Slashdot Mirror


Popular Chrome Extension Sold To New Dev Who Immediately Turns It Into Adware (bleepingcomputer.com)

An anonymous reader writes: A company is going around buying abandoned Chrome extensions from their original developers and converting these add-ons into adware. The latest case is the Particle for YouTube Chrome extension, a simple tool that allows users to change the UI and behavior of some of YouTube's standard features. Because Google was planning major changes to YouTube's UI, the extension's original author decided to retire it and create a new one. This is when a mysterious company approached the original author and offered to buy the extension from him for a price of his choosing. The original dev says he gave them a high price, but the company agreed to pay right away, but only after the dev signed a non-disclosure agreement preventing him from talking about the company or the transaction. Soon after the sale, the company issued an update that included code for injecting rogue ads on websites such as Google, Yahoo, Bing, Amazon, eBay, and Booking.com. Users also found other Chrome extensions that were also bought by the same company and had also been turned into adware, such as "Typewriter Sounds" and "Twitch Mini Player." According to some other Chrome extension devs, there are many companies willing to pay large sums of money for taking over legitimate Chrome extensions.
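
An update that starts injecting content on sites the extension never touched before needs host access to those sites, and that access is declared in the extension's manifest.json. As an added example (not code from the article or from the extension; the function names are hypothetical and both manifests are constructed samples), this compares the manifest before and after an update and reports what was added:

```javascript
// Added example. Function names are hypothetical; manifests are constructed samples.

// A host match pattern is the <all_urls> keyword or contains a scheme separator.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Patterns that cover every site under a scheme.
const isBroad = (p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);

// Collect API permissions and every host pattern the manifest can reach,
// whether requested directly or through content_scripts[].matches.
function surface(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const hosts = new Set(perms.filter(isHostPattern));
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.add(m);
  }
  return { apis: new Set(perms.filter((p) => !isHostPattern(p))), hosts };
}

// Report what the new version can reach that the old one could not.
function diffManifests(oldM, newM) {
  const before = surface(oldM);
  const after = surface(newM);
  const addedApis = [...after.apis].filter((p) => !before.apis.has(p)).sort();
  const addedHosts = [...after.hosts].filter((p) => !before.hosts.has(p)).sort();
  return {
    addedApis,
    addedHosts,
    broad: addedHosts.filter(isBroad),
    needsReview: addedApis.length > 0 || addedHosts.length > 0,
  };
}

// Constructed sample: a YouTube-only extension, then an update reaching other sites.
const oldManifest = {
  permissions: ["storage", "*://*.youtube.com/*"],
  content_scripts: [{ matches: ["*://*.youtube.com/*"], js: ["ui.js"] }],
};
const newManifest = {
  permissions: ["storage", "tabs", "*://*.youtube.com/*", "*://*/*"],
  content_scripts: [
    { matches: ["*://*.youtube.com/*"], js: ["ui.js"] },
    { matches: ["*://*.amazon.com/*", "*://*.booking.com/*"], js: ["extra.js"] },
  ],
};

console.log(diffManifests(oldManifest, newManifest));
```

A clean diff only says the declared reach is unchanged; an extension that already held broad host access can change behavior without any manifest change.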

29 of 187 comments

  1. Sounds like Slashdot by Anonymous Coward · · Score: 5, Insightful

    Popular website gets sold to new owners, who proceed to add even more ads to the website while decreasing the quality of stories that are posted.

    1. Re:Sounds like Slashdot by courteaudotbiz · · Score: 5, Insightful

      I would add that for the past 3-4 months, the top banner is so invasive as to cover a third of the content, even when I scroll down. Ads on /. are getting annoying to the point that the site looks more like a giant advert than a geek site.

    2. Re:Sounds like Slashdot by Known Nutter · · Score: 4, Informative

      https://pi-hole.net/

      Run it in a VM if necessary.

      --
      Beware of the Leopard.
    3. Re:Sounds like Slashdot by I'm New Around Here · · Score: 5, Informative

      When the banner ad showed up, I mentioned that my adblocker didn't work on it. Someone suggested uBlock Origin, which is what I now use. No ads anywhere.

      Looking at the uBlock icon above, it is blocking 11 items on this page. A couple days ago, one site had over 100 items blocked, with a few more new things being blocked every few seconds. I closed the tab soon after I finished reading the news item, and the count was about 170.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    4. Re:Sounds like Slashdot by johanw · · Score: 4, Informative

      You mean you don't use an adblocker? Then you deserve what you get.

    5. Re:Sounds like Slashdot by K. S. Kyosuke · · Score: 4, Funny

      Those guys will get what they deserve

      A wall of almost-English text from APK about how his solution is superior?

      --
      Ezekiel 23:20
    6. Re:Sounds like Slashdot by bettodavis · · Score: 3, Insightful

      Sadly, more and more sites have adblocker detectors, and pester you about whitelisting them or plainly refuse to show their content.

    7. Re:Sounds like Slashdot by Trailer Trash · · Score: 4, Insightful

      > You mean you don't use an adblocker?

      No, I don't, because I know that /. is supported by nothing but ad revenue, and if I want it to continue the owners have to make money to pay for their costs and hopefully make a little profit. It would be extremely selfish of me to deprive them of their revenue source while making use of their resources.

      > Then you deserve what you get.

      If everybody uses ad-blockers, what we're all going to get is one giant paywall.

    8. Re:Sounds like Slashdot by caseih · · Score: 3, Insightful

      In my experience, sites that do that don't really have anything of value for me to see anyway, so I just go away. If I think I really want to see the page, I'll disable javascript and 90% of the time the content loads fine. Often when I do that I wouldn't have missed much if I'd just closed the tab and gone on my way.

    9. Re:Sounds like Slashdot by caseih · · Score: 2

      That's why I also run ghostery (no I don't have it log in to their cloud). Slashdot has on average about 8 unnecessary javascript trackers on any given page.

    10. Re:Sounds like Slashdot by CrashNBrn · · Score: 2

      Aye, but uMatrix with just a handful of default rules blocks 99%+ of what Ghostery & uBlock do.

      * * * block
      * * css allow
      * * frame block
      * * image allow
      * 1st-party * allow
      * 1st-party frame allow

      #Allow rules so stuff works, AND
      #If /. still used google or amazon ads, then I would still see some ads here.

      slashdot.org * cookie block
      slashdot.org * css inherit
      slashdot.org * image inherit
      slashdot.org fsdn.com * allow
      slashdot.org rpxnow.com * allow
      slashdot.org slashcdn.com * allow
      slashdot.org slashdot.org cookie allow
      slashdot.org slashdotmedia.com * allow
      slashdot.org doubleclick.net * allow
      slashdot.org doubleclick.net frame allow
      slashdot.org google.com * allow
      slashdot.org google.com frame allow
      slashdot.org googleads.g.doubleclick.net frame allow
      slashdot.org googleadservices.com * allow
      slashdot.org s3-us-west-2.amazonaws.com * allow

    11. Re:Sounds like Slashdot by chuckugly · · Score: 2

      Either way they get no ad revenue from me, one way they drive me to an alternative, one way they don't.

    12. Re:Sounds like Slashdot by chuckugly · · Score: 2

      Yeah it's up to them whether the minuscule cost of me visiting X without seeing ads is worth the fact that if I'm not citing or linking X to my friends and so on, I will in fact be linking, recommending, and citing Y instead. I say let the market decide which is worth more. *shrug*

    13. Re: Sounds like Slashdot by that this is not und · · Score: 2

      We had Katz for awhile. I hope he wasn't getting paid though.

  2. Missed opportunity by Dan East · · Score: 4, Funny

    Crap. Something told me I should have written some stupid, pointless yet viral Chrome extension a year ago.

    --
    Better known as 318230.
  3. Souls must go for a shitload of money by mykepredko · · Score: 5, Insightful

    With the NDA, the adware will be blamed on the original developer (whose name would be on the Chrome App Store). I imagine that this could result in some cursing in various forums as well as hurtful ratings on the App Store. The biggest issue that I can see is when the developer is looking for a job; a simple Google search will identify the developer as scum-sucking vermin (or something worse) - with no way of (legally) explaining the situation to the prospective employer.

    So, I would think that the payment must be enough for the developer to live comfortably for the rest of their lives under a new name.

    1. Re:Souls must go for a shitload of money by barc0001 · · Score: 4, Insightful

      > If the NDA is really that strict then it likely won't be enforceable if they took him to court

      And therein lies the problem. Sure it's not enforceable but how many developers - especially ones looking for a job like in OP's example - have a bunch of cash they want to burn through to defend themselves in court over it?

      Even an unenforceable NDA has a chilling effect if you can't pay to negate it in court.

    2. Re:Souls must go for a shitload of money by mykepredko · · Score: 3, Informative

      RTFA and look at the Particle extension (https://chrome.google.com/webstore/detail/particle/bpmpggcmojdddlmihdbobccijhkkjpan?hl=en). Still the original author.

      I'm pretty sure the NDA says the author IS barred from saying "I sold the business to a 3rd party and had nothing to do with the plugin update." The individual/company buying the extension want to take advantage of the goodwill the author originally came up with.

      Hopefully, for Aiden, he got enough money to make it worth it.

    3. Re:Souls must go for a shitload of money by thegarbz · · Score: 2

      > I'm pretty sure the NDA says the author IS barred from saying "I sold the business to a 3rd party and had nothing to do with the plugin update."

      I'm sure it does say that. However that would make it not legally enforceable. As I said you can't NDA away your ability to lay claim to property. I can't make you sign an NDA that says you're not allowed to tell anyone you no longer own your house after you sell it. There are many things you can try and sign away that legally you can't actually do.

  4. Re:Brilliant by mysidia · · Score: 3, Informative

    Now we just need Google to update the Chrome extension policy to require
    The Developer MUST notify Google prior to any sale or acquiring, disposing, or changing beneficial ownership regarding any app software And disclose to all users the sale 30 days prior to any further software updates, details of the acquirer, and any other business the acquirer has regarding Chrome-related extensions, Otherwise, the author and publisher of any updated version agree to each pay Google the sum of $10 Million dollars, in the event the original developer or acquirer is negligent in their duty to notify.

  5. Re:People trust extensions. by rogoshen1 · · Score: 5, Funny

    i just use a *hosts file.

    * if you mention hosts file in a slashdot thread, or in a dark room, say "apk" 3 times in front of a mirror, you'll summon... HIM -- and you'll get a very detailed explanation (whether you want it or not.) on how a hosts file can keep you safe from all sorts of shenanigans.

  6. Re:Brilliant by Lobachevsky · · Score: 5, Insightful

    That's not realistic. If Microsoft makes an extension, they can't notify Google every time some little old lady buys or sells some shares from her retirement account. Similarly, if your chrome extension is owned by some Ireland holding company, and it is in turn owned by some Cayman holding company, and it is in turn owned by some, etc., there's no way to know or get reports that every entity that holds any stake has to report when it sells. And you don't even have to own the entity to get its profits. Your holding company in China can have a mere contract with your Cayman holding company for assignment of all profits *without* ownership. You can have another contract with some McKinsey consultant that she has administrative access *without* ownership. Many celebrities contract out their twitter and facebook accounts to professional management teams. Are they the owners of the twitter/facebook account? Like most laws, such a policy trying to "fix" the problem will only affect honest, good people, and have ZERO effect on the dishonest people it's trying to deal with since the dishonest bunch are more than happy to create a Russian nesting doll of legal entities and a labyrinth of contracts and profit assignments that would make a veteran CPA cry into a fetal position.

  7. Got hit by this last week by ThomasSpaziani · · Score: 2

    Out of nowhere, any site I went to and clicked anywhere on the page would open popups and other webpages. I narrowed it down to my video downloader extension. Seems these guys are on a crusade to buy up a lot of them.

  8. Auto Update by sexconker · · Score: 2

    This is why you turn auto update OFF for apps and plugins.
    Let shit notify you that updates are available. But don't let shit automatically apply them.

  9. Happens with Android apps too by johanw · · Score: 2

    I suddenly saw that my favorite simple calculator app was bought by some (Austrian I think) company who added some caller ID spyware in it. Fortunately I kept the apk of an older version around. When I researched I found out this shit company (Appsbuyout) does this with more apps.

  10. Re:Google: morons by Gavagai80 · · Score: 2

    Blocking an attempt to commit widespread fraud is not evil. You're lucky to not go to jail for running AdNauseam, since it is literally draining people's bank accounts on false pretenses. (And actually sending that money to google... but they block it anyway because they don't want to be dishonest.)

    --
    This space intentionally left blank
  11. Not new by Balthisar · · Score: 2

    Here's a story from 2014 about the same thing. I got bit by this bogus behavior around this time, too. I can't remember what the extension was, but whatever it was was something very useful that I probably don't miss now that I can't remember it.

    --
    --Jim (me)
  12. Re:People trust extensions. by radarskiy · · Score: 2

    Can APK make a host file so strong that not even APK can spam through it?

  13. Re:The obvious question by JackieBrown · · Score: 2

    There is but the company from the article bought it. ;)