by jkl5xx 69 days ago
Noticed a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa in the chrome inspector today.

Turns out about a month ago, the popular open source [JSON Formatter chrome extension](https://chromewebstore.google.com/detail/json-formatter/bcji...) went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.

I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.

At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.

6 comments

It's OK to inject ads, but not OK to remove them, under Google's current policies.
Several of the top Chrome extensions on their charts are ad blockers: https://chromewebstore.google.com/top-charts/popular?hl=en

They have an API basically dedicated to this: https://developer.chrome.com/docs/extensions/reference/api/d...

I think you may have been confused about the Manifest V3 API changes, which were controversial because they didn't support every feature of the old API. The mainstream ad blockers all wrote new versions for Manifest V3.

It is widely known that Manifest V3 reduces extensions' ability to perform SoTA ad blocking. It limits heuristic-based filtering, under a guise of privacy.
It was more of a security related change. MV3 overall objectively is far better for browser security than MV2. MV2 was essentially giving extensions a full on free RCE pathway. MV3 is what it should’ve been from the start imo.
MV3 still allows you to run content scripts, which can inject any javascript into any webpage. From there, you can do anything you want. You can steal passwords, tokens, show popups, redirect, ... etc. Preventing extensions from dynamically modifying network requests doesn't change that.
Well no, actually. Both halves of that statement are false.

Injecting ads will get you removed from the extension store if caught, while adblockers are advertised on the front page of the store.

Google's "Manifest 3" rules, vs. ad blocking, in Ars Technica.[1]

Did the JSON formatter with ads get kicked out of the extension store yet?

[1] https://arstechnica.com/gadgets/2024/08/chromes-manifest-v3-...

Manifest 3 explicitly enables ad blocking through the declarativeNetRequest API. It's trivial to do so, and many blockers exist in the Chrome Web Store.
ublock origin light is featured in the chrome web store.
But it isn't as featureful!
Everybody freaked out about Manifest v3, but I'm running Chrome + uBlock and still not seeing any ads. Seems like a nothingburger to me.
Water is merely 49C, said the frog. It's not even 100C. I'll stay.

Google really is slow boiling Internet until everyone forgets you can have stuff without ads.

> I feel like browser extension marketplaces are a failed experiment.

People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.

The degree to which they are successful at that and add enough value to overcome the downsides is an open question. But it's clear that in a world where everyone is running hundreds of pieces of software that have auto-update functionality built in and unfettered access to CPU power and the Internet, uncontrolled app stores are a honeypot for malicious actors.

This also ignores that mobile phones are now being used as an effective botnet. Just gotta get some poor devs to include your SDK and off you go.

AI companies make use of these botnets quite a bit as well. Why don't we hear more about it? Because it is really really really hard to inspect what is actually happening on your phone. This post actually kinda disproves that the closed rent-seeking model is better in any way.

> People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.

But browser extension marketplaces aren't a free-for-all; they're exactly like the platform app stores in all the bad ways.

> that have auto-update functionality built in

The vendors are the ones who built it in!

Whatever value they provide is completely and totally irrelevant compared to giving Microsoft, Google, and Apple the unilateral discretion to end any software developer's career, or any software development business, by locking them out of deploying software with no recourse. Nobody has a problem with optional value-add stores, but all three have or are moving towards having complete control of software distribution on the hardware platforms used by billions of people.
Agreed with that. My main use of AI is just writing ultra-minimal apps that are specifically tailored to my needs, instead of using a larger app (or plugin or whatever) that is controlled by a third party and is usually much more than I need, doesn't exactly fit my needs, and requires ad hoc configuration.

I'm wondering when/if this is going to bite me in the butt

Thanks for posting this. I think it's such a shitty thing to do. I don't have much of a problem if an original author wanted to do a closed fork of an open source project, but to start injecting ads, without warning, to folks who have already installed your generic JSON formatter and phrase it as "I'm moving to a closed-source, commercial model in order to build a more comprehensive API-browsing tool with premium features." - seriously, f' off.

I agree that browser extension marketplaces are a failed experiment at this point. I used to run security at a fin services company, and our primary app had very strict Content Security Policy rules. We would get tons of notifications to our report-uri endpoint all the time from folks who had installed extensions that were doing lots of nefarious things.

We could use LLMs to scan source code and list all of the behavior not listed on the extension's page, like adware and geolocation tracking for example. Then another LLM locally to disable it and warn you with a message explaining the situation.
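An added example (not from the thread) of triaging the report-uri traffic the fin-services comment above describes: it parses constructed CSP violation reports and flags those whose blocked-uri is a browser-extension origin, so extension-injected scripts on a checkout page stand out from ordinary third-party violations. The policy string, the /csp-report endpoint path and the sample extension id are assumptions.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Strict policy of the kind the commenter describes: same-origin scripts/styles
# only, every violation POSTed to the site's own report endpoint (path assumed).
STRICT_CSP = ("default-src 'self'; script-src 'self'; style-src 'self'; "
              "object-src 'none'; base-uri 'self'; report-uri /csp-report")
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-web-extension"}

def _report(page, directive, blocked):
    """Build a constructed report in the legacy csp-report envelope."""
    return json.dumps({"csp-report": {"document-uri": page,
                                      "effective-directive": directive,
                                      "blocked-uri": blocked}})

# Constructed samples, not real traffic. Chromium usually reports just the scheme
# ("chrome-extension") for extension resources; the full-origin form also occurs.
SAMPLE_REPORTS = [
    _report("https://app.example.test/checkout", "script-src", "chrome-extension"),
    _report("https://app.example.test/checkout", "style-src",
            "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh/inject.css"),
    _report("https://app.example.test/", "script-src", "https://cdn.example.test/lib.js"),
    _report("https://app.example.test/", "script-src", "inline"),
]

def classify_report(raw: str) -> dict:
    """Parse one report and tag whether the blocked resource came from an extension."""
    body = json.loads(raw)["csp-report"]
    blocked = body.get("blocked-uri", "")
    parts = urlsplit(blocked)
    scheme = parts.scheme or blocked  # bare "chrome-extension" has no "://"
    from_ext = scheme in EXTENSION_SCHEMES
    return {
        "page": body.get("document-uri"),
        "directive": body.get("effective-directive") or body.get("violated-directive"),
        "from_extension": from_ext,
        "extension_id": parts.netloc if from_ext and parts.netloc else None,
    }

def summarize(raw_reports) -> dict:
    """Count extension-caused violations per page and per extension id."""
    by_page, by_id, total = Counter(), Counter(), 0
    for r in map(classify_report, raw_reports):
        if r["from_extension"]:
            total += 1
            by_page[r["page"]] += 1
            if r["extension_id"]:
                by_id[r["extension_id"]] += 1
    return {"extension_violations": total, "by_page": dict(by_page), "by_extension_id": dict(by_id)}
```

Reports with blocked-uri "inline" or a plain https origin are ordinary policy hits and are left out of the extension tally.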
> went closed source and started injecting adware into checkout pages ... [and] geolocation tracking.

Maybe we should resort to publicly blaming and shaming this sort of action. DDoS their servers, fill their inbox with spam, review-bomb anything they do. Public court justice a la 4chan trolling. Selling out is a lawful decision, of course, but there is no reason it shouldn't come with a price tag of becoming publicly hated. In fact, it might help people who are on the verge to stay on the ethical side of things (very ironically).

I'm just kinda joking (but wouldn't hate it if I was rugpulled and the person that did it got such treatment)

Calm down; just spreading the word that the extension is adware and having everyone uninstall it is sufficient to demonstrate that this move was a mistake. Trying to ruin someone's life is going completely overboard. Repercussions should be proportionate; you don't shoot people for stealing a candy bar.
Agreed. Times are tough. Open source is under-appreciated. People are going to crack and slip up like this. We’re only human.
How did you "notice" a suspicious element in the inspector? Do you routinely look at the DOM?
I did webdev for a long time, so yeah. If you want the story, I was looking into guix on asahi and ended up on https://www.asahi-guix.org/ which didn’t load anything, so I checked the page source and noticed the element.
Thanks. Not sure what's with the downvotes. That was a genuine question.

(I used to do a lot of web development and probably know dev tools better than most people here. However I almost never look at the DOM of a webpage I don't own)

I frequently look at the DOM of webpages, so that I can bend them to my will.

There are always some things about practically all websites that are frustrating. I fix that with custom CSS and/or Javascript that runs when I load specific sites that I use frequently. I can turn a cluttered site into a streamlined site for my needs. I also block a lot of ads, popups and other annoyances this way.

Oh there's another. The web is so miserable nowadays, I waste so much time on this. You don't happen to open source your stuff do you?
Text doesn't transmit tone well. FWIW I interpreted your comment as having somewhat accusatory intent, especially the scare-quoted "notice", for implying the author didn't just happen along his discovery and that he wasn't being fully truthful in his explanation of how he discovered this info.
> Do you routinely look at the DOM?

You don't?

> Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.

https://news.ycombinator.com/newsguidelines.html

Reading other comments, I noticed that this was a legitimate question.

Are you saying that [You don't?] is cross-examining/swipe, but [How did you "notice"] isn't?

I wouldn't highly object to either but if I had to pick one I'd definitely clear the former.

I do. Then again, I’m a web developer so looking at the DOM is my day job.
I just imagined that this was an exclusive statement.

"What do you do all day?"

"Looking at the DOM. Currently there are too many divs, but the situation seems fine."

I was sure you're going to take it in the direction of the relevant xkcd [0], so was taken aback that you didn't end it with something like "but today the pattern of divs is all wrong".

[0] https://xkcd.com/722/

The extension injects its "gimme money" elements even on localhost pages.