Discussion
Search code, repositories, users, issues, pull requests...
tadfisher: WebExtension permissions are fucking broken if the set of permissions necessary to reformat and style JSON snippets is sufficient to inject network-capable Javascript code into any page.If basically any worthwhile extension can be silently updated to inject <script> tags anywhere, then it's time to call this a failed experiment and move on. Bake UBlock and password-management APIs into the browser. Stop the madness.
jkl5xx: Noticed a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa in the chrome inspector today.Turns out about a month ago, the popular open source [JSON Formatter chrome extension](https://chromewebstore.google.com/detail/json-formatter/bcji...) went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.
hn_throwaway_99: Thanks for posting this. I think it's such a shitty thing to do. I don't have much of a problem if an original author wanted to do a closed fork of an open source project, but to start injecting ads, without warning, to folks who have already installed your generic JSON formatter and phrase it as "I'm moving to a closed-source, commercial model in order to build a more comprehensive API-browsing tool with premium features." - seriously, f' off.I agree that browser extension marketplaces are a failed experiment at this point. I used to run security an a fin services company, and our primary app had very strict Content Security Policy rules. We would get tons of notifications to our report-uri endpoint all the time from folks who had installed extensions that were doing lots of nefarious things.
gsibble: Is it me or is this happening more and more frequently?
Groxx: [delayed]
michaelt: Given that the worlds biggest browser is made by the worlds biggest ad company, the chances it’ll ever bake in a working ad blocker are approximately zero.
captn3m0: The JSONView extension on Firefox was targeted a while ago. (2017?)I only found out because Mozilla forced an uninstall with a warning and then I had to go down Bugzilla to find the impact (it leaked browser visit URLs).
jansommer: Guy talks about switching to the "Classic" version if> you just want a simple, open source, local-only JSON-formatting extension that won't receive updates.Wow that sounds like a tough choice. JSON formatting is moving at such a fast pase that I don't know if I should pay a JSON formatting SaaS a monthly subscription, or if I really can live without updates.
panstromek: Depends on how many JSON tokens you need to format. I recommend getting JSON ForMAX+ with 200k tokens and 100k sign in bonus.
fg137: How did you "notice" a suspicious element in the inspector? Do you routinely look at the DOM?
cluckindan: The extension injects its ”gimme money” elements even on localhost pages.
binaryturtle: I guess you really need to unpack each and every extensions before installation and carefully inspect the code manually to see if it only would be doing what the extensions is advertising.Darn…and I thought that the JSLibCache extension was forcing every site into UTF-8 mode (even those that need to run with a legacy codepage) was a critical issue. A problem I encountered yesterday… took me a while to figure out too.
ronsor: > Do you routinely look at the DOM?You don't?
munificent: > I feel like browser extension marketplaces are a failed experiment.People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.The degree to which they are successful at that and add enough value to overcome the downsides is an open question. But it's clear that in a world where everyone is running hundreds of pieces of software that have auto-update functionality built in and unfettered access to CPU power and the Internet, uncontrolled app stores a honeypot for malicious actors.
josephcsible: > People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.But browser extension marketplaces aren't a free-for-all; they're exactly like the platform app stores in all the bad ways.
wesbos: I noticed this a week ago. Ended up building my own that has all the features I love from using several over the years.https://github.com/wesbos/JSON-Alexander
iza: Maybe but it's always been a problem. I've been receiving offers to monetize or sell my extension for over a decade.
strictnein: Been researching extensions for a while now at the day job and I'm preparing some disclosures to the major browser vendors.The amount of absolute clusterfuckery in browser extensions is endless. One of the biggest issues is with how extensions define their permissions and capabilities in their manfiest.json files. I've reviewed thousands of these now, and probably only 5-10% of extensions actually get it right. There are just so many confusing and overlapping permissions, capabilities, etc.It is a failed experiment, but I don't think Google can just shut it off, because of their market dominance. They'd be disconnecting some of their competitors from their users. They need to move to an updated manifest spec that is (more) secure by default, has fewer footguns, etc.
madeofpalk: I do. Then again, I’m a web developer so looking at the DOM is my day job.
brianmcnulty: I heard that JWTs are 5x the price of JSON tokens but only 3x if you have JSON ForULTRA+ (new) (for work or school).
hamdingers: Legally speaking that's for entertainment purposes only
jabwd: This also ignores that mobile phones are now being used as an effective botnet. Just gotta get some poor devs to include your SDK and off you go.AI companies make use of these botnets quite a bit as well. Why don't we hear more about it? because it is really really really hard to inspect what is actually happening on your phone. This post actually kinda disproves that the closed rent seeking model is better in any way.
smallmancontrov: The more you buy, the more you save!
anonymous908213: Whatever value they provide is completely and totally irrelevant compared to giving Microsoft, Google, and Apple the unilateral discretion to end any software developer's career, or any software development business, by locking them out of deploying software with no recourse. Nobody has a problem with optional value-add stores, but all three are or are moving towards having complete control of software distribution on the hardware platforms used by billions of people.
nip: I was approached twice to add « a search and tracking script » to my 35k+ user-based extension.Now I know what would have happened if I had accepted.
computerfriend: Interesting that the author, Callum Locke, seems to be a real person with a real reputation to damage. Previously this would have been a trust signal to me, I figured real developers would be less likely to go rogue given the consequences.
extesy: Depends on the personal situation. An extension with 2 million users can generate a very meaningful revenue. My extension has only 300k users, but offers that I received over years [0] would have been significant in some lower-income country.[0] https://github.com/extesy/hoverzoom/discussions/670
ayewo: The tempation is quite strong, especially for popular extensionsHere's what it can look like to an author of a popular extension:https://github.com/extesy/hoverzoom/discussions/670
vadansky: Or just use it as an example to vibecode your own. Extension laundering through vibecoding.
Animats: It's OK to inject ads, but not OK to remove them, under Google's current policies.
Legend2440: Well no, actually. Both halves of that statement are false.Injecting ads will get you removed from the extension store if caught, while adblockers are advertised on the front page of the store.
robocat: Extracts from two different offers: For example, your income for the 10k users will be ~ $ 1000 per month, users 20k ~ $ 2000 per month… 100к users ~10 000 $, and so on. ARPDAU (Average Revenue Per Daily Active User) basis - In average we have $0.007-0.011/user, US is $0.018.
maxloh: You need to (1) have access to the page/DOM to read the JSON content, and (2) have the permission to modify the page to display formatted results.Those permission adds up to make it possible to display ads and track users. No properly defined boundary would have prevent that.
Animats: Google's "Manifest 3" rules, vs. ad blocking, in Ars Technica.[1]Did the JSON formatter with ads get kicked out of the extension store yet?[1] https://arstechnica.com/gadgets/2024/08/chromes-manifest-v3-...
Legend2440: Everybody freaked out about Manifest v3, but I'm running Chrome + uBlock and still not seeing any ads. Seems like a nothingburger to me.
endofreach: Lol. I mean what the hell is this. I have this weird feeling this guy got tricked by an LLM into thinking this move is smart... "what you've built is not just a json formatter, it's the next big...".I mean good luck to that guy. Everyond should habe a shot. I think i've been using that extension as well. But yeah, i never cared enough to know if it was this one. But i do hope there are others who did & he can surprise me and turn this user base into customers of a commercial product. If he pulls that of, i'd be truly impressed.
arikrahman: I what feature can even be added to the product that won't be immediately replicated in a fork?
SquareWheel: Manifest 3 explicitly enables ad blocking through the declarativeNetRequest API. It's trivial to do so, and many blockers exist in the Chrome Web Store.
tadfisher: "Read and change data on all websites" does not, to me, imply "make network requests on the user's behalf". Yes, I can put on my developer hat and surmise that, under the hood, the extension's injected payload can make network requests by adding <script> elements to the DOM. No user will ever understand this, no matter how much you try to educate them through the permission prompt.This ends up being significantly worse than any other widely-used permissions system, because injected scripts act as the website, not the extension. If you've already granted location permission to a website, then it is effectively granted to the extension. There is no other ecosystem that works like this.And to do basically anything worthwhile, including certain types of content blocking, you need this God permission that essentially disables the WebExtension permissions system. This should never have been greenlit in the first place.
jkl5xx: I did webdev for a long time, so yeah. If you want the story, I was looking into guix on asahi and ended up on https://www.asahi-guix.org/ which didn’t load anything, so I checked the page source and noticed the element.
tadfisher: > There is no alternative way to define a strict security boundary that allows these specific permissions while preventing abuses.Maybe you're right, and there isn't. Does it not follow that we should probably require extensive review and open-source reproducible builds before allowing any such extension on the browser extension stores?
mirekrusin: Nobody knows what but everybody knows they won't be replicated.Chat with your json?Facebook but for jsons?Send json to blockchain?It's so bad that it's exciting, can't wait for an update.
