Rendered at 20:15:25 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
drunkendog 21 hours ago [-]
From the author on HN a couple years ago:
> FWIW, and since a few of you probably use it… I own the JSON Formatter extension [0], which I created and open-sourced 12 years ago and have maintained [1] ever since, with 2 million users today. And I solemnly swear that I will never add any code that sends any data anywhere, nor let it fall into the hands of anyone else who would.
I’ve been emailed several tempting cash offers from shady people who presumably want to steal everyone’s data or worse. I sometimes wish I had never put my name on it so I could just take the money without harming my reputation, but I did, so I’m stuck with being honourable. On the plus side I will always be able to say that I never sold out.
You either die a hero, or live long enough to become a villain.
18 hours ago [-]
IncreasePosts 15 hours ago [-]
Or he just got hacked
helsinkiandrew 6 hours ago [-]
From the github readme:
> I am no longer developing JSON Formatter as an open source project. I'm moving to a closed-source, commercial model in order to build a more comprehensive API-browsing tool with premium features.
smrtinsert 2 hours ago [-]
The cost of building your own tool here is practically 0 these days. Why even bother trusting another party at all.
gaythread 44 minutes ago [-]
[flagged]
lofaszvanitt 16 hours ago [-]
That was the sales pitch. And it worked.
Well, all the big tech corps done the same. Nothing to see here. OSS needs proper funding infrastructure. Which all the big players shit on. So, I can't judge him on that. His work, his time.
oefrha 15 hours ago [-]
I’ve made quite popular FOSS dev tools and FOSS gaming companion tools. I don’t nag for donations in any case. Rather ironically, I found that dev tools generated close to zero donations while gaming companion tools generated decent donations (still nowhere close to time I put in if I go by consulting rate, but that wasn’t the goal). Devs just take other devs’ free work for granted. And bitch the most when you try to make money off free work too (not that I ever added or will add ads to any of my hobby work).
lofaszvanitt 13 hours ago [-]
Exactly. The cultists are the loudest and at the same time wonder why Linux UI/UX and its apps is still subpar and why MacOS, where asking money for stuff is normal, has quite decent tooling that make your life much easier.
At the end of the day the small amounts are the real thank you and biggest driver for the work you put into something.
matheusmoreira 5 hours ago [-]
> At the end of the day the small amounts are the real thank you and biggest driver for the work you put into something.
I wouldn't say it's the biggest driver but it did have an unexpectedly big effect.
Once upon a time, I decided to set up sponsorship on my GitHub repositories just because I had nothing to lose by doing so. Went about doing my thing, then someone posted it here and suddenly I had a sponsor.
It's not even close to paying my bills, and looking up the top projects in sponsorship revenue quickly disabused me of any notions of sponsored full time work. It still felt really nice that someone out there cared enough about my work to send me money.
> I sometimes wish I had never put my name on it so I could just take the money without harming my reputation, but I did, so I’m stuck with being honourable.
This distills down to: "I don't want to be honourable." They signaled right from the beginning.
> Give Freely is not spyware/adware or any kind of 'scam'. It's an optional donation appeal that asks you (if you happen to visit a retailer which happens to be a Give Freely partner) to click a button to donate unclaimed affiliate fees, with most of the money going to Code.org or another charity of your choice. I've met the Give Freely team and trust them. It does not collect any PII or browsing activity, and it doesn't overwrite other affiliate/voucher codes so it never costs you anything. If you find the donation popup too intrusive/annoying you can disable it forever in the extension options, or in the donation popup itself.
> Code.org is a good cause that's relevant to a lot of the same people who use this extension regularly, and clicking a Give Freely donate button is a genuinely free and anonymous way to show your support for both, if you want to. If you don't like it you can turn it off, or if it makes you more comfortable you can switch to JSON Formatter Classic, which has no Give Freely code and corresponds with the v0.8 branch in my archived json-formatter GitHub repo. Or try one of the many forks or alternatives available on the store.
Regardless of the intent, it was poorly executed and highlights security gaps inherent in the distribution model of browser extensions.
jimrandomh 22 hours ago [-]
I think the main problem here is the ideology of software updating. Updates represent a tradeoff: On one hand there might be security vulnerabilities that need an update to fix, and developers don't want to receive bug reports or maintain server infrastructure for obsolete versions. On the other hand, the developer might make decisions users don't want, or turn even temporarily (as in a supply chain attack) or permanently (as in selling off control of a browser extension).
In the case of small browser extensions from individual developers, I think the tradeoff is such that you should basically never allow auto-updating. Unfortunately Google runs a Chrome extension marketplace that doesn't work that way, and worse, Google's other business gives them an ideology that doesn't let them recognize that turning into adware is a transgression that should lead to being kicked out of their store. I think that other than a small number of high-visibility long-established extensions, you should basically never install anything from there, and if you want a browser extension you should download its source code and install it locally as an unpacked extension.
(Firefox's extension marketplace is less bad, but tragically, Firefox doesn't allow you to bypass its marketplace and load extensions that you build from source yourself.)
efskap 17 hours ago [-]
>Firefox doesn't allow you to bypass its marketplace and load extensions that you build from source yourself
It's less than ideal but you can 1) load extensions temporarily in about:debugging, 2) turn off xpinstall.signatures.required in nightly or dev edition to install them for good or 3) sign on addons.mozilla.org without publishing to the marketplace.
userbinator 14 hours ago [-]
Or 4) patch the checks out yourself. As they say, "Firefox is open-source for a reason."
ozim 14 hours ago [-]
It might actually be something I would do especially as I could probably vibe code and vibe build it.
Will see if I get time to do so.
babuskov 13 hours ago [-]
If the extension does something that isn't changing, like JSON Formatting, I guess it's best to disable updates right after you install it.
I just did this for all extensions I have in Firefox. Not sure about extensions like uBlock though? Doesn't it fetch new lists of sites to block or something like that? Or is that done separately from updates?
16 hours ago [-]
grishka 16 hours ago [-]
For me, the solution is simple: anything you download and run locally should not auto-update ever, period. Installing an update (or refusing one) should always be a conscious user action. Otherwise it's just a socially-accepted RCE backdoor.
duskdozer 6 hours ago [-]
Even without that, I can't afford to deal with the constant churn of UI changes and feature deprecation
MyUltiDev 4 hours ago [-]
The thing that bothers me most about this story is that the binary on the Chrome Web Store and the public source on the repo have no enforced relationship at all. The store accepts a packaged extension and trusts the developer to say it matches the public code. I tried to reproduce the published build for a few extensions I actually depend on, and in most cases I could not, even when the maintainer was clearly acting in good faith. Firefox AMO at least asks for source and runs a diff against a clean build before they let it through, Chrome does not. If reproducible builds plus a signed attestation tying a store version to a commit are not the right answer here, what would actually catch the silent pivot from benign to malicious before users start getting injected ads?
jkl5xx 1 days ago [-]
Noticed a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa in the chrome inspector today.
Turns out about a month ago, the popular open source [JSON Formatter chrome extension](https://chromewebstore.google.com/detail/json-formatter/bcji...) went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.
I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.
At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.
Animats 23 hours ago [-]
It's OK to inject ads, but not OK to remove them, under Google's current policies.
I think you may have been confused about the Manifest V3 API changes, which were controversial because they didn't support every feature of the old API. The mainstream ad blockers all wrote new versions for Manifest V3.
teruakohatu 21 hours ago [-]
It is widely known that Manifest V3 reduces extensions ability to perform SoTA ad blocking. It limits heuristic based filtering, under a guise of privacy.
armadyl 14 hours ago [-]
It was more of a security related change. MV3 overall objectively is far better for browser security than MV2. MV2 was essentially giving extensions a full on free RCE pathway. MV3 is what it should’ve been from the start imo.
pfg_ 5 minutes ago [-]
MV3 still allows you to run content scripts, which can inject any javascript into any webpage. From there, you can do anything you want. You can steal passwords, tokens, show popups, redirect, ... etc. Preventing extensions from dynamically modifying network requests doesn't change that.
Legend2440 23 hours ago [-]
Well no, actually. Both halves of that statement are false.
Injecting ads will get you removed from the extension store if caught, while adblockers are advertised on the front page of the store.
Animats 23 hours ago [-]
Google's "Manifest 3" rules, vs. ad blocking, in Ars Technica.[1]
Did the JSON formatter with ads get kicked out of the extension store yet?
Manifest 3 explicitly enables ad blocking through the declarativeNetRequest API. It's trivial to do so, and many blockers exist in the Chrome Web Store.
FergusArgyll 21 hours ago [-]
ublock origin light is featured in the chrome web store.
eviks 17 hours ago [-]
But it isn't as featureful!
Legend2440 23 hours ago [-]
Everybody freaked out about Manifest v3, but I'm running Chrome + uBlock and still not seeing any ads. Seems like a nothingburger to me.
Ygg2 10 hours ago [-]
Water is merely 49C, said the frog. It's not even 100C. I'll stay.
Google really is slow boiling Internet until everyone forgets you can have stuff without ads.
munificent 1 days ago [-]
> I feel like browser extension marketplaces are a failed experiment.
People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.
The degree to which they are successful at that and add enough value to overcome the downsides is an open question. But it's clear that in a world where everyone is running hundreds of pieces of software that have auto-update functionality built in and unfettered access to CPU power and the Internet, uncontrolled app stores a honeypot for malicious actors.
jabwd 23 hours ago [-]
This also ignores that mobile phones are now being used as an effective botnet. Just gotta get some poor devs to include your SDK and off you go.
AI companies make use of these botnets quite a bit as well. Why don't we hear more about it? because it is really really really hard to inspect what is actually happening on your phone. This post actually kinda disproves that the closed rent seeking model is better in any way.
josephcsible 24 hours ago [-]
> People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.
But browser extension marketplaces aren't a free-for-all; they're exactly like the platform app stores in all the bad ways.
eviks 17 hours ago [-]
> that have auto-update functionality built in
The vendors are the ones who built it in!
anonymous908213 23 hours ago [-]
Whatever value they provide is completely and totally irrelevant compared to giving Microsoft, Google, and Apple the unilateral discretion to end any software developer's career, or any software development business, by locking them out of deploying software with no recourse. Nobody has a problem with optional value-add stores, but all three have or are moving towards having complete control of software distribution on the hardware platforms used by billions of people.
hn_throwaway_99 1 days ago [-]
Thanks for posting this. I think it's such a shitty thing to do. I don't have much of a problem if an original author wanted to do a closed fork of an open source project, but to start injecting ads, without warning, to folks who have already installed your generic JSON formatter and phrase it as "I'm moving to a closed-source, commercial model in order to build a more comprehensive API-browsing tool with premium features." - seriously, f' off.
I agree that browser extension marketplaces are a failed experiment at this point. I used to run security an a fin services company, and our primary app had very strict Content Security Policy rules. We would get tons of notifications to our report-uri endpoint all the time from folks who had installed extensions that were doing lots of nefarious things.
braebo 1 days ago [-]
We could use llms to scan source code and list all of the behavior not listed in the extensions page, like adware and geolocation tracking for example. Then another LLM locally to disable it and warn you with a message explaining the situation.
j1elo 22 hours ago [-]
> went closed source and started injecting adware into checkout pages ... [and] geolocation tracking.
Maybe we should resort to blame and shame publicly this sort of actions. DDoS their servers, fill their inbox with spam, review-bomb anything they do. Public court justice a la 4chan trolling. Selling out is a lawful decision, of course, but there is no reason it shouldn't come with a price tag of becoming publicly hated. In fact, it might help people who are on the verge to stay on the ethical side of things (very ironically).
I'm just kinda joking (but wouldn't hate it if I was rugpulled and the person that did it got such treatment)
pigpop 22 hours ago [-]
Calm down, just spreading the word that the extension is adware and having everyone uninstall it is sufficient to demonstrate that this move was a mistake. Trying to ruin someone's life is going completely overboard. Repercussions should be proportionate, you don't shoot people for stealing a candy bar.
jkl5xx 17 hours ago [-]
Agreed. Times are tough. Open source is under-appreciated. People are going to crack and slip up like this. We’re only human.
fg137 1 days ago [-]
How did you "notice" a suspicious element in the inspector? Do you routinely look at the DOM?
jkl5xx 23 hours ago [-]
I did webdev for a long time, so yeah. If you want the story, I was looking into guix on asahi and ended up on https://www.asahi-guix.org/ which didn’t load anything, so I checked the page source and noticed the element.
fg137 21 hours ago [-]
Thanks. Not sure what's with the downvotes. That was a genuine question.
(I used to do a lot of web development and probably know dev tools better than most people here. However I almost never look at the DOM of a webpage I don't own)
hn_throwaway_99 19 hours ago [-]
Text doesn't transmit tone well. FWIW I interpreted your comment as having somewhat accusatory intent, especially the scare-quoted "notice", for implying the author didn't just happen along his discovery and that he wasn't being fully truthful in his explanation of how he discovered this info.
leptons 17 hours ago [-]
I frequently look at the DOM of webpages, so that I can bend them to my will.
There's always some things about practically all websites are frustrating. I fix that with custom CSS and/or Javascript that runs when I load specific sites that I use frequently. I can turn a cluttered site into a streamlined site for my needs. I also block a lot of ads, popups and other annoyances this way.
duskdozer 6 hours ago [-]
Oh there's another. The web is so miserable nowadays, I waste so much time on this. You don't happen to open source your stuff do you?
madeofpalk 23 hours ago [-]
I do. Then again, I’m a web developer so looking at the DOM is my day job.
dgb23 14 hours ago [-]
I just imagined that this was an exclusive statement.
„What do you do all day?“
„Looking at the DOM. Currently there are too many divs, but the situation seems fine.“
falcor84 7 hours ago [-]
I was sure you're going to take it in the direction of the relevant xkcd [0], so was taken aback that you didn't end it with something like "but today the pattern of divs is all wrong".
Reading other comments, I noticed that this was a legitimate question.
Dylan16807 19 hours ago [-]
Are you saying that [You don't?] is cross-examining/swipe, but [How did you "notice"] isn't?
I wouldn't highly object to either but if I had to pick one I'd definitely clear the former.
IncreasePosts 1 days ago [-]
Agreed with that. My main use of AI is just writing ultra minimal apps that are specifically tailored to my needs, instead of using a larger app(or plugin or whatever) that is controlled by a third party and is usually much more than I need, and doesn't exactly fit my needs, and requires ad hoc configuration.
I'm wondering when/if this is going to bite me in the butt
computerfriend 1 days ago [-]
Interesting that the author, Callum Locke, seems to be a real person with a real reputation to damage. Previously this would have been a trust signal to me, I figured real developers would be less likely to go rogue given the consequences.
extesy 23 hours ago [-]
Depends on the personal situation. An extension with 2 million users can generate a very meaningful revenue. My extension has only 300k users, but offers that I received over years [0] would have been significant in some lower-income country.
For example, your income for the 10k users will be ~ $ 1000 per month, users 20k ~ $ 2000 per month… 100к users ~10 000 $, and so on.
ARPDAU (Average Revenue Per Daily Active User) basis - In average we have $0.007-0.011/user, US is $0.018.
onion2k 18 hours ago [-]
Surely it's reasonable to assume that a company doing some dubious 'marketing intelligence' scraping of people's data from a Chrome plugin is going to both inflate the numbers they put in offers and try to scam their way out of paying if you actually accept. I wouldn't consider them real offers. They're marketing. The real world payments, if you get them, would be lower.
ayewo 23 hours ago [-]
The tempation is quite strong, especially for popular extensions
Here's what it can look like to an author of a popular extension:
Browser extension maintainers routinely get contacted by more or less shady directions. This is likely a case of maintainer selling out after getting a good offer.
username223 20 hours ago [-]
Well, Callum Locke has certainly torched his reputation. Not “spreading Santorum” level… yet.
wnevets 18 hours ago [-]
Google spent all that time pushing Manifest V3 but does little to prevent this, and in some cases even encourages it. [1]
> To provide a more tangible example, Chrome Web Store currently has Blaze VPN, Safum VPN and Snap VPN extensions carry the “Featured” badge. These extensions (along with Ishaan VPN which has barely any users) belong to the PDF Toolbox cluster which produced malicious extensions in the past. A cursory code inspection reveals that all four are identical and in fact clones of Nucleus VPN which was removed from Chrome Web Store in 2021. And they also don’t even work, no connections succeed. The extension not working is something users of Nucleus VPN complained about already, a fact that the extension compensated with fake reviews.
The same thing happened to ModHeader https://chromewebstore.google.com/detail/modheader-modify-ht... -- they started adding ads to every google search results page I loaded, linking to their own ad network. Took me weeks to figure out what was going on. I uninstalled it immediately and sent a report to Google, but the extension is still up and is still getting 1 star reviews.
Extensions which ask for all URLs should really be subjected to more thorough reviews.
andrei_says_ 2 hours ago [-]
I wonder if there’s a central repository of now exploited chrome extensions?
The chrome team does not seem to see security as a high enough priority.
beej71 15 hours ago [-]
I use FF, but it seems like something Claude should be able to whip up... There we go. Took two attempts, but I basically told it to make something like FF's JSON formatter, and it did.
I won't share it because I'm sure it leaves much to be desired (and you can recreate it in 2 minutes), but it makes me wonder how much room there is for rugpulls like this when people can just replace the tech with something that doesn't have adrot.
captn3m0 1 days ago [-]
The JSONView extension on Firefox was targeted a while ago. (2017?)
I only found out because Mozilla forced an uninstall with a warning and then I had to go down Bugzilla to find the impact (it leaked browser visit URLs).
jansommer 1 days ago [-]
Guy talks about switching to the "Classic" version if
> you just want a simple, open source, local-only JSON-formatting extension that won't receive updates.
Wow that sounds like a tough choice. JSON formatting is moving at such a fast pase that I don't know if I should pay a JSON formatting SaaS a monthly subscription, or if I really can live without updates.
panstromek 1 days ago [-]
Depends on how many JSON tokens you need to format. I recommend getting JSON ForMAX+ with 200k tokens and 100k sign in bonus.
brianmcnulty 24 hours ago [-]
I heard that JWTs are 5x the price of JSON tokens but only 3x if you have JSON ForULTRA+ (new) (for work or school).
panstromek 11 hours ago [-]
That makes sense, because JWT is base64 encoded, and those base64 tokens are bigger and more expensive. JWT has 3 parts, so it's 3x more expensive, obviously.
smallmancontrov 23 hours ago [-]
The more you buy, the more you save!
hamdingers 23 hours ago [-]
Legally speaking that's for entertainment purposes only
cyanydeez 22 hours ago [-]
You have to add the final "]" or "}" yourself but json strings are free!
cookiengineer 21 hours ago [-]
I just bought 30.000 JWT
HODL
henry2023 22 hours ago [-]
Fortunately, Microsoft C# Copilot 2 Pro is already bundled with JSON forULTRA+ for free. (Not to be confused with Microsoft C# Copilot Pro)
SV_BubbleTime 6 minutes ago [-]
Are you talking about the Copilot 2 Legacy But Also Preview version? Because my TPM module’s circuit board orientation doesn’t support that yet.
endofreach 23 hours ago [-]
Lol. I mean what the hell is this. I have this weird feeling this guy got tricked by an LLM into thinking this move is smart... "what you've built is not just a json formatter, it's the next big...".
I mean good luck to that guy. Everyone should have a shot at turning his free work into something worth it. I think i've been using that extension as well. But yeah, i never cared enough to know if it was this one. But i do hope there are others who did & he can surprise me and turn this user base into customers of a commercial product. If he pulls that of, i'd be truly impressed.
arikrahman 23 hours ago [-]
I what feature can even be added to the product that won't be immediately replicated in a fork?
mirekrusin 22 hours ago [-]
Nobody knows what but everybody knows they won't be replicated.
Chat with your json?
Facebook but for jsons?
Send json to blockchain?
It's so bad that it's exciting, can't wait for an update.
caseyohara 20 hours ago [-]
It will certainly involve AI somehow.
bicx 20 hours ago [-]
Going to have a chat with our JSON Engineers to see what our best move might be. It might be worth the adware if we can keep JSONing.
voodoo_child 23 hours ago [-]
Big-JSON is coming for us
stefan_ 7 hours ago [-]
It really is dramatic. The author wrote a very moving paragraph on his hard life as the maintainer of the JSON formatting experience. Someone up top pitched in on the dire state of the "OSS ecosystem".
I just hope the authors of the "Go Back With Backspace" extension (now in version 3.0) I critically rely on ever since Chrome sold out will not betray me. It needs access to all sites, which as someone above mentioned is because of the great design of the new Extension Manifest API thingy.
pfg_ 21 hours ago [-]
Firefox has this ability by default and I find it very useful. And it will never get sold to some random person to be replaced with adware.
jmuguy 1 days ago [-]
I actively try to get coworkers to audit, remove and work without browser extensions. Google and Firefox clearly do not care to spend even a modicum of effort to police their marketplaces. There's only a few I would trust and assume all others to be malware now or at some point in the future.
charlieyu1 8 hours ago [-]
I removed most of them now, but it is a pain to work without a dark reader or a Google results remover.
pnw 19 hours ago [-]
They responded on the Chrome store.
Hey William, thanks for flagging this! We were experimenting with analytics to help us identify crashes and improve stability. We've rolled this back in v2.1.17, which is now live and being rolled out. Going forward, we'll ensure any analytics collection is clearly disclosed. Thanks again!
I was approached twice to add « a search and tracking script » to my 35k+ user-based extension.
Now I know what would have happened if I had accepted.
danelliot 20 hours ago [-]
[dead]
ernsheong 16 hours ago [-]
A decent JSON formatter should really ship natively in the browser as well.
hmry 15 hours ago [-]
Agreed. Firefox ships with one, and it's very useful.
1f60c 9 hours ago [-]
Is this the extension that Arc installs when you open DevTools? Not great...
ggregoire 18 hours ago [-]
It's quite remarkable that a chrome extension can just update overnight and start injecting adware (or worse) and not a single warning from chrome. I shouldn't have to read hackernews to find out.
donatj 17 hours ago [-]
The number of offer emails I have gotten for my Chrome extension is wild, and I've only got a little over 100 installs. I'm honestly surprised this is not more common.
hybirdss 20 hours ago [-]
just went through all my github actions and pinned them to commit SHAs after reading this. same problem — if someone pushes to @main your CI blindly runs it.
auto-update anything is basically handing someone a key to your house and hoping they stay nice forever
eviks 17 hours ago [-]
Fyi you can add zizmor that warns about things like this and add a repo config that futures shas so that a mistake can't happen in the future (but not sure if you can have the setting globally)
eviks 17 hours ago [-]
If only we had any competent gardeners in all these app gardens...
binaryturtle 1 days ago [-]
I guess you really need to unpack each and every extensions before installation and carefully inspect the code manually to see if it only would be doing what the extensions is advertising.
Darn…
and I thought that the JSLibCache extension was forcing every site into UTF-8 mode (even those that need to run with a legacy codepage) was a critical issue. A problem I encountered yesterday… took me a while to figure out too.
duskdozer 6 hours ago [-]
A lot of extensions are simple enough you can write your own *monkey user js
vadansky 23 hours ago [-]
Or just use it as an example to vibecode your own. Extension laundering through vibecoding.
KaiLetov 15 hours ago [-]
The extensions marketplace is designed like a trust-based system where trust has a known expiration date. We keep acting surprised when it expires.
jongjong 6 hours ago [-]
I feel like this is a trend. A few months ago, my phone was hacked because I was using a free QR code scanner app which I'd been using for like 5 years without issue.
It was an effective hack. I'd wasted 3+ hours jumping through hoops to get access to some basic service and was running into one hurdle after another... Then I got to a point that I wanted to scan a QR code from an old screenshot and so I opened my trusty QR code app to navigate to the website but when I opened the app; it wouldn't let me scan as usual; instead, there was a legit-looking update button on the page saying I needed to update the app; it was shown as part of the app interface itself (not some side ad). After 3 hours of running into a deep recursive rabbit hole with one hurdle after another, I was at my wit's end... I needed to read that QR code NOW! This was one hurdle too many which I didn't have the energy to even think about! I was too busy thinking about the other 4 layers of nested issues which I was trying to unwind myself out of! And so my muscle memory kicked in and hit the update button! Then BAM! Even before my system 2 thinking kicked in (to remind me that updates should be done through the app store), within a second or two, a message flashed on the screen and I knew my phone had been hacked. I noticed later that I received a whole bunch of extortion emails.
Thankfully, I never put anything sensitive on my phone. I treat it as a public space. I wasn't logged into any session on any app at the time. I immediately did a factory reset of my phone and changed all my passwords just in case. But damn, that was an effective hack! I trusted this app for 5 years and it betrayed me in a fraction of a second! This was surprising for me as I'd never been hacked before. It showed me how even someone who fully understands the tech can be hacked if caught at the right time in the right situation.
tadfisher 1 days ago [-]
WebExtension permissions are fucking broken if the set of permissions necessary to reformat and style JSON snippets is sufficient to inject network-capable Javascript code into any page.
If basically any worthwhile extension can be silently updated to inject <script> tags anywhere, then it's time to call this a failed experiment and move on. Bake UBlock and password-management APIs into the browser. Stop the madness.
strictnein 24 hours ago [-]
Been researching extensions for a while now at the day job and I'm preparing some disclosures to the major browser vendors.
The amount of absolute clusterfuckery in browser extensions is endless. One of the biggest issues is with how extensions define their permissions and capabilities in their manfiest.json files. I've reviewed thousands of these now, and probably only 5-10% of extensions actually get it right. There are just so many confusing and overlapping permissions, capabilities, etc.
It is a failed experiment, but I don't think Google can just shut it off, because of their market dominance. They'd be disconnecting some of their competitors from their users. They need to move to an updated manifest spec that is (more) secure by default, has fewer footguns, etc.
madeofpalk 21 hours ago [-]
> They need to move to an updated manifest spec that is (more) secure by default, has fewer footguns, etc.
They tried to do this and people got very upset at them trying to kill adblockers.
maxloh 23 hours ago [-]
For context, the latest version of extension spec (Manifest V3) is just 1.5 years old. It isn't something old or legacy.
Groxx 1 days ago [-]
- click install
- "It can: Read and change all your data on all websites"
It's not alarming sounding enough for what that implies, but "it can trigger requests under its control" seems fairly obvious from that. The permission it uses to inject ads can be used to inject ads (or block them).
Why a JSON formatter needs any permission at all is something anyone installing it should be asking themselves.
---
This is not meant to imply that I think the permission model of extensions in chrome or firefox is good, clearly it is not. But it's significantly better and more fine-grained than every single other widely-used permissions system in consumer apps. Ideally there should be more carve-outs for safe niches like a "read a JSON file, rewrite it into something that does not need javascript or external resources" could use, but also that kind of thing is likely to be nigh impossible to make "complete".
tadfisher 23 hours ago [-]
"Read and change data on all websites" does not, to me, imply "make network requests on the user's behalf". Yes, I can put on my developer hat and surmise that, under the hood, the extension's injected payload can make network requests by adding <script> elements to the DOM. No user will ever understand this, no matter how much you try to educate them through the permission prompt.
This ends up being significantly worse than any other widely-used permissions system, because injected scripts act as the website, not the extension. If you've already granted location permission to a website, then it is effectively granted to the extension. There is no other ecosystem that works like this.
And to do basically anything worthwhile, including certain types of content blocking, you need this God permission that essentially disables the WebExtension permissions system. This should never have been greenlit in the first place.
Groxx 21 hours ago [-]
>"Read and change data on all websites" does not, to me, imply "make network requests on the user's behalf"
Yeah, I don't like this phrasing either, I think it downplays the risk to a dangerous degree (which is "it can see and do literally anything on any site you visit", which is GIGANTIC). It's one of the worst permissions to request, but it doesn't look like it.
But other permissions systems don't have per-site controls, or the ability to turn things off until activated, or isolate everything, or... the list is huge, others generally have permissions like "can access this folder [and others we haven't told you] [and folders you give it access to, which you can't revoke later https://news.ycombinator.com/item?id=47719602] [and only for applications which opt into this, normal ones can do anything anywhere any time]...." which is much worse.
maxloh 23 hours ago [-]
To install a JSON formatter, you need to grant the following access:
1. Access to the page DOM to read the raw JSON content.
2. Permission to modify the DOM to display the formatted results.
Unfortunately, these requirements necessitate broad host permissions, which allow an extension to inject ads or track user behaviors. There is no alternative way to define a strict security boundary that allows these specific permissions while preventing abuses.
tadfisher 23 hours ago [-]
> There is no alternative way to define a strict security boundary that allows these specific permissions while preventing abuses.
Maybe you're right, and there isn't. Does it not follow that we should probably require extensive review and open-source reproducible builds before allowing any such extension on the browser extension stores?
what 22 hours ago [-]
I’m pretty sure you can setup without broad host permissions, you just probably wouldn’t like it. You’d have to click a button to trigger the behavior, which I think requires you to click another button to approve access. Or configure the extension to allow access to specific domains after install, which will also have a permission prompt.
michaelt 1 days ago [-]
Given that the worlds biggest browser is made by the worlds biggest ad company, the chances it’ll ever bake in a working ad blocker are approximately zero.
SquareWheel 23 hours ago [-]
Chromium does include an ad blocker for "intrusive ads". ie. Those using many resources, flashing, auto-playing sounds, or otherwise behaving badly.
It is closed source because they think people want to buy this?
Isn't this just built in to Firefox and Chrome now?
I mean chrome already lets you preview API calls with pretty print.
I'm confused why this extension still exists I guess, and definitely too spooked out to even bother looking.
gsibble 1 days ago [-]
Is it me or is this happening more and more frequently?
iza 24 hours ago [-]
Maybe but it's always been a problem. I've been receiving offers to monetize or sell my extension for over a decade.
jlarocco 22 hours ago [-]
It seems like it. I just stopped using a "windowed full screen" extension that did this.
ddtaylor 8 hours ago [-]
One more reason to use Linux packages and tools in the repository.
benatkin 16 hours ago [-]
This should be hurting the reputation of Chrome Web Store more than it is hurting the reputation of Open Source browser extensions. It's impossible to keep tabs on all Open Source developers, so a highly trusted platform like Fedora or installing and updating things one by one is needed.
It's far from ideal, but I've been meaning to start using one personal meta-extension so I can have ctrl-d on Grok delete the next character, do my own custom readability overlays, and other stuff that comes to mind. It would have a clear association between sites and customizations, and possibly sandboxed code (e. g. WebAssembly).
lapcat 9 hours ago [-]
> This should be hurting the reputation of Chrome Web Store more than it is hurting the reputation of Open Source browser extensions.
Does the Chrome Web Store have any reputation left at this point? I don't know how much lower its reputation can go.
> FWIW, and since a few of you probably use it… I own the JSON Formatter extension [0], which I created and open-sourced 12 years ago and have maintained [1] ever since, with 2 million users today. And I solemnly swear that I will never add any code that sends any data anywhere, nor let it fall into the hands of anyone else who would. I’ve been emailed several tempting cash offers from shady people who presumably want to steal everyone’s data or worse. I sometimes wish I had never put my name on it so I could just take the money without harming my reputation, but I did, so I’m stuck with being honourable. On the plus side I will always be able to say that I never sold out.
https://news.ycombinator.com/item?id=37067908
> I am no longer developing JSON Formatter as an open source project. I'm moving to a closed-source, commercial model in order to build a more comprehensive API-browsing tool with premium features.
Well, all the big tech corps done the same. Nothing to see here. OSS needs proper funding infrastructure. Which all the big players shit on. So, I can't judge him on that. His work, his time.
At the end of the day the small amounts are the real thank you and biggest driver for the work you put into something.
I wouldn't say it's the biggest driver but it did have an unexpectedly big effect.
Once upon a time, I decided to set up sponsorship on my GitHub repositories just because I had nothing to lose by doing so. Went about doing my thing, then someone posted it here and suddenly I had a sponsor.
It's not even close to paying my bills, and looking up the top projects in sponsorship revenue quickly disabused me of any notions of sponsored full time work. It still felt really nice that someone out there cared enough about my work to send me money.
This distills down to: "I don't want to be honourable." They signaled right from the beginning.
https://chromewebstore.google.com/review-reply/b4a787df-64e5...
> Give Freely is not spyware/adware or any kind of 'scam'. It's an optional donation appeal that asks you (if you happen to visit a retailer which happens to be a Give Freely partner) to click a button to donate unclaimed affiliate fees, with most of the money going to Code.org or another charity of your choice. I've met the Give Freely team and trust them. It does not collect any PII or browsing activity, and it doesn't overwrite other affiliate/voucher codes so it never costs you anything. If you find the donation popup too intrusive/annoying you can disable it forever in the extension options, or in the donation popup itself.
> Code.org is a good cause that's relevant to a lot of the same people who use this extension regularly, and clicking a Give Freely donate button is a genuinely free and anonymous way to show your support for both, if you want to. If you don't like it you can turn it off, or if it makes you more comfortable you can switch to JSON Formatter Classic, which has no Give Freely code and corresponds with the v0.8 branch in my archived json-formatter GitHub repo. Or try one of the many forks or alternatives available on the store.
> JSON Formatter Classic: https://chromewebstore.google.com/detail/json-formatter-clas...
In the case of small browser extensions from individual developers, I think the tradeoff is such that you should basically never allow auto-updating. Unfortunately Google runs a Chrome extension marketplace that doesn't work that way, and worse, Google's other business gives them an ideology that doesn't let them recognize that turning into adware is a transgression that should lead to being kicked out of their store. I think that other than a small number of high-visibility long-established extensions, you should basically never install anything from there, and if you want a browser extension you should download its source code and install it locally as an unpacked extension.
(Firefox's extension marketplace is less bad, but tragically, Firefox doesn't allow you to bypass its marketplace and load extensions that you build from source yourself.)
It's less than ideal but you can 1) load extensions temporarily in about:debugging, 2) turn off xpinstall.signatures.required in nightly or dev edition to install them for good or 3) sign on addons.mozilla.org without publishing to the marketplace.
Will see if I get time to do so.
I just did this for all extensions I have in Firefox. Not sure about extensions like uBlock though? Doesn't it fetch new lists of sites to block or something like that? Or is that done separately from updates?
Turns out about a month ago, the popular open source [JSON Formatter chrome extension](https://chromewebstore.google.com/detail/json-formatter/bcji...) went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.
I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.
At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.
They have an API basically dedicated to this: https://developer.chrome.com/docs/extensions/reference/api/d...
I think you may have been confused about the Manifest V3 API changes, which were controversial because they didn't support every feature of the old API. The mainstream ad blockers all wrote new versions for Manifest V3.
Injecting ads will get you removed from the extension store if caught, while adblockers are advertised on the front page of the store.
Did the JSON formatter with ads get kicked out of the extension store yet?
[1] https://arstechnica.com/gadgets/2024/08/chromes-manifest-v3-...
Google really is slow boiling Internet until everyone forgets you can have stuff without ads.
People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.
The degree to which they are successful at that and add enough value to overcome the downsides is an open question. But it's clear that in a world where everyone is running hundreds of pieces of software that have auto-update functionality built in and unfettered access to CPU power and the Internet, uncontrolled app stores a honeypot for malicious actors.
AI companies make use of these botnets quite a bit as well. Why don't we hear more about it? because it is really really really hard to inspect what is actually happening on your phone. This post actually kinda disproves that the closed rent seeking model is better in any way.
But browser extension marketplaces aren't a free-for-all; they're exactly like the platform app stores in all the bad ways.
The vendors are the ones who built it in!
I agree that browser extension marketplaces are a failed experiment at this point. I used to run security an a fin services company, and our primary app had very strict Content Security Policy rules. We would get tons of notifications to our report-uri endpoint all the time from folks who had installed extensions that were doing lots of nefarious things.
Maybe we should resort to blame and shame publicly this sort of actions. DDoS their servers, fill their inbox with spam, review-bomb anything they do. Public court justice a la 4chan trolling. Selling out is a lawful decision, of course, but there is no reason it shouldn't come with a price tag of becoming publicly hated. In fact, it might help people who are on the verge to stay on the ethical side of things (very ironically).
I'm just kinda joking (but wouldn't hate it if I was rugpulled and the person that did it got such treatment)
(I used to do a lot of web development and probably know dev tools better than most people here. However I almost never look at the DOM of a webpage I don't own)
There's always some things about practically all websites are frustrating. I fix that with custom CSS and/or Javascript that runs when I load specific sites that I use frequently. I can turn a cluttered site into a streamlined site for my needs. I also block a lot of ads, popups and other annoyances this way.
„What do you do all day?“
„Looking at the DOM. Currently there are too many divs, but the situation seems fine.“
[0] https://xkcd.com/722/
You don't?
https://news.ycombinator.com/newsguidelines.html
Reading other comments, I noticed that this was a legitimate question.
I wouldn't highly object to either but if I had to pick one I'd definitely clear the former.
I'm wondering when/if this is going to bite me in the butt
[0] https://github.com/extesy/hoverzoom/discussions/670
Here's what it can look like to an author of a popular extension:
https://github.com/extesy/hoverzoom/discussions/670
> To provide a more tangible example, Chrome Web Store currently has Blaze VPN, Safum VPN and Snap VPN extensions carry the “Featured” badge. These extensions (along with Ishaan VPN which has barely any users) belong to the PDF Toolbox cluster which produced malicious extensions in the past. A cursory code inspection reveals that all four are identical and in fact clones of Nucleus VPN which was removed from Chrome Web Store in 2021. And they also don’t even work, no connections succeed. The extension not working is something users of Nucleus VPN complained about already, a fact that the extension compensated with fake reviews.
[1] https://palant.info/2025/01/13/chrome-web-store-is-a-mess/
https://github.com/wesbos/JSON-Alexander
https://github.com/callumlocke/json-formatter/commit/caa213d...
Someone on Twitter noticed it pretty quickly, considering:
https://twitter.com/devinsays/status/2012195612586914143?mx=...
Extensions which ask for all URLs should really be subjected to more thorough reviews.
The chrome team does not seem to see security as a high enough priority.
I won't share it because I'm sure it leaves much to be desired (and you can recreate it in 2 minutes), but it makes me wonder how much room there is for rugpulls like this when people can just replace the tech with something that doesn't have adrot.
I only found out because Mozilla forced an uninstall with a warning and then I had to go down Bugzilla to find the impact (it leaked browser visit URLs).
> you just want a simple, open source, local-only JSON-formatting extension that won't receive updates.
Wow that sounds like a tough choice. JSON formatting is moving at such a fast pase that I don't know if I should pay a JSON formatting SaaS a monthly subscription, or if I really can live without updates.
HODL
I mean good luck to that guy. Everyone should have a shot at turning his free work into something worth it. I think i've been using that extension as well. But yeah, i never cared enough to know if it was this one. But i do hope there are others who did & he can surprise me and turn this user base into customers of a commercial product. If he pulls that of, i'd be truly impressed.
Chat with your json?
Facebook but for jsons?
Send json to blockchain?
It's so bad that it's exciting, can't wait for an update.
I just hope the authors of the "Go Back With Backspace" extension (now in version 3.0) I critically rely on ever since Chrome sold out will not betray me. It needs access to all sites, which as someone above mentioned is because of the great design of the new Extension Manifest API thingy.
Hey William, thanks for flagging this! We were experimenting with analytics to help us identify crashes and improve stability. We've rolled this back in v2.1.17, which is now live and being rolled out. Going forward, we'll ensure any analytics collection is clearly disclosed. Thanks again!
https://chromewebstore.google.com/detail/json-formatter/gpmo...
Quarantined - PUP.Optional.Hijacker. C:\USERS*\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BCJINDCCCAAGFPAPJJMAFAPMMGKKHGOA
wondered what the extension was... JSON Formatter
Now I know what would have happened if I had accepted.
Darn…
and I thought that the JSLibCache extension was forcing every site into UTF-8 mode (even those that need to run with a legacy codepage) was a critical issue. A problem I encountered yesterday… took me a while to figure out too.
It was an effective hack. I'd wasted 3+ hours jumping through hoops to get access to some basic service and was running into one hurdle after another... Then I got to a point that I wanted to scan a QR code from an old screenshot and so I opened my trusty QR code app to navigate to the website but when I opened the app; it wouldn't let me scan as usual; instead, there was a legit-looking update button on the page saying I needed to update the app; it was shown as part of the app interface itself (not some side ad). After 3 hours of running into a deep recursive rabbit hole with one hurdle after another, I was at my wit's end... I needed to read that QR code NOW! This was one hurdle too many which I didn't have the energy to even think about! I was too busy thinking about the other 4 layers of nested issues which I was trying to unwind myself out of! And so my muscle memory kicked in and hit the update button! Then BAM! Even before my system 2 thinking kicked in (to remind me that updates should be done through the app store), within a second or two, a message flashed on the screen and I knew my phone had been hacked. I noticed later that I received a whole bunch of extortion emails.
Thankfully, I never put anything sensitive on my phone. I treat it as a public space. I wasn't logged into any session on any app at the time. I immediately did a factory reset of my phone and changed all my passwords just in case. But damn, that was an effective hack! I trusted this app for 5 years and it betrayed me in a fraction of a second! This was surprising for me as I'd never been hacked before. It showed me how even someone who fully understands the tech can be hacked if caught at the right time in the right situation.
If basically any worthwhile extension can be silently updated to inject <script> tags anywhere, then it's time to call this a failed experiment and move on. Bake UBlock and password-management APIs into the browser. Stop the madness.
The amount of absolute clusterfuckery in browser extensions is endless. One of the biggest issues is with how extensions define their permissions and capabilities in their manfiest.json files. I've reviewed thousands of these now, and probably only 5-10% of extensions actually get it right. There are just so many confusing and overlapping permissions, capabilities, etc.
It is a failed experiment, but I don't think Google can just shut it off, because of their market dominance. They'd be disconnecting some of their competitors from their users. They need to move to an updated manifest spec that is (more) secure by default, has fewer footguns, etc.
They tried to do this and people got very upset at them trying to kill adblockers.
- "It can: Read and change all your data on all websites"
It's not alarming sounding enough for what that implies, but "it can trigger requests under its control" seems fairly obvious from that. The permission it uses to inject ads can be used to inject ads (or block them).
Why a JSON formatter needs any permission at all is something anyone installing it should be asking themselves.
---
This is not meant to imply that I think the permission model of extensions in chrome or firefox is good, clearly it is not. But it's significantly better and more fine-grained than every single other widely-used permissions system in consumer apps. Ideally there should be more carve-outs for safe niches like a "read a JSON file, rewrite it into something that does not need javascript or external resources" could use, but also that kind of thing is likely to be nigh impossible to make "complete".
This ends up being significantly worse than any other widely-used permissions system, because injected scripts act as the website, not the extension. If you've already granted location permission to a website, then it is effectively granted to the extension. There is no other ecosystem that works like this.
And to do basically anything worthwhile, including certain types of content blocking, you need this God permission that essentially disables the WebExtension permissions system. This should never have been greenlit in the first place.
Yeah, I don't like this phrasing either, I think it downplays the risk to a dangerous degree (which is "it can see and do literally anything on any site you visit", which is GIGANTIC). It's one of the worst permissions to request, but it doesn't look like it.
But other permissions systems don't have per-site controls, or the ability to turn things off until activated, or isolate everything, or... the list is huge, others generally have permissions like "can access this folder [and others we haven't told you] [and folders you give it access to, which you can't revoke later https://news.ycombinator.com/item?id=47719602] [and only for applications which opt into this, normal ones can do anything anywhere any time]...." which is much worse.
1. Access to the page DOM to read the raw JSON content.
2. Permission to modify the DOM to display the formatted results.
Unfortunately, these requirements necessitate broad host permissions, which allow an extension to inject ads or track user behaviors. There is no alternative way to define a strict security boundary that allows these specific permissions while preventing abuses.
Maybe you're right, and there isn't. Does it not follow that we should probably require extensive review and open-source reproducible builds before allowing any such extension on the browser extension stores?
https://support.google.com/chrome/answer/7632919
I'm confused why this extension still exists I guess, and definitely too spooked out to even bother looking.
It's far from ideal, but I've been meaning to start using one personal meta-extension so I can have ctrl-d on Grok delete the next character, do my own custom readability overlays, and other stuff that comes to mind. It would have a clear association between sites and customizations, and possibly sandboxed code (e. g. WebAssembly).
Does the Chrome Web Store have any reputation left at this point? I don't know how much lower its reputation can go.