Date: 2017-07-14
Popular Chrome Extension Sold To New Dev Who Immediately Turns It Into Adware (bleepingcomputer.com) 160
An anonymous reader writes: A company is going around buying abandoned Chrome extensions from their original developers and converting these add-ons into adware. The latest case is the Particle for YouTube Chrome extension, a simple tool that allows users to change the UI and behavior of some of YouTube's standard features. Because Google was planning major changes to YouTube's UI, the extension's original author decided to retire it and create a new one. This is when a mysterious company approached the original author and offered to buy the extension from him for a price of his choosing. The original dev says he gave them a high price, but the company agreed to pay right away, but only after the dev signed a non-disclosure agreement preventing him from talking about the company or the transaction. Soon after the sale, the company issued an update that included code for injecting rogue ads on websites such as Google, Yahoo, Bing, Amazon, eBay, and Booking.com. Users also found other Chrome extensions that were also bought by the same company and had also been turned into adware, such as "Typewriter Sounds" and "Twitch Mini Player." According to some other Chrome extension devs, there are many companies willing to pay large sums of money for taking over legitimate Chrome extensions.
Sounds like Slashdot
Popular website gets sold to new owners, who proceed to add even more ads to the website while decreasing the quality of stories that are posted.
Re:Sounds like Slashdot
Run it in a VM if necessary.
Privoxy (https://www.privoxy.org/) works pretty well too -- especially for /.
Thank you so much for sharing! Sent a donation their way.
Re:Sounds like Slashdot
Those guys will get what they deserve
A wall of almost-English text from APK about how his solution is superior?
the internet is eating its tail.
Good, because it has sucked balls for the last 5 years or so.
The top ad is annoying, but the side ad (and possibly JavaScript to keep it and the list of replies I have in the window) messes up scrolling for me. I need to right-click and have Chrome remove the content on every page load just to read Slashdot.
Re:Sounds like Slashdot
You mean you don't use an adblocker? Then you deserve what you get.
Re:Sounds like Slashdot
Re:Sounds like Slashdot
In my experiences, sites that do that don't really have anything of value for me to see anyway, so I just go away. If I think I really want to see the page, I'll disable javascript and 90% of the time the content loads fine. Often when I do that I wouldn't have missed much if I'd just closed the tab and gone on my way.
Re: (Score:3)
If they get no ad revenue from you, why should they care if they drive you away or not? You're just a freeloader adding to their overhead costs. (I say without having bothered to look at your posting history - maybe you're actually a valuable contributor whose posts help keep the ad-watching audience interested. But given the ever-declining comment quality here, that's not the way to bet for any particular freeloader.)
Re:Sounds like Slashdot
You mean you don't use an adblocker?
No, I don't, because I know that /. is supported by nothing but ad revenue, and if I want it to continue the owners have to make money to pay for their costs and hopefully make a little profit. It would be extremely selfish of me to deprive them of their revenue source while making use of their resources.
Then you deserve what you get.
If everybody uses ad-blockers, what we're all going to get is one giant paywall.
There are certainly people who won't tolerate any ads, but most people understand they're a source of revenue for sites to pay the bills. However, I think most people wouldn't complain about a JPEG or an animated GIF that didn't load Javascript and wasn't pushing out or hiding malicious content. The problem is the ridiculous amount of scripts and trackers, many of which do push out malicious content to users. I personally have encountered malicious ads on this site, redirecting me to install bogus software
Re: Sounds like Slashdot
We had Katz for awhile. I hope he wasn't getting paid though.
Re:Sounds like Slashdot
When the banner ad showed up, I mentioned that my adblocker didn't work on it. Someone suggested uBlock Origin, which is what I now use. No ads anywhere.
Looking at the uBlock icon above, it is blocking 11 items on this page. A couple days ago, one site had over 100 items blocked, with a few more new things being blocked every few seconds. I closed the tab soon after I finished reading the news item, and the count was about 170.
Here are the uBlock filters I have for Slashdot:
slashdot.org##article:not([data-fhtype])
slashdot.org##iframe
I've noticed a fair chunk of Javascript lately, is used to open|create websockets, and when a piece of that fails, due to inline-script block or similar, it causes the ad-block counters to run off the charts. Except when the websocket wasn't blocked? Firefox climbed to 8GB of RAM in less than 30 mins.
Re: (Score:3)
That's why I also run ghostery (no I don't have it log in to their cloud). Slashdot has on average about 8 unnecessary javascript trackers on any given page.
Aye, but uMatrix with just a handful of default rules blocks 99%+ of what Ghostery & uBlock do.
Re: Sounds like Slashdot
When you close a browser tab on Slashdot there is even a spinner widget of some sort at the screen bottom now, so the scripting even responds to the user manually closing a tab. That's a little eerie because I specifically close a tab to not interact with a page anymore. It's not as bad as pages that throw pleading popups when you try to close, of course.
No need, except for the fact that the one I used didn't get rid of the banner ad. It made it go away only until I refreshed the page, or went to another story. Then the ad banner was back. So someone recommended uBlock, and that's what I switched to.
You can consider my post an ad if you want. I don't care.
Ads on slashdot? Never see them. Let me fire up my adblock/noscript free browser instance and see what Slashdot really looks like. Just a few seconds here...
Nope. Not seeing it. There's a small two line long advert at the top in beige and no images, it's no thicker than the normal headline+post details. There is all the stuff on the left but it's not hiding any text, and the majority vanished once I logged in.
Missed opportunity (Score:5, Funny)
Crap. Something told me I should have written some stupid, pointless yet viral Chrome extension a year ago.
Gotta hand it to them, this is lemonade from lemons no?
Google: morons (Score:2, Insightful)
We have known this has been happening for over a year [tumblr.com].
Still, this is approved, accepted and endorsed behavior, while AdNauseam is not [adnauseam.io].
Do no evil - not.
Re: Google: morons
Blocking an attempt to commit widespread fraud is not evil. You're lucky to not go to jail for running AdNauseam, since it is literally draining people's bank accounts on false pretenses. (And actually sending that money to google... but they block it anyway because they don't want to be dishonest.)
Re: Missed opportunity
Is it too late? I suppose you need to make it interesting enough that people will install it.
If the NDA is used by anyone at least half competent, you won't find out what you are agreeing to not disclose until AFTER you have signed the agreement.
Future NDA clause: I hereby certify that I have never acted out the ___________ in a game of charades....
Re: (Score:1)
"communicated, or caused to be communicated" would cover it.
Give it to them in writing. Or sing it in a song? Draw some pictures?
Future NDA clause: I hereby certify that I have never acted out the ___________ in a game of charades....
I can get around that.
When I was a kid, every Sunday was game night. We either played board games like Monopoly or Life, or card games, or one game that I later found out was called Charades. We called it Cookie Barrel, because the slips of paper we acted out were in a giant cookie jar that looked like a wood barrel, and it had a 'sign' on the side that said "Cookie Barrel".
Kinda like this one: http://www.laurelleaffarm.com/... [laurelleaffarm.com]
So, unless the NDA specifically says I am not allowed to play Cookie Barrel conce
It is called a Non DISCLOSURE Agreement for a reason.
Brilliant (Score:1, Insightful)
Re:Brilliant
Now we just need Google to update the Chrome extension policy to require
The Developer MUST notify Google prior to any sale or acquiring, disposing, or changing beneficial ownership regarding any app software And disclose to all users the sale 30 days prior to any further software updates, details of the acquirer, and any other business the acquirer has regarding Chrome-related extensions, Otherwise, the author and publisher of any updated version agree to each pay Google the sum of $10 Million dollars, in the event the original developer or acquirer is negligent in their duty to notify.
Re:Brilliant
That's not realistic. If Microsoft makes an extension, they can't notify Google every time some little old lady buys or sells some shares from her retirement account. Similarly, if your chrome extension is owned by some Ireland holding company, and it is in turn owned by some Cayman holding company, and it is in turn owned by some, etc., there's no way to know or get reports that every entity that holds any stake has to report when it sells. And you don't even have to own the entity to get its profits. Your holding company in China can have a mere contract with your Cayman holding company for assignment of all profits *without* ownership. You can have another contract with some McKinsey consultant that she has administrative access *without* ownership. Many celebrities contract out their twitter and facebook accounts to professional management teams. Are they the owners of the twitter/facebook account? Like most laws, such a policy trying to "fix" the problem will only affect honest, good people, and have ZERO effect on the dishonest people it's trying to deal with since the dishonest bunch are more than happy to create a Russian nesting doll of legal entities and a labyrinth of contracts and profit assignments that would make a veteran CPA cry into a fetal position.
Re: Brilliant
If Microsoft makes an extension, they can't notify Google every time some little old lady buys or sells some shares from her retirement account.
Such immaterial transactions are not a change of beneficial ownership.
and it is in turn owned by some Cayman holding company, and it is in turn owned by some, etc., there's no way to know or get reports that every entity that holds any stake has to report when it sells.
It is in fact doable, and many companies already have such terms you have to sign for certai
And the day after, 0 extensions are developed for Chrome. Or to paraphrase Sterling Archer:
"Do you want to kill Chrome extension development completely? Because this is how you kill Chrome extension development completely"
A more realistic approach (Score:1)
Now we just need Google to update the Chrome extension policy to require
The Developer MUST notify Google prior to any sale or acquiring, disposing, or changing beneficial ownership regarding any app software
Better: Whether a program changes hands or not, impose a requirement that new versions which are "substantially different" from previous versions with respect to feature-removal or the addition of revenue- or marketing-components will require a big bold warning and will not be eligible for any kind of automated updates from prior versions.
Furthermore, reviews based on previous versions will be segregated from reviews of new versions. In such cases, developers will be encouraged to keep the "old" version a
My client and his LLC did not sell, dispose of, or change beneficial ownership of his plugin. They did enter into an arrangement in which an outside contractor performed some technical work in exchange for profit-sharing guarantee in which the LLC pays them a fraction of net revenue for a specified period.
Yours Truly,
The first (but not the last) lawyer to poke a hole in your laughable terms.
[ Or, snark aside, there's plenty of ways for a plugin writer to change from good-guy to bad-guy without doing anythi
No.
If the software in question ran outside of your browser, you would have immediately seen how silly this whole situation is, and how inadequate your proposed change is. So, ask yourself: what if the new version of a thing had adware, but that this was Python, or Thunar, or mpv or Apache or ...
We are fundamentally mis-handling how we get browser extensions. Google should have no say and no power in this, unless people just happen to think th
I would call it clever, but not smart. Normally after abuse of a system which is left open for reasons of trying to be nice. Will tightly close down to more of the Apple Store Model, where these things are checked more thoroughly and rejected.
The obvious question (Score:2)
Is there a Chrome extension to track shitty adware Chrome extensions?
"Users also found other Chrome extensions that were also bought by the same company..."
Or perhaps there's a way we can simply put in a filter and block this particular company...
Re: (Score:3)
There is but the company from the article bought it. ;)
Indecent Proposal (Score:2)
I wonder if Robert Redford would do a remake.
And as a dev, would I do it for a million dollars? Hmmm...
Souls must go for a shitload of money (Score:5, Insightful)
With the NDA, the adware will be blamed on the original developer (whose name would be on the Chrome App Store). I imagine that this could result in some cursing in various forums as well as hurtful ratings on the App Store. The biggest issue that I can see is when the developer is looking for a job; a simple Google search will identify the developer as scum-sucking vermin (or something worse) - with no way of (legally) explaining the situation to the prospective employer.
So, I would think that the payment must be enough for the developer to live comfortably for the rest of their lives under a new name.
With the NDA, we should probably not mention precisely what type of extension was sold, how the transaction went down, and so forth....
If the NDA is really that strict then it likely won't be enforceable if they took him to court, which would defeat the purpose of the NDA to start with since now their shenanigans are public records which the app developer can share with everyone.
Re:Souls must go for a shitload of money
> If the NDA is really that strict then it likely won't be enforceable if they took him to court
And therein lies the problem. Sure it's not enforceable but how many developers - especially ones looking for a job like in OPs example - have a bunch of cash they want to burn through to defend themselves in court over it?
Even an unenforceable NDA has a chilling effect if you can't pay to negate it in court.
"Even an unenforceable NDA has a chilling effect if you can't pay to negate it in court."
Go to court. See that little thing on the filing papers where it says "Waive all fees as I cannot afford attorneys or other filing fees, etc."
Check that little box, prove you can't afford an attorney to the judge, and get the NDA fucked anyways.
Re: Souls must go for a shitload of money
Re: (Score:2)
That is one of the stupidest ideas I've heard all year. Your advice is to represent yourself in a contract dispute - which is something 99.999% of the planet is NOT equipped to do. Might as well not waste everyone's time including your own and just get to the penalties phase. That way you can avoid paying court costs.
Re: Souls must go for a shitload of money
Even an unenforceable NDA has a chilling effect if you can't pay to negate it in court.
This isn't David vs Goliath. The small scam company is even less likely to want to engage in a frivolous lawsuit than the developer wanting to defend it. And given that the story has already come out with exactly the kind of details that you suggest are being sequestered ... well the number is at least 1.
with no way of (legally) explaining the situation to the prospective employer.
You can't NDA yourself in to a position where you are unable to lay correct claim to property. He is likely legally barred from describing the transaction itself, but that's a far step from being barred for saying e.g. "I sold the business to a 3rd party and had nothing to do with the plugin update."
After all, non-disclosure agreements are non-disclosure agreements. They aren't "lie about ownership" agreements.
Re:Souls must go for a shitload of money
RTFA and look at the Particle extension (https://chrome.google.com/webstore/detail/particle/bpmpggcmojdddlmihdbobccijhkkjpan?hl=en). Still the original author.
I'm pretty sure the NDA says the author IS barred from saying "I sold the business to a 3rd party and had nothing to do with the plugin update." The individual/company buying the extension want to take advantage of the goodwill the author originally came up with.
Hopefully, for Aiden, he got enough money to make it worth it.
And hopefully, for the rest of the world, he gets sued into oblivion or goes to jail for it. If you agree to not disclose the fact that you sold something, that should be an agreement to continue to take legal responsibility for the actions of those you secretly sold to.
Re: (Score:2)
Agreed.
Re: (Score:3)
I'm pretty sure the NDA says the author IS barred from saying "I sold the business to a 3rd party and had nothing to do with the plugin update."
I'm sure it does say that. However that would make it not legally enforceable. As I said you can't NDA away your ability to lay claim to property. I can't make you sign an NDA that says you're not allowed to tell anyone you no longer own your house after you sell it. There are many things you can try and sign away that legally you can't actually do.
barc0001's comment is the best on this thread.
Maybe they can't, but how many people can afford to defeat their challenge to the legality of what you signed in court?
Well, he already did exactly that (at least on Github)
https://github.com/ParticleCor... [github.com]
Re: (Score:2)
find out who this spammer is (Score:1)
Did he say to end it there? I considered it a suggestion what to do for the entree. Ya know, the "get to know you" phase of the days to follow. Torture is much more personal and rewarding when you get to know your victim and what breaks not only their body but also their mind and soul.
Irony (Score:1)
Adverts (Score:2)
Says the website giving me all kinds of shitty ads, since selling out, despite paying years ago for the "Disable Advertising" button.
I Ghostery'd the fucker years ago, but just checked and - yep - ads over all the fucking Slashdot pages.
I get this periodically for my little FF extension (Score:2)
Little? I've a FF extension with about six thousand users, and I regularly get these offers as well.
Got hit by this last week (Score:2)
Same here, almost. I had been using youtube plus, and I had hand-audited the code and made modifications to remove any google analytics that was embedded. Then it updated, but luckily when I saw the extension get renamed and then it wanted further permissions to view data on ALL sites not just youtube, I knew something was up. I had seen postings about this sort of practice before with popular extensions getting bought out by scummy companies to abuse the install base.
So I just promptly clicked the remove b
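The two signals this comment describes (a renamed extension, and a request to read data on all sites instead of only YouTube) can be checked mechanically by diffing the old and new manifest.json before accepting an update. This is an added example, not part of the original thread; the function names and both sample manifests are constructed for illustration.

```javascript
// Added example: compare two versions of a Chrome extension manifest.json.
// Function names are hypothetical; the manifests at the bottom are constructed samples.

// Match patterns that grant access to every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// A "permissions" entry is a host match pattern if it is <all_urls> or has a scheme.
function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// Collect every host pattern and API permission a manifest requests.
// Manifest V2 mixes both in "permissions"; Manifest V3 uses "host_permissions".
function collect(manifest) {
  const hosts = new Set();
  const apis = new Set();
  for (const p of manifest.permissions || []) {
    if (typeof p !== "string") continue; // skip object-style entries
    (isHostPattern(p) ? hosts : apis).add(p);
  }
  for (const p of manifest.host_permissions || []) hosts.add(p);
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.add(m);
  }
  return { hosts, apis };
}

// Report what the new version asks for that the old one did not.
function diffManifests(oldM, newM) {
  const before = collect(oldM);
  const after = collect(newM);
  const findings = [];
  if (oldM.name !== newM.name) {
    findings.push({ kind: "renamed", detail: `${oldM.name} -> ${newM.name}` });
  }
  for (const api of after.apis) {
    if (!before.apis.has(api)) findings.push({ kind: "new-api-permission", detail: api });
  }
  for (const host of after.hosts) {
    if (before.hosts.has(host)) continue;
    const kind = BROAD_HOSTS.has(host) ? "all-sites-access" : "new-host";
    findings.push({ kind, detail: host });
  }
  return findings;
}

// Constructed sample: the version that was audited by hand.
const oldManifest = {
  name: "Video Tweaks (sample)",
  version: "1.4.0",
  permissions: ["storage", "*://*.youtube.com/*"],
  content_scripts: [{ matches: ["*://*.youtube.com/*"], js: ["content.js"] }],
};

// Constructed sample: the update pushed after a change of ownership.
const newManifest = {
  name: "Video Tweaks Plus (sample)",
  version: "2.0.0",
  permissions: ["storage", "webRequest", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

for (const f of diffManifests(oldManifest, newManifest)) {
  console.log(`[${f.kind}] ${f.detail}`);
}
```
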
What if he is a victim of a hack? (Score:2)
Let us say his computer gets hacked and some unknown third party finds all the dirty laundry. And this hacker blabs all over the media about the deal. Now the original developer is not responsible for the behavior of the hacker right? She/He is also a victim of the hacker. If the original developer is able to show that she/he was not negligent then she/he is off the hook.
I am not suggesting the original hacker to leak all information and bla
Auto Update (Score:3)
This is why you turn auto update OFF for apps and plugins.
Let shit notify you that updates are available. But don't let shit automatically apply them.
Re: Auto Update
Happens with Android apps too (Score:3)
I suddenly saw that my favorite simple calculator app was bought by some (Austrian I think) company who added some caller ID spyware in it. Fortunately I kept the apk of an older version around. When I researched I found out this shit company (Appsbuyout) does this with more apps.
This kind of thing is fraud, and it is high time that any developer or company that buys the developer or an app needs to be held to account, criminally (i.e. PMITA prison time) for the practice of selling an app, then updating it later removing features or adding adware/other unwanted shit not in the original app that you bought.
It is like buying a car, and then when you take it in for an oil change the dealer rips out the seats and replaces them with lawn chairs while selling the seats to a third party. I
Chrome Store links in the summary seem dead now (Score:1)
The links to the Chrome Store mentioned in the summary seem to be dead now.
Not new (Score:3)
Here's a story from 2014 [latimes.com] about the same thing. I got bit by this bogus behavior around this time, too. I can't remember what the extension was, but whatever it was was something very useful that I probably don't miss now that I can't remember it.
Yup (Score:2)
Been happening for a while now, which is why I went plugin agnostic with only big names not expected to sellout anytime soon.
bring me a lawyer! (Score:2)
"The original dev says he gave them a high price, but the company agreed to pay right away, but only after the dev signed a non-disclosure agreement preventing him from talking about the company or the transaction."
Trouble?
Fuck LavaSoft AdAware too (Score:1)
Same sort of thing happened to Lavasoft AdAware which was once trusted anti-malware anti-adware software. AVOID IT! https://malwaretips.com/threads/lavasofts-new-scam-artist-owners.3279/ https://en.wikipedia.org/wiki/Lavasoft#Controversies
Thanks for the heads-up, I had it installed on relatives windows box. Gotta head over sometime and uninstall that.
The problem is chrome (Score:2)
Chrome does not allow to disable updates, it doesn't even notify you of extension updates.
Then it is clear, why people buy addons to buy userbases. You can push whatever code you want to the users. Be glad, they didn't replace your banking site with some phishing website.
Unless the two posts are by the same AC. (Probably BeauHD and msmash trying to drive up the comment count to pretend to stay relevant.)
Re: (Score:2)
Re:People trust extensions.
i just use a *hosts file.
* if you mention hosts file in a slashdot thread, or in a dark room, say "apk" 3 times in front of a mirror, you'll summon... HIM -- and you'll get a very detailed explanation (whether you want it or not.) on how a hosts file can keep you safe from all sorts of shenanigans.
Re: (Score:3)
Can APK make a host file so strong that not even APK can spam through it?
The parents punish the children for their hunger. I'm happy to feed all the poor children, if we take them from their parents who decide to have kids when they don't have the money to support them. Follow that up with spay-n-neuter of the parents, and the situation will be under control very soon.
