| - Legitimate research into how users mistype domain names,
| maybe to figure out how to think of names that are less likely
| to be mistyped.
|
| I don't know offhand if modern browsers also do DNS lookups as
| the user is typing characters into the address bar, or just do
| Google/Bing/whatever queries as the user is typing. I know they
| do the latter (i.e. typing 'news.ycombinator.com' into the
| address bar will send queries for 'n', 'ne', 'new', 'news', and
| so on to the search engine), but I don't know if they're also
| still doing DNS lookups at each step as well. If they are, and
| the extension could capture all of those, then that could be an
| interesting way to collect users' search queries.
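A check a defender could run for the question ro_bit raises and the possibilities blincoln lists, as an added example that is not from the thread, from Hover Zoom or from any commenter: a pass over resolver logs that separates ordinary NXDOMAIN typos and off-VPN internal-name lookups from the pattern DNS-based exfiltration leaves behind, many distinct subdomains under one parent whose leftmost labels are long and high-entropy. The log format, the client addresses, the `dns-stats.example` and `corp.example` names and the thresholds are all constructed for this example.

```javascript
// Added example for this thread (not code from Hover Zoom or from any
// commenter): a detection pass over resolver logs for NXDOMAIN names
// that look like encoded data rather than typos. The log format,
// client addresses and every line in SAMPLE_LOG are constructed.
const SAMPLE_LOG = [
  // 10.0.0.5: ordinary typos, one NXDOMAIN each under unrelated parents
  "2021-05-29T20:01:00Z client=10.0.0.5 q=facebool.com rcode=NXDOMAIN",
  "2021-05-29T20:01:03Z client=10.0.0.5 q=news.ycombinator.com rcode=NOERROR",
  "2021-05-29T20:01:09Z client=10.0.0.5 q=gogle.com rcode=NXDOMAIN",
  // 10.0.0.12: internal names looked up while off the VPN (short labels)
  "2021-05-29T20:02:00Z client=10.0.0.12 q=wiki.corp.example rcode=NXDOMAIN",
  "2021-05-29T20:02:01Z client=10.0.0.12 q=git.corp.example rcode=NXDOMAIN",
  "2021-05-29T20:02:02Z client=10.0.0.12 q=intranet.corp.example rcode=NXDOMAIN",
  // 10.0.0.9: many unique, long, high-entropy labels under one parent
  "2021-05-29T20:03:00Z client=10.0.0.9 q=7a3f19c4e8b05d216f9a4c7e03b8d52f61ae9c0437fd8b2e.dns-stats.example rcode=NXDOMAIN",
  "2021-05-29T20:03:01Z client=10.0.0.9 q=b19e3c7f5a0d28e64c91f73a0e5bd8264f1c9a37e085d2b6.dns-stats.example rcode=NXDOMAIN",
  "2021-05-29T20:03:02Z client=10.0.0.9 q=3e8a1d9c6f04b27e51ad0c86f29b4e73d1a50f8c6b2e9d47.dns-stats.example rcode=NXDOMAIN",
  "this line is malformed and is skipped by the parser",
];

const LINE_RE = /^(\S+) client=(\S+) q=(\S+) rcode=(\S+)$/;

// One log line -> { ts, client, qname, rcode }, or null if it does not parse.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const qname = m[3].toLowerCase().replace(/\.$/, "");
  return { ts: m[1], client: m[2], qname, rcode: m[4] };
}

// Shannon entropy in bits per character (0 for a constant string,
// up to 4 for uniformly distributed hex).
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Crude "registered domain": the last two labels. Good enough for the
// grouping here; a public-suffix list would be used in production.
function parentDomain(qname) {
  const labels = qname.split(".");
  return labels.length >= 2 ? labels.slice(-2).join(".") : qname;
}

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;

// Group NXDOMAIN queries by (client, parent domain). Exfiltration shows
// up as many distinct subdomains under one parent whose leftmost labels
// are long and high-entropy; typos and off-VPN lookups do not.
function findDnsExfilCandidates(lines, opts = {}) {
  const { minUnique = 3, minLabelLen = 20, minEntropy = 3.0 } = opts;
  const groups = new Map(); // "client|parent" -> Set of qnames
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.rcode !== "NXDOMAIN") continue;
    const key = `${rec.client}|${parentDomain(rec.qname)}`;
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(rec.qname);
  }
  const findings = [];
  for (const [key, names] of groups) {
    if (names.size < minUnique) continue;
    const firstLabels = [...names].map((n) => n.split(".")[0]);
    const meanLabelLen = mean(firstLabels.map((l) => l.length));
    const meanEntropy = mean(firstLabels.map(shannonEntropy));
    if (meanLabelLen < minLabelLen || meanEntropy < minEntropy) continue;
    const [client, parent] = key.split("|");
    findings.push({ client, parent, uniqueNames: names.size, meanLabelLen, meanEntropy });
  }
  return findings;
}

console.log(JSON.stringify(findDnsExfilCandidates(SAMPLE_LOG), null, 2));
```

The thresholds are heuristics, not a verdict: some security products and CDNs legitimately generate many unique hostnames, so a real deployment allowlists known parents and tunes `minUnique` and `minLabelLen` against its own baseline. Note that the check only catches the fan-out pattern; a single long dictionary word typed into the address bar, like the `userspersonallyidentifiableinformation.com` example above, is one name under one parent and is not flagged.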
| jrochkind1 wrote:
| would love to see some communication from Google on this
| phenomenon...
| geofft wrote:
| What would they say about it?
|
| The most obvious things Google can do are to either limit the
| power of extensions and deprecate abusable APIs or to be much
| more stringent about human review of extensions, both of which
| they're doing and are justifiably unpopular.
|
| In theory they could come up with some sort of "Any cooperation
| with third parties who pay you to add stuff to your extension
| gets your extension banned" rule, but it seems hard to write
| that rule in a way that distinguishes it from legitimate
| commercial activity.
| jrochkind1 wrote:
| That they are aware of the growing problem and here's what
| they plan to do about it. I don't know what that would be.
|
| > "Any cooperation with third parties who pay you to add
| stuff to your extension gets your extension banned" rule, but
| it seems hard to write that rule in a way that distinguishes
| it from legitimate commercial activity.
|
| Requiring _disclosure_ would make sense and not be a problem
| for "legitimate commercial activity", but also not sure how
| it would be enforced. I'm certainly no expert.
| Buttons840 wrote:
| You could make it so the ability to access the network is a
| permission you have to grant to extensions. Got a shady
| extension that can't access the internet? Who cares.
|
| Same thing would work very well on Android. Got a shady app
| that can't access the internet? Who cares. Of course, Google
| trembles at the idea of being able to run apps without a
| constant connection to an advertising network.
| dave5104 wrote:
| Isn't the point here, though, that the shady people reach
| out to try and buy control of non-shady extensions? How
| would you know whether or not your previously non-shady
| extension is now shady?
| TazeTSchnitzel wrote:
| That would be a misleading permission if the extension has
| full DOM access because it could be easily circumvented.
| Dylan16807 wrote:
| > The most obvious things Google can do are to either limit
| the power of extensions and deprecate abusable APIs or to be
| much more stringent about human review of extensions, both of
| which they're doing and are justifiably unpopular.
|
| I don't know about that. They seem to have overly stringent
| _non_-human review, which is what I usually see complaints
| about.
| darkhorse22 wrote:
| > 100k users ~10 000 $, and so on.
|
| khakhakha...
| bobm_kite9 wrote:
| This really implies that the whole idea of chrome extensions is
| broken: a mix of attempted malware and adware.
|
| It seems like they should be more carefully sandboxed in some
| way.
|
| Are there any proposals for fixing this?
| tomComb wrote:
| All new extensions are manually vetted now, and there is
| manifest v3, but there has been a lot of concern about the
| effect of this on adblockers so progress has been slow.
| geofft wrote:
| Most of the work that the Chrome folks have been doing on web
| extensions recently has specifically been to make finer-grained
| APIs to do the sorts of things extensions do without giving
| them full access to edit pages etc.
|
| For instance, see the new "Declarative Net Request" API, which
| allows you to specify certain transformations on requests in
| JSON, like blocking them if they match a regex, without knowing
| what the request is: https://blog.chromium.org/2019/06/web-
| request-and-declarativ...
|
| In theory, this allows you to implement things like ad blockers
| without having high levels of access to the user's browsing
| behavior. In practice, it's very hard to make these APIs
| complete enough.
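The Declarative Net Request rules geofft describes, as an added example that is not part of the thread, of the linked Chromium post or of Chrome's own code: a Manifest V3 manifest fragment and ruleset, plus a small stand-in matcher written here so the rules can be exercised offline (Chrome's real matcher is not this code; the `tracker.example` domain, the rule contents and the sample requests are constructed). The point it shows is that the extension ships static rules and gets no per-request callback, so it blocks by pattern without ever seeing the request.

```javascript
// Added example (not from the thread or the Chromium post it links):
// a Manifest V3 declarativeNetRequest ruleset, with a small local
// stand-in for Chrome's rule matcher so the rules can be exercised
// offline. "tracker.example" and the rule contents are constructed.

// manifest.json fragment. Block/allow rules need only the
// declarativeNetRequest permission; redirect and header-modifying
// rules additionally need host permissions. The extension receives
// no callback per request, so it never sees the URL.
const MANIFEST_FRAGMENT = {
  manifest_version: 3,
  permissions: ["declarativeNetRequest"],
  declarative_net_request: {
    rule_resources: [{ id: "ruleset_1", enabled: true, path: "rules.json" }],
  },
};

// rules.json contents. regexFilter is matched against the full URL
// (RE2 syntax in Chrome; the subset used here is also valid JS).
const RULES = [
  {
    id: 1,
    priority: 1,
    action: { type: "block" },
    condition: {
      regexFilter: "^https?://([^/]*\\.)?tracker\\.example/",
      resourceTypes: ["script", "image", "xmlhttprequest"],
    },
  },
  {
    // Higher-priority carve-out: let the opt-out call through.
    id: 2,
    priority: 2,
    action: { type: "allow" },
    condition: {
      regexFilter: "^https://tracker\\.example/opt-out",
      resourceTypes: ["xmlhttprequest"],
    },
  },
];

// Simplified stand-in for Chrome's evaluation: the highest-priority
// matching rule wins; at equal priority an allow rule beats a block
// rule. Returns the winning rule or null when nothing matches.
function matchRule(rules, request) {
  let best = null;
  for (const rule of rules) {
    const cond = rule.condition;
    if (cond.resourceTypes && !cond.resourceTypes.includes(request.type)) continue;
    if (cond.regexFilter && !new RegExp(cond.regexFilter).test(request.url)) continue;
    const winsOnTie = best && rule.priority === best.priority &&
      rule.action.type === "allow" && best.action.type !== "allow";
    if (!best || rule.priority > best.priority || winsOnTie) best = rule;
  }
  return best;
}

function isBlocked(rules, request) {
  const rule = matchRule(rules, request);
  return rule !== null && rule.action.type === "block";
}

// Constructed requests, shaped as the browser would classify them.
const SAMPLE_REQUESTS = [
  { url: "https://cdn.tracker.example/beacon.js", type: "script" },
  { url: "https://tracker.example/opt-out", type: "xmlhttprequest" },
  { url: "https://tracker.example/", type: "main_frame" },
  { url: "https://news.ycombinator.com/hn.js", type: "script" },
];

for (const req of SAMPLE_REQUESTS) {
  console.log(isBlocked(RULES, req) ? "BLOCK" : "PASS ", req.type, req.url);
}
```

The trade-off geofft mentions is visible in the shape of the rules: everything the extension can do is declared up front as data, so a filter list that needs to inspect response bodies, keep state across requests or react to page content has no place to put that logic.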
| Orochikaku wrote:
| Perhaps someone could help me understand what the attack vector
| of the group supposedly conducting "DNS error research" is.
| 70jS8h5L wrote:
| No idea, but I wonder if squatting on the most popular misspelt
| domains, to serve malware/whatever?
|
| e.g. facebool.com or similar, presumably there's an interesting
| distribution of similar misspellings.
| darren_ wrote:
| Just a guess but maybe they want to detect domains people are
| looking up that don't exist so they can squat them.
| endisneigh wrote:
| At the very least Google should detect "significant" changes in
| ownership and or the underlying account for extensions that have
| "important" permissions.
|
| With this you could implement something where once changes are
| detected, users have to manually opt-in. Users who care about
| such things could look at the changes and see that sketchy
| changes have been made.
| xingyzt wrote:
| Reposting my experience from
| https://news.ycombinator.com/item?id=27326268:
|
| As a dev of an extension with 10k users I get 3-4 emails a month
| in my spam which ask me to monetize my extension by secretly
| changing its users' search engines. My extension is open-source
| and quite small, but if the change was sneaked in I think most of
| the users would not notice. I stick to using userscripts for the
| most part since you can easily check their downloaded source and
| disable updates.
|
| Example:
|
| Beth Anderson <beth@monetize-extensions.com>  Mon 10:58 AM
| To: Mostly Spam <dev@x-ing.space>
|
| Hello
|
| I am Beth and I am offering monetization for browser extensions,
| with everything that is going on our team was extremely focused
| and productive in creating a way to earn revenue on extensions.
|
| We offer to change default search to Bing or Yahoo on your
| extension which can earn up to $800 a month per 5000 users. This
| is a premium product by invitation only and can easily be added
| to your chrome extensions.
|
| You might be curious to know whether it is allowed. And I must say
| that this is completely allowed! Please reply to this email to
| discuss this further!
|
| Looking forward to hearing from you!
|
| Beth Anderson
|
| Business Development Manager
| birktj wrote:
| There must be something more that they want as well? Seems very
| strange that Microsoft and Yahoo would be interested in paying
| big bucks to lure people to their search engines through some
| dodgy extensions?
| xingyzt wrote:
| Yeah, when I first shared it in a developer discord server I
| joked that Microsoft was operating a black market Bing-
| conversion program. Seems too shady even for Microsoft
| though. I guess they want me to inject ads/trackers into the
| results, but I don't see how it's easier with these search
| engines?
| pestaa wrote:
| I think it is just to illustrate the scope of the change, not
| that their customers are either of those two.
| danenania wrote:
| This is yet another reason why it isn't great, in general, to
| work with sensitive data in web browsers. If you have any
| extensions installed with broad permissions (most of them, let's
| be honest), and you're doing production-level devops work in the
| browser, you are putting your company at risk.
|
| People love to hate on Electron for its resource usage, and I get
| that, but it does give you many of the benefits of a browser
| without the severe security drawbacks.
| FabHK wrote:
| Wow. So many shady offers that you could use them as training
| data for a shady-offer generator.
| 1986 wrote:
| Anecdata: I develop an open source Chrome extension that's fairly
| niche but has about 80k active users, and I still get emails like
| this a couple of times a year. They tend largely to be offers for
| outright buying the extension (and thus install base, presumably
| to augment with ad- or malware); it's interesting to see how
| these kinds of offers to a more generally popular extension
| differ a bit (seemingly more asks to collect & sell user data
| rather than just taking over ownership).
|
| Another thing I'd note for context is that Hover Zoom probably
| has a pretty broad hosts permission in order to allow it to
| operate on many types of sites (my extension, which is a web
| analytics DevTools extension, also needs an all hosts permission
| [to my chagrin, as it often makes the Chrome Web Store review
| process more difficult] ) which I would imagine makes it a more
| appealing target.
| uh_uh wrote:
| How much do they offer you, if I'm not too blunt?
| 1986 wrote:
| Some samples from the last ~year:
|
| - "expected $800/mo" for an affiliate ID injector
|
| - "up to $50 per 1000 daily actives" for search engine
| override
|
| The purchase requests largely take the form of "if you're
| interested in selling, please respond" and I don't really
| feel like opening that dialogue, so can't answer that part.
___________________________________________________________________
(page generated 2021-05-29 23:00 UTC)