Chrome Businesses Privacy Security The Almighty Buck

Popular Chrome Extension Sold To New Dev Who Immediately Turns It Into Adware (bleepingcomputer.com) 187

An anonymous reader writes: A company is going around buying abandoned Chrome extensions from their original developers and converting these add-ons into adware. The latest case is the Particle for YouTube Chrome extension, a simple tool that allows users to change the UI and behavior of some of YouTube's standard features. Because Google was planning major changes to YouTube's UI, the extension's original author decided to retire it and create a new one. This is when a mysterious company approached the original author and offered to buy the extension from him for a price of his choosing. The original dev says he gave them a high price, but the company agreed to pay right away, but only after the dev signed a non-disclosure agreement preventing him from talking about the company or the transaction. Soon after the sale, the company issued an update that included code for injecting rogue ads on websites such as Google, Yahoo, Bing, Amazon, eBay, and Booking.com. Users also found other Chrome extensions that were also bought by the same company and had also been turned into adware, such as "Typewriter Sounds" and "Twitch Mini Player." According to some other Chrome extension devs, there are many companies willing to pay large sums of money for taking over legitimate Chrome extensions.
  • by Anonymous Coward on Friday July 14, 2017 @02:14PM (#54810307)

    Popular website gets sold to new owners, who proceed to add even more ads to the website while decreasing the quality of stories that are posted.

    • by courteaudotbiz ( 1191083 ) on Friday July 14, 2017 @02:36PM (#54810481) Homepage
      I would add that for the past 3-4 months, the top banner is so invasive as to cover a third of the content, even when I scroll down. Ads on /. are getting annoying to the point that the site looks more like a giant advert than a geek site.
      • by Known Nutter ( 988758 ) on Friday July 14, 2017 @02:41PM (#54810517)
        https://pi-hole.net/ [pi-hole.net]

        Run it in a VM if necessary.
      • The top ad is annoying, but the side ad (and possibly JavaScript to keep it and the list of replies I have in the window) messes up scrolling for me. I need to right-click and have Chrome remove the content on every page load just to read Slashdot.

        • by johanw ( 1001493 ) on Friday July 14, 2017 @04:06PM (#54811045)

          You mean you don't use an adblocker? Then you deserve what you get.

          • by bettodavis ( 1782302 ) on Friday July 14, 2017 @05:34PM (#54811423)
            Sadly, more and more sites have adblocker detectors, and pester you about whitelisting them or plainly refuse to show their content.
            • by caseih ( 160668 ) on Friday July 14, 2017 @06:04PM (#54811513)

              In my experience, sites that do that don't really have anything of value for me to see anyway, so I just go away. If I think I really want to see the page, I'll disable javascript and 90% of the time the content loads fine. Often when I do that I wouldn't have missed much if I'd just closed the tab and gone on my way.

            • Either way they get no ad revenue from me, one way they drive me to an alternative, one way they don't.
              • Re: (Score:2, Funny)

                by Immerman ( 2627577 )

                If they get no ad revenue from you, why should they care if they drive you away or not? You're just a freeloader adding to their overhead costs. (I say without having bothered to look at your posting history - maybe you're actually a valuable contributor whose posts help keep the ad-watching audience interested. But given the ever-declining comment quality here, that's not the way to bet for any particular freeloader.)

                • Yeah it's up to them whether the minuscule cost of me visiting X without seeing ads is worth the fact that if I'm not citing or linking X to my friends and so on, I will in fact be linking, recommending, and citing Y instead. I say let the market decide which is worth more. *shrug*
            • Indeed many sites throw a screen-sized remove-adblock message at you covering up content. Most can be handled though, e.g. in Chrome go into Inspect [ Ctrl-Shift-I , "Elements"], easily identify the offending element (auto highlights), right click - Delete element, and reload page. Takes a few seconds. The armies of evil will have to attack us with something more complex.
          • by Trailer Trash ( 60756 ) on Friday July 14, 2017 @05:45PM (#54811453) Homepage

            You mean you don't use an adblocker?

            No, I don't, because I know that /. is supported by nothing but ad revenue, and if I want it to continue the owners have to make money to pay for their costs and hopefully make a little profit. It would be extremely selfish of me to deprive them of their revenue source while making use of their resources.

            Then you deserve what you get.

            If everybody uses ad-blockers, what we're all going to get is one giant paywall.

            • If everybody uses ad-blockers, what we're all going to get is one giant paywall.

              That is fine.

              The price is too high (losing control of my hardware/software), so that means no commerce at all.

              That is fine with me. I do not need them but they do need my money or some way to monetize me. They will die and I will live. Am I supposed to cry?

              Perhaps if they lowered their price we would do business of some sort but they want it all and will not compromise. Fine. Die.

          • I don't mind ads if they are unobtrusive. Want to put in a banner ad and a sidebar ad? Fine. I consider the minor annoyance worth it if it brings the site enough revenue to continue to function. However, if the ad floods the entire top half of the screen and/or interferes with scrolling in an effort to keep the ad on screen, then that's too much.

            I'm actually considering getting an ad blocker and only setting it for ads that cause issues like these.

      • by I'm New Around Here ( 1154723 ) on Friday July 14, 2017 @03:33PM (#54810865)

        When the banner ad showed up, I mentioned that my adblocker didn't work on it. Someone suggested uBlock Origin, which is what I now use. No ads anywhere.

        Looking at the uBlock icon above, it is blocking 11 items on this page. A couple days ago, one site had over 100 items blocked, with a few more new things being blocked every few seconds. I closed the tab soon after I finished reading the news item, and the count was about 170.

        • by Anonymous Coward

          Here are the uBlock filters I have for Slashdot:

          slashdot.org##article:not([data-fhtype])
          slashdot.org##iframe

        • I've noticed a fair chunk of Javascript lately, is used to open|create websockets, and when a piece of that fails, due to inline-script block or similar, it causes the ad-block counters to run off the charts. Except when the websocket wasn't blocked? Firefox climbed to 8GB of Ram in less than 30 mins.

          • by caseih ( 160668 )

            That's why I also run ghostery (no I don't have it log in to their cloud). Slashdot has on average about 8 unnecessary javascript trackers on any given page.

            • Aye, but uMatrix with just a handful of default rules blocks 99%+ of what Ghostery & uBlock do.

              * * * block
              * * css allow
              * * frame block
              * * image allow
              * 1st-party * allow
              * 1st-party frame allow

              #Allow rules so stuff works, AND
              #If /. still used google or amazon ads, then I would still see some ads here.

              slashdot.org * cookie block
              slashdot.org * css inherit
              slashdot.org * image inherit
              slashdot.org fsdn.com * allow
              slashdot.org rpxnow.com * allow
              slashdot.org slashcdn.com * allow
              slashdot.org slashdot.org cookie a

        • When the banner ad showed up, I mentioned that my adblocker didn't work on it. Someone suggested uBlock Origin, which is what I now use. No ads anywhere.

          I just use noscript. I am not allergic to advertising or anything and would love to support Slashdot and similar sites by not blocking their ads... so I do not block their ads.

          But I will burn in hell before I allow anyone to run a script on my computer.

          Since I do not allow scripts and the advertisers are not satisfied without using scripts to control my "experience", I do not see any ads.

          On another note, I visited Slashdot the other day on a browser without noscript... Holy SHIT! The site is unreadable. It

          • I just looked at slashdot with Internet Explorer, and you're right. It's crazy with shit. I wouldn't mind seeing the weekly poll under my usual Chrome view of the site, or "This day in history". But if it is in a frame with a ton of ads, it's gone.

      • Ads on slashdot? Never see them. Let me fire up my adblock/noscript free browser instance and see what Slashdot really looks like. Just a few seconds here...
        Nope. Not seeing it. There's a small two line long advert at the top in beige and no images, it's no thicker than the normal headline+post details. There is all the stuff on the left but it's not hiding any text, and the majority vanished once I logged in.

      • When I started reading /. (which is about a year before I first created this account) I was happy to exclude it in adblock as the advertising was mostly on target and not intrusive. About 6 months ago I reversed this situation so for this user at least the increase in advertising will mean LESS revenue.

        Good job.

  • by Dan East ( 318230 ) on Friday July 14, 2017 @02:16PM (#54810319) Homepage Journal

    Crap. Something told me I should have written some stupid, pointless yet viral Chrome extension a year ago.

    • Gotta hand it to them, this is lemonade from lemons no?

    • Google: morons (Score:2, Insightful)

      by emil ( 695 )

      We have known this has been happening for over a year [tumblr.com].

      Still, this is approved, accepted and endorsed behavior, while AdNauseam is not [adnauseam.io].

      Do no evil - not.

      • Blocking an attempt to commit widespread fraud is not evil. You're lucky to not go to jail for running AdNauseam, since it is literally draining people's bank accounts on false pretenses. (And actually sending that money to google... but they block it anyway because they don't want to be dishonest.)

  • Brilliant (Score:1, Insightful)

    As devious and underhanded as this might be, it's actually pretty smart.
    • Re:Brilliant (Score:4, Informative)

      by mysidia ( 191772 ) on Friday July 14, 2017 @02:42PM (#54810531)

      Now we just need Google to update the Chrome extension policy to require
      The Developer MUST notify Google prior to any sale or acquiring, disposing, or changing beneficial ownership regarding any app software And disclose to all users the sale 30 days prior to any further software updates, details of the acquirer, and any other business the acquirer has regarding Chrome-related extensions, Otherwise, the author and publisher of any updated version agree to each pay Google the sum of $10 Million dollars, in the event the original developer or acquirer is negligent in their duty to notify.

      • Re:Brilliant (Score:5, Insightful)

        by Lobachevsky ( 465666 ) on Friday July 14, 2017 @03:01PM (#54810673)

        That's not realistic. If Microsoft makes an extension, they can't notify Google every time some little old lady buys or sells some shares from her retirement account. Similarly, if your chrome extension is owned by some Ireland holding company, and it is in turn owned by some Cayman holding company, and it is in turn owned by some, etc., there's no way to know or get reports that every entity that holds any stake has to report when it sells. And you don't even have to own the entity to get its profits. Your holding company in China can have a mere contract with your Cayman holding company for assignment of all profits *without* ownership. You can have another contract with some McKinsey consultant that she has administrative access *without* ownership. Many celebrities contract out their twitter and facebook accounts to professional management teams. Are they the owners of the twitter/facebook account? Like most laws, such a policy trying to "fix" the problem will only affect honest, good people, and have ZERO effect on the dishonest people it's trying to deal with since the dishonest bunch are more than happy to create a Russian nesting doll of legal entities and a labyrinth of contracts and profit assignments that would make a veteran CPA cry into a fetal position.

        • Re: (Score:2, Interesting)

          by mysidia ( 191772 )

          If Microsoft makes an extension, they can't notify Google every time some little old lady buys or sells some shares from her retirement account.

          Such immaterial transactions are not a change of beneficial ownership.

          and it is in turn owned by some Cayman holding company, and it is in turn owned by some, etc., there's no way to know or get reports that every entity that holds any stake has to report when it sells.

          It is in fact doable, and many companies already have such terms you have to sign for certai

      • It would probably be sufficient to just nuke existing ratings when changing hands. Should discourage them from *immediately* going fully hostile.
      • And the day after, 0 extensions are developed for Chrome. Or to paraphrase Sterling Archer:

        "Do you want to kill Chrome extension development completely? Because this is how you kill Chrome extension development completely"

      • Now we just need Google to update the Chrome extension policy to require
        The Developer MUST notify Google prior to any sale or acquiring, disposing, or changing beneficial ownership regarding any app software

        Better: Whether a program changes hands or not, impose a requirement that new versions which are "substantially different" from previous versions with respect to feature-removal or the addition of revenue- or marketing-components will require a big bold warning and will not be eligible for any kind of automated updates from prior versions.

        Furthermore, reviews based on previous versions will be segregated from reviews of new versions. In such cases, developers will be encouraged to keep the "old" version a

      • My client and his LLC did not sell, dispose of, or change beneficial ownership of his plugin. They did enter into an arrangement in which an outside contractor performed some technical work in exchange for a profit-sharing guarantee in which the LLC pays them a fraction of net revenue for a specified period.

        Yours Truly,
        The first (but not the last) lawyer to poke a hole in your laughable terms.

        [ Or, snark aside, there's plenty of ways for a plugin writer to change from good-guy to bad-guy without doing anythi

      • Now we just need Google to update the Chrome extension policy...

        No.

        If the software in question ran outside of your browser, you would have immediately seen how silly this whole situation is, and how inadequate your proposed change is. So, ask yourself: what if the new version of a thing had adware, but that this was Python, or Thunar, or mpv or Apache or ...

        We are fundamentally mis-handling how we get browser extensions. Google should have no say and no power in this, unless people just happen to think th

    • I would call it clever, but not smart. Normally after abuse of a system which is left open for reasons of trying to be nice. Will tightly close down to more of the Apple Store Model, where these things are checked more thoroughly and rejected.
       

  • Is there a Chrome extension to track shitty adware Chrome extensions?

    "Users also found other Chrome extensions that were also bought by the same company..."

    Or perhaps there's a way we can simply put in a filter and block this particular company...

  • And this is the 21st century version of this movie...

    I wonder if Robert Redford would do a remake.

    And as a dev, would I do it for a million dollars? Hmmm...
  • by mykepredko ( 40154 ) on Friday July 14, 2017 @02:28PM (#54810419) Homepage

    With the NDA, the adware will be blamed on the original developer (whose name would be on the Chrome App Store). I imagine that this could result in some cursing in various forums as well as hurtful ratings on the App Store. The biggest issue that I can see is when the developer is looking for a job; a simple Google search will identify the developer as scum-sucking vermin (or something worse) - with no way of (legally) explaining the situation to the prospective employer.

    So, I would think that the payment must be enough for the developer to live comfortably for the rest of their lives under a new name.

    • With the NDA, we should probably not mention precisely what type of extension was sold, how the transaction went down, and so forth....

    • If the NDA is really that strict then it likely won't be enforceable if they took him to court, which would defeat the purpose of the NDA to start with since now their shenanigans are public records which the app developer can share with everyone.

      • by barc0001 ( 173002 ) on Friday July 14, 2017 @03:11PM (#54810733)

        > If the NDA is really that strict then it likely won't be enforceable if they took him to court

        And therein lies the problem. Sure it's not enforceable but how many developers - especially ones looking for a job like in OPs example - have a bunch of cash they want to burn through to defend themselves in court over it?

        Even an unenforceable NDA has a chilling effect if you can't pay to negate it in court.

        • by Khyber ( 864651 )

          "Even an unenforceable NDA has a chilling effect if you can't pay to negate it in court."

          Go to court. See that little thing on the filing papers where it says "Waive all fees as I cannot afford attorneys or other filing fees, etc."

          Check that little box, prove you can't afford an attorney to the judge, and get the NDA fucked anyways.

          • Of course he got paid a hefty sum in return for that NDA. Are you suggesting that it is a good strategy to deceive the court? You can bet that any attorneys for the scamware company will be eager to call that to the judge's attention.

          • That is one of the stupidest ideas I've heard all year. Your advice is to represent yourself in a contract dispute - which is something 99.999% of the planet is NOT equipped to do. Might as well not waste everyone's time including your own and just get to the penalties phase. That way you can avoid paying court costs.

        • Sure it's not enforceable but how many developers - especially ones looking for a job like in OPs example - have a bunch of cash they want to burn through to defend themselves in court over it?

          Even an unenforceable NDA has a chilling effect if you can't pay to negate it in court.

          This isn't David vs Goliath. The small scam company is even less likely to want to engage in a frivolous lawsuit than the developer wanting to defend it. And given that the story has already come out with exactly the kind of details that you suggest are being sequestered ... well the number is at least 1.

    • with no way of (legally) explaining the situation to the prospective employer.

      You can't NDA yourself in to a position where you are unable to lay correct claim to property. He is likely legally barred from describing the transaction itself, but that's a far step from being barred for saying e.g. "I sold the business to a 3rd party and had nothing to do with the plugin update."

      After all, non-disclosure agreements are non-disclosure agreements. They aren't "lie about ownership" agreements.

      • by mykepredko ( 40154 ) on Friday July 14, 2017 @03:45PM (#54810923) Homepage

        RTFA and look at the Particle extension (https://chrome.google.com/webstore/detail/particle/bpmpggcmojdddlmihdbobccijhkkjpan?hl=en). Still the original author.

        I'm pretty sure the NDA says the author IS barred from saying "I sold the business to a 3rd party and had nothing to do with the plugin update." The individual/company buying the extension want to take advantage of the goodwill the author originally came up with.

        Hopefully, for Aiden, he got enough money to make it worth it.

        • Hopefully, for Aiden, he got enough money to make it worth it.

          And hopefully, for the rest of the world, he gets sued into oblivion or goes to jail for it. If you agree to not disclose the fact that you sold something, that should be an agreement to continue to take legal responsibility for the actions of those you secretly sold to.

        • I'm pretty sure the NDA says the author IS barred from saying "I sold the business to a 3rd party and had nothing to do with the plugin update."

          I'm sure it does say that. However that would make it not legally enforceable. As I said you can't NDA away your ability to lay claim to property. I can't make you sign an NDA that says you're not allowed to tell anyone you no longer own your house after you sell it. There are many things you can try and sign away that legally you can't actually do.

          • barc0001's comment is the best on this thread.

            Maybe they can't, but how many people can afford to defeat their challenge to the legality of what you signed in court?

        • by ChoGGi ( 522069 )

          Well, he already did exactly that (at least on Github)
          https://github.com/ParticleCor... [github.com]

    • So you are not selling your Apps under an 'artists name'?

  • and break his fingers and his knees, and break his nose with a horse shoe
  • There is a certain amount of irony in bleepingcomputer writing about advertising snuck into products when their articles are continually submitted to Slashdot by anonymous users. Coincidence? Pretty unlikely.
  • Says the website giving me all kinds of shitty ads, since selling out, despite paying years ago for the "Disable Advertising" button.

    I Ghostery'd the fucker years ago, but just checked and - yep - ads over all the fucking Slashdot pages.

  • and it didn't take me long to figure out what the guys offering to 'buy' it were planning. They've been doing this for at least the 4 years I've been writing an extension.
    • by ChoGGi ( 522069 )

      Little? I've a FF extension with about six thousand users, and I regularly get these offers as well.

  • Out of nowhere, any site I went to and clicked anywhere on the page would open popups and other webpages.. I narrowed it down to my video downloader extension. Seems these guys are on a crusade to buy up a lot of them.
  • The original developer signed an NDA and could not talk about it.

    Let us say his computer gets hacked and some unknown third party finds all the dirty laundry. And this hacker blabs all over the media about the deal. Now the original developer is not responsible for the behavior of the hacker right? She/He is also a victim of the hacker. If the original developer is able to show that she/he was not negligent then she/he is off the hook.

    I am not suggesting the original hacker to leak all information and bla

  • by sexconker ( 1179573 ) on Friday July 14, 2017 @04:10PM (#54811059)

    This is why you turn auto update OFF for apps and plugins.
    Let shit notify you that updates are available. But don't let shit automatically apply them.

    • This is just one of the many reasons why you don't use Chrome as your primary browser. Firefox has had Mozilla-signed extensions for year(s) now to protect the non-developers.

  • by johanw ( 1001493 ) on Friday July 14, 2017 @04:11PM (#54811065)

    I suddenly saw that my favorite simple calculator app was bought by some (Austrian I think) company who added some caller ID spyware in it. Fortunately I kept the apk of an older version around. When I researched I found out this shit company (Appsbuyout) does this with more apps.

    • This kind of thing is fraud, and it is high time that any developer or company that buys the developer or an app needs to be held to account, criminally (i.e. PMITA prison time) for the practice of selling an app, then updating it later removing features or adding adware/other unwanted shit not in the original app that you bought.

      It is like buying a car, and then when you take it in for an oil change the dealer rips out the seats and replaces them with lawn chairs while selling the seats to a third party. I

  • The links to the Chrome Store mentioned in the summary seem to be dead now.

  • by Balthisar ( 649688 ) on Friday July 14, 2017 @04:52PM (#54811251) Homepage

    Here's a story from 2014 [latimes.com] about the same thing. I got bit by this bogus behavior around this time, too. I can't remember what the extension was, but whatever it was was something very useful that I probably don't miss now that I can't remember it.

  • Been happening for a while now, which is why I went plugin agnostic with only big names not expected to sellout anytime soon.

  • "The original dev says he gave them a high price, but the company agreed to pay right away, but only after the dev signed a non-disclosure agreement preventing him from talking about the company or the transaction. "

    Trouble?

  • Chrome does not allow you to disable updates, it doesn't even notify you of extension updates.
    Then it is clear, why people buy addons to buy userbases. You can push whatever code you want to the users. Be glad, they didn't replace your banking site with some phishing website.
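
Several comments above turn on the fact that an extension update arrives silently with whatever the new owner ships. The following is an added example, not part of the original thread and not code from any extension named in the story: a Node.js check that compares the manifest of an installed version with the manifest of a pending update and holds the update for manual review when it asks for new API permissions or wider site access. It assumes the Manifest V2 layout; the two manifests and every function name are constructed for illustration.

```javascript
// Constructed sample manifests (Manifest V2 layout). These are NOT the real
// manifests of any extension mentioned in the story.
const OLD_MANIFEST = {
  name: 'Example YouTube Tweaker',
  version: '1.4.0',
  permissions: ['storage', '*://*.youtube.com/*'],
  content_scripts: [{ matches: ['*://*.youtube.com/*'], js: ['ui.js'] }],
};

const NEW_MANIFEST = {
  name: 'Example YouTube Tweaker',
  version: '1.5.0',
  permissions: ['storage', 'webRequest', '*://*.youtube.com/*', '<all_urls>'],
  content_scripts: [
    { matches: ['*://*.youtube.com/*'], js: ['ui.js'] },
    { matches: ['*://*/*'], js: ['vendor.js'], run_at: 'document_start' },
  ],
};

// In MV2 the "permissions" array mixes API names and host match patterns.
function isHostPattern(p) {
  return p === '<all_urls>' || p.includes('://');
}

// A pattern is "broad" when its host part is a bare wildcard (every site).
function isBroad(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Gather everything in a manifest that grants reach into pages or browser APIs.
// optional_permissions are counted too: they can be requested later at runtime.
function collect(manifest) {
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  const matches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return {
    api: new Set(perms.filter((p) => !isHostPattern(p))),
    hosts: new Set(perms.filter(isHostPattern)),
    scriptMatches: new Set(matches),
  };
}

// Items present after the update that were absent before it.
function added(before, after) {
  return [...after].filter((x) => !before.has(x)).sort();
}

function reviewUpdate(oldManifest, newManifest) {
  const a = collect(oldManifest);
  const b = collect(newManifest);
  const report = {
    from: oldManifest.version,
    to: newManifest.version,
    addedApiPermissions: added(a.api, b.api),
    addedHostPermissions: added(a.hosts, b.hosts),
    addedContentScriptMatches: added(a.scriptMatches, b.scriptMatches),
  };
  report.newlyBroad = [
    ...report.addedHostPermissions,
    ...report.addedContentScriptMatches,
  ].filter(isBroad);
  // Any growth in reach is enough to stop and read the update's code first.
  report.holdForReview =
    report.addedApiPermissions.length > 0 ||
    report.addedHostPermissions.length > 0 ||
    report.addedContentScriptMatches.length > 0;
  return report;
}

console.log(JSON.stringify(reviewUpdate(OLD_MANIFEST, NEW_MANIFEST), null, 2));
```

An unchanged manifest does not mean unchanged code: an update can alter scripts that already run on the sites the extension was granted, so this check only catches updates that widen their reach.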
