I have two Chrome extensions in the store. They're not very popular and are really just features I wanted for my own use. I think I have less than 100 users total.
At least once a week I get emails from people
- offering money to add their "tracking" code
- wanting to purchase the extension outright
What they clearly want is access to my modest install base to push questionable code onto. I certainly am not going for these offers, but I could certainly see someone less financially secure giving in to it, and that scares me a little.
The idea of paid malware insertion in smaller packages is kind of troubling in general. How often just in life in general do we just trust opaque binaries to be clean?
I'm guessing they go by keywords + user count (or something, maybe "last updated" too?), as my extension is very country and context-specific, and I'm not getting that many offers (thankfully). More people reaching out saying thanks, which are better emails to receive anyways and some asking for the source code, which I'm happy to provide :)
They stopped emailing me eventually when I started responding with silly replies, these are some of the emails I got about Control Panel for Twitter (~220,000 users on Chrome):
That sort of thing is part of my usual spiel against automatic updates in most scenarios (and, when that's hard, pushing back on the reasons why it's hard rather than adding automatic updates):
- What security problems are we trying to prevent with automatic updates? The worst-case would be allowing an untrusted third-party to run arbitrary code on your computer.
- How did we fix it? We allow a different untrusted third-party to run arbitrary code on our computers.
Toss in a healthy dose of developers using "security updates" to enshittify a product, or even just screwing up releases from time to time and introducing more attack vectors than they fixed, and automatic updates don't look very attractive.
Did they seem personalized or do they just mass-mail every developer they can find? 100 users seem very little to go through the trouble of acquiring an extension and then push bad code.
Did they ever give you an idea of what they are ready to pay?
These rogue extensions are "surreptitiously monetizing web searches" - but doesn't Google conspicuously monetize web searches?
So it seems the Google TOS bans competition in search monetization using their "open source" browser. Isn't it odd that an "open source" browser is apparently designed to provide a monopoly on search monetization by the nice people who give it to you for free?
It seems like Peter Thiel's claim that Google is a search advertising monopoly masquerading as a (competitive, non-monopoly) technology company might be spot on.
The "This extension may soon no longer be supported because it doesn't follow best practices for Chrome extensions" warning on the uBlock Origin listing is one of the shadiest things on the Chrome Web Store.
donatj|1 year ago
At least once a week I get emails from people
- offering money to add their "tracking" code
- wanting to purchase the extension outright
What they clearly want is access to my modest install base to push questionable code onto. I certainly am not going for these offers, but I could certainly see someone less financially secure giving in to it, and that scares me a little.
The idea of paid malware insertion in smaller packages is kind of troubling in general. How often just in life in general do we just trust opaque binaries to be clean?
diggan|1 year ago
> At least once a week I get emails from people
My extension (https://chromewebstore.google.com/detail/privornot/fnpgifcbm...) currently says it has ~915 users. Usually the offers I get are in the $100-$200 range, but it's maybe once every 1-2 months I get an offer.
I'm guessing they go by keywords + user count (or something, maybe "last updated" too?), as my extension is very country and context-specific, and I'm not getting that many offers (thankfully). More people reaching out saying thanks, which are better emails to receive anyways and some asking for the source code, which I'm happy to provide :)
insin|1 year ago
https://github.com/insin/control-panel-for-twitter/issues/38...
Some of them work in the open, I've had emails from the people behind this scam:
https://palant.info/2024/10/01/lies-damned-lies-and-impact-h...
hansvm|1 year ago
- What security problems are we trying to prevent with automatic updates? The worst-case would be allowing an untrusted third-party to run arbitrary code on your computer.
- How did we fix it? We allow a different untrusted third-party to run arbitrary code on our computers.
Toss in a healthy dose of developers using "security updates" to enshittify a product, or even just screwing up releases from time to time and introducing more attack vectors than they fixed, and automatic updates don't look very attractive.
luckylion|1 year ago
Did they ever give you an idea of what they are ready to pay?
potamic|1 year ago
emahhh|1 year ago
maxresdefault|1 year ago
lazyeye|1 year ago
Over2Chars|1 year ago
So it seems the Google TOS bans competition in search monetization using their "open source" browser. Isn't it odd that an "open source" browser is apparently designed to provide a monopoly on search monetization by the nice people who give it to you for free?
And being 80% or so of all searches: https://www.statista.com/statistics/216573/worldwide-market-...
It seems like Peter Thiel's claim that Google is a search advertising monopoly masquerading as a (competitive, non-monopoly) technology company might be spot on.
grues-dinner|1 year ago
That's not a very deep insight, it's been pretty obvious since they bought out DoubleClick in 2007.
HeatrayEnjoyer|1 year ago
Otherwise I agree (even if it means agreeing with Peter Thiel in this case).
wbl|1 year ago
WrongAssumption|1 year ago
issafram|1 year ago
insin|1 year ago
creato|1 year ago
nubinetwork|1 year ago
Oh, you mean like Google ads and Android app ads? Because both think I'm either Chinese or Korean, despite being neither.
dylan604|1 year ago