How hucksters are manipulating Google to promote shady Chrome extensions

1/12/2025 at 2:37:48 PM

I have two Chrome extensions in the store. They're not very popular and are really just features I wanted for my own use. I think I have less than 100 users total.

At least once a week I get emails from people

- offering money to add their "tracking" code

- wanting to purchased the extension outright

What they clearly want is access to my modest install base to push questionable code onto. I certainly am not going for these offers, but I could certainly see someone less financially secure giving in to it, and that scares me a little.

The idea of paid malware insertion in smaller packages is kind of troubling in general. How often just in life in general do we just trust opaque binaries to be clean.

by donatj

1/12/2025 at 5:08:09 PM

> I think I have less than 100 users total.

> At least once a week I get emails from people

My extension (https://chromewebstore.google.com/detail/privornot/fnpgifcbm...) currently says it has ~915 users. Usually the offers I get are in the $100-$200 range, but it's maybe once every 1-2 months I get an offer.

I'm guessing they go by keywords + user count (or something, maybe "last updated" too?) , as my extension is very country and context-specific, and I'm not getting that many offers (thankfully). More people reaching out saying thanks, which are better emails to receive anyways and some asking for the source code, which I'm happy to provide :)

by diggan

1/13/2025 at 5:14:08 AM

They stopped emailing me eventually when I started responding with silly replies, these are some of the emails I got about Control Panel for Twitter (~220,000 users on Chrome):

https://github.com/insin/control-panel-for-twitter/issues/38...

Some of them work in the open, I've had emails from the people behind this scam:

https://palant.info/2024/10/01/lies-damned-lies-and-impact-h...

by insin

1/13/2025 at 5:44:24 AM

Oh man, I loved your work.

by QuinnyPig

1/12/2025 at 5:34:11 PM

That sort of thing is part of my usual spiel against automatic updates in most scenarios (and, when that's hard, pushing back on the reasons why it's hard rather than adding automatic updates):

- What security problems are we trying to prevent with automatic updates? The worst-case would be allowing an untrusted third-party to run arbitrary code on your computer.

- How did we fix it? We allow a different untrusted third-party to run arbitrary code on our computers.

Toss in a healthy dose of developers using "security updates" to enshittify a product, or even just screwing up releases from time to time and introducing more attack vectors than they fixed, and automatic updates don't look very attractive.

by hansvm

1/12/2025 at 2:53:52 PM

Did they seem personalized or do they just mass-mail every developer they can find? 100 users seem very little to go through the trouble of acquiring an extension and then push bad code.

Did they ever give you an idea of what they are ready to pay?

by luckylion

1/12/2025 at 3:07:19 PM

They seem pretty generic, like spray and pray. I am sure they just scrape all the developers details from the Chrome Store and bug them all.

I don't seem to have saved any of them but I do recall one offering me $6,400 for my extension because there was a small voice in the back of my head whispering "that's a lot of money..."

Most of the ones wanting me to install code offer ongoing payments.

by donatj

1/12/2025 at 4:53:30 PM

Thanks, that sounds like a lot of money. I assume they'd start negotiating once you respond and they look into it, I can't see them paying $6-10 per user. At that point, it has to be cheaper to just build extensions and let them gather a few users, right?

Wild market though, and I applaud developers who reject the offers. I'm sure that small voice becomes a lot louder if you built an extension that now has 100k users.

by luckylion

1/12/2025 at 3:12:35 PM

Did you see what the tracking code does? If possible, it'll be useful to get access to this.

by potamic

1/12/2025 at 6:51:20 PM

I am having trouble finding it now but I used to use a Picture in Picture extension that just made the controls more apparent (I use Brave and you have to do a menu dive for it by default). The extension had been featured by google when I added it.

At some point they signed on with a monetization scheme that:

- Redirected you through its sales attribution url any time you accessed a store (which bounced you to the site's front page instead of your search result)

- Rearranged your search results to put its affiliated stores at the top

- Marketed itself mainly to retailers as an ad network with no mention of browser extensions anywhere.

If it werent for the annoying redirect I probably would have never noticed that something was wrong.

by jabroni_salad

1/12/2025 at 9:28:16 PM

...Was it Honey?

by ClassyJacket

1/13/2025 at 12:04:50 AM

Honey is the new Bonzi Buddy

https://en.m.wikipedia.org/wiki/BonziBuddy

by miohtama

1/13/2025 at 1:04:55 AM

Does this make Chrome the new IE4? (Although I guess most web-"devs" nowadays never experienced IE4...)

Why hasn't there been a major data theft yet exploiting the permissiveness of the Chrome extension ecosystem, it's a disaster waiting to happen...

by netsharc

1/12/2025 at 10:25:35 PM

Most of them hijack search results and do cookie stuffing.

by prettyblocks

1/12/2025 at 4:54:58 PM

I also have a really small extension. I also get a lot of emails offering "help" to expand the user base through SEO and marketing.

by emahhh

1/12/2025 at 3:05:18 PM

How much were they offering?

by maxresdefault

1/12/2025 at 3:15:09 PM

They're not really targeting particular extension. Most people probably don't want to sell anyway so they would just waste time. They send email to everyone who have extension and then when any developer replies, only then they decide if they even want to buy. I have extension with 50k installs in last 5 years that has always on full access to visited pages (content script) and they offered $2k.

by dvh

1/12/2025 at 3:49:37 PM

$2k seems abysmally low to throw away your labor of love and compromise your morals. At least in the US

by malfist

1/12/2025 at 3:59:38 PM

you're making some assumptions that every dev has morals, and that some unscrupulous dev didn't build the thing specifically in hopes of getting this offer

by dylan604

1/12/2025 at 7:30:16 PM

Sure, that's possible, and from a cynical perspective seems likely to have happened. But if I was unscrupulous, there seems to be a lot easier paths to money than making a product, offering it for free, and hoping someone will offer to buy it from you to corrupt it.

by malfist

1/12/2025 at 8:29:59 PM

Sure, but this method doesn’t come with risk of criminal charges. This is all legit shady.

by dylan604

1/13/2025 at 6:08:53 PM

This is a worry!

by lazyeye

1/12/2025 at 12:40:23 PM

These rogue extensions are "surreptitiously monetizing web searches" - but doesn't Google conspicuously monetize web searches?

So it seems the Google TOS bans competition in search monetization using their "open source" browser. Isn't it odd that an "open source" browser is apparently designed to provide a monopoly on search monetization by the nice people who give it to you for free?

And being 80% or so of all searches: https://www.statista.com/statistics/216573/worldwide-market-...

It seems like Peter Thiel's claim that google is a search advertising monopoly masquerading as a (competitive, non-monopoly) technology company might be spot on.

by Over2Chars

1/12/2025 at 1:43:12 PM

> Peter Thiel's claim that google is a search advertising monopoly masquerading as a (competitive, non-monopoly) technology company

That's not a very deep insight, it's been pretty obvious since they bought out DoubleClick in 2007.

by grues-dinner

1/12/2025 at 2:18:32 PM

At this point in 2024/25, it's obvious to the point of multiple antitrust lawsuits against Google.

If you want a POV on the most recent one involving Doubleclick, listen to the first part of this podcast with Brian Kelley of App Nexus - a competitor to Google ad tech.

https://m.youtube.com/watch?v=xm8gPuwqFHk

by prasadjoglekar

1/12/2025 at 4:28:12 PM

Don't forget when Google bought Urchin in '05. It's all been a part of the same broad strategy.

by fuzzy_biscuit

1/12/2025 at 2:05:08 PM

I agree, I think it's not a deep insight, but Thiel notes (in his 'zero to one' speech he gave) that Google actively pretends not to be a search advertising monopoly, and instead pretends to be a competitive technology company, in a wide range of technology fields, to "hide" their monopoly.

Thiel is openly advocating monopolies, and says competition is for losers.

I think he's just calling GOOG out for their marketing, and noting their market strategy to deflect attention away from their monopoly.

I, for one, have never heard anyone publicly mention this besides Thiel. Have you?

by Over2Chars

1/12/2025 at 2:20:38 PM

I'm not sure I buy Thiel's argument becuase plenty of their non-search businesses such as Google Cloud, GSuite, Waymo, and Verily have become pretty successful in their own right, and vertical integration is another form of monopoly that tends to cracked down on.

by alephnerd

1/12/2025 at 2:46:43 PM

If I had a monopoly on sugar and traded in silver and healthcare, I would still have a monopoly on sugar.

by whatshisface

1/12/2025 at 3:57:31 PM

Yea but diversification is a critical business strategy not just a marketing ploy

by tsunamifury

1/12/2025 at 4:11:25 PM

Yeah there are far cheaper ways to “distract” from a monopoly than building Waymo from scratch. Alleging that whole project exists only as a smokescreen is pretty conspiratorial thinking.

by brookst

1/12/2025 at 5:08:33 PM

I have had drinks with Peter Thiel. If you force him to answer more than one question about his theories it totally falls apart. Mostly the logic actually goes like this: oh if it doesn’t work I have the money to survive it and you don’t so I still win and claim I was right.

I wish more people understood this.

by tsunamifury

1/13/2025 at 1:10:52 AM

His lack of depth is obvious even from his speeches. He jumps from topic to topic and doesn't develop his ideas or show much internal organization. He has a pithy insight and then bounces to the next topic.

That said, if a 60 minute talk can provide even one useful insight that's useful, I'd say it's a win. And I think his "zero to one" talk had at least two or three.

Honestly, I concluded GOOG was an advertising company pretending to be a "tech" company some time ago, but if I say it I'm a "troll", if Thiel says it, well it might be true, right?

by Over2Chars

1/13/2025 at 6:17:26 PM

Advertising is the highest tech problem you can tackle. It literally is about using compute to bend the will of humans. How do you not get that?

by tsunamifury

1/14/2025 at 12:12:13 AM

If Advertising is the "highest tech problem" that can be tackled, I guess we're in for a rough ride.

I'd assume at least a dozen things are more important than advertising inexpensive Chinese made socks to Americans. But I could be wrong.

If by highest you mean, "most lucrative" then yes, I agree.

by Over2Chars

1/12/2025 at 6:11:31 PM

+1 on this.

Ime he's a walking personification of "jack of all trades, master of none".

That's the perfect trait for a VC (broad knowledge is critical to identify market trends), but it has its flaws such as extreme simplification of complex topics.

That said, you can rightfully argue that this is why you are investing in egghead founders - so they can deal with solving those problems and logic gaps.

by alephnerd

1/13/2025 at 12:22:23 AM

[dead]

by crashabr

1/12/2025 at 2:40:45 PM

Check out the big blue box. I think Thiel's point is spot on:

https://www.statista.com/statistics/1093781/distribution-of-...

by Over2Chars

1/12/2025 at 4:07:11 PM

Vertical integration is very proconsumer as it reduces successive markups.

by wbl

1/12/2025 at 4:13:28 PM

Until they drive competitors out of business, and then it's not. Much like the horizontal integration of, say, Walmart.

by BobaFloutist

1/14/2025 at 2:53:36 PM

When the prices are low it's predatory, the same it's collusion and higher it's exploiting the monopoly.

by wbl

1/12/2025 at 10:34:00 PM

I never had the illusion that Google makes their money from Pixel phones... It was always advertising.

by WeylandYutani

1/13/2025 at 1:07:01 AM

You are keenly insightful in this age of the willingly blind.

Their technology products are free/low cost ways to get you to voluntarily opt in to their surveillance advertising model.

by Over2Chars

1/12/2025 at 2:38:07 PM

I mean… they’re as much search as Amazon is retail, no?

Doesn’t GCP bring in big bucks?

Not to mention gsuite. If your company don’t use Microsoft office they use gsuite.

by dartos

1/12/2025 at 2:40:05 PM

The big blue block is search advertising revenue:

https://www.statista.com/statistics/1093781/distribution-of-...

the much smaller black box is GCP. Much smaller. much much smaller.

by Over2Chars

1/12/2025 at 1:09:53 PM

Small info piece: Chrome isn't open source.

Otherwise I agree (even if it means agreeing with Peter Thiel in this case).

by HeatrayEnjoyer

1/12/2025 at 1:57:53 PM

Well shiver me timbers, if that isn't a hoot.

Maybe my vernacular is off, "source available" ?

ah "licensed freeware"

https://en.wikipedia.org/wiki/Google_Chrome

by Over2Chars

1/12/2025 at 3:53:50 PM

chromium is open source, chrome is chromium + proprietary stuff added on top

by asddubs

1/12/2025 at 3:02:16 PM

99% of its source is open. I wonder what you think of open source applications that make API calls into closed source cloud systems?

by surajrmal

1/13/2025 at 12:29:45 AM

Where does that 99% figure come from?

by thowawatp302

1/13/2025 at 2:12:56 AM

I think it's 100% open source chromium, minus some unknown percentage that's closed source surveillance blobs = ~99%. That's the maths I'm inferring.

by Over2Chars

1/12/2025 at 4:06:28 PM

The competition is a click away.

by wbl

1/12/2025 at 1:50:25 PM

Can you quote the relevant section of the TOS?

by WrongAssumption

1/12/2025 at 1:55:53 PM

I cannot. I am simply paraphrasing the leading sentence:

"The people overseeing the security of Google’s Chrome browser explicitly forbid third-party extension developers from trying to manipulate how the browser extensions they submit are presented in the Chrome Web Store. "

I assumed that this explicit prohibition would be a "TOS". I could be wrong. Maybe it's somewhere else or called something else.

by Over2Chars

1/12/2025 at 7:05:26 PM

Google would prefer to focus on limiting ad blockers with V3 instead of protecting users from these extensions.

by issafram

1/12/2025 at 10:47:57 PM

The "This extension may soon no longer be supported because it doesn't follow best practices for Chrome extensions" warning on the uBlock Origin listing is one the shadiest things on the Chrome Web Store.

by insin

1/12/2025 at 7:20:56 PM

V3 reduces the damage extensions can do to users. Complain about the impact to ad blockers if you want but this point is nonsense.

by creato

1/12/2025 at 11:57:36 AM

> Apparently, some extension authors figured out that the Chrome Web Store search index is shared across all languages

Oh, you mean like google ads and android app ads? Because both think I'm either Chinese or Korean, despite being neither.

by nubinetwork

1/12/2025 at 4:03:28 PM

Targeting at its finest.

by dylan604