Think Twice Before Installing Any Chrome Extension

Hi, This is Joel, the developer of awesome screenshot the article mentioned. First of all, I apologize for what I did for it in the last version a day ago.<p>I'd like to share with you my intension for this amazon + google search feature.<p>1) It's from my need. When I search some shopping items from google, I always want to check them in amazon also.<p>2) It can help us make small mount of money.<p>3) I provide an option to disable it.<p>However, I did it in a wrong way. I should did it like this: 1) Disable it by default. 2) Ask user's permission to enable it 3) Tell users why we add it.<p>I did it wrong but still respect users. This feature exists only one day and I removed it in the new version(3.2.1).

The answer from the developer of Awesome Screenshot:<p><pre><code> === Developer 1 hour @All, since many of you don't like this feature, we removed it in the version 3.2.1. === Developer 39 minutes @All, Hi All, This is Joel, developer of awesome screenshot. I am so sorry to add the amazon search result in google search result page without info our users first. It's such a bad decision. This additional features was designed to scratch our own itch. Because when I search some shopping items in google, I always want to check them in amazon at the same time. In the spirit of transparency, we should disclose that this feature does bring small amount of revenue to us, which enables us to continue to improve this product. Since so many users don't like it, *we already updated a new version(3.2.1) to remove this feature*. </code></pre> I think they should make this feature optional and disabled by default.

Can't help casual users, but for power users, this is a very handy tool to inspect the source on-the-fly:<p><a href="https://chrome.google.com/webstore/detail/bbamfloeabgknfklmgbpjcgofcokhpia" rel="nofollow">https://chrome.google.com/webstore/detail/bbamfloeabgknfklmg...</a>

Apple's solution has taken a lot of flak over the years for its audit process and some pretty arbitrary rejections, but if this is the alternative...

Anyone could review extensions in Chrome's gallery and provide a seal of quality or recommended avoid list.<p>With Chrome's model, competing groups with different priorities could recommend different sets of apps to use or avoid, just like competing review magazines for consumer goods.<p>Mozilla's model invites pressure from DHS to kill specific apps the government doesn't like. So far Mozilla has rejected calls to kill extensions that help circumvent state sponsored blacklists,* but for how long?<p>As Google learned in China, if there is a technical measure which could hypothetically suppress speech, then some government will eventually demand its use.<p>* See "MAFIAAfire"

While I don't like the Awesome Screenshot approach, high profile startups like Posterous seem to take a similar approach (stealthily rewriting links in blog articles) and hardly anybody from the tech elite seems to mind.

I think the title of this post is too alarmist. Chrome makes it very easy to install or remove apps, unlike traditional desktop applications.<p>I recently released a Chrome Extension myself <a href="https://chrome.google.com/webstore/detail/ifhpbfmklgecpflbnbamoahdeabljgfi" rel="nofollow">https://chrome.google.com/webstore/detail/ifhpbfmklgecpflbnb...</a>, and was surprised that Google requires a $5 payment from developers, supposedly to prevent malware and spam, even though most extensions are free. I suppose Google largely counts on ratings and comments to moderate content.

What's the technical term for this?<p>Ah yes. I remember: "pretty fucking bad, man".<p>If the Chrome team also have access to the source of these plugins, it seems pretty irresponsible that there's no audit process whatsoever. There should at least be random audits, particularly of popular applications.

A few months ago I discovered a similar situation with a very popular extension (300,000+) users. It removed facebook ads, and injected it's own. After a quick search, I found 4-5 others that were doing the same. Took Google over 3 weeks to remove them.<p><a href="http://www.reddit.com/r/chrome/comments/gpwqc/caution_auto_hd_for_youtube_extension_is_now/" rel="nofollow">http://www.reddit.com/r/chrome/comments/gpwqc/caution_auto_h...</a>

Sounds like an opportunity for a startup based on rating, review and certification of chrome extensions. I'd pay for peace of mind.

Also, think twice before visiting any website. A web browser can be used for many things. Some of those things (like running extensions, or visiting web pages) have the potential to deliver malicious code to a user's machine. It is not Google's responsibility to police the content of the web, or the content of Chrome extensions. Although one could argue that it would be wise for Google to use its vast resources to provide recommendations/warnings on extensions, similarly to what it does for links in Google results that it suspects are delivering malware.

Odd, I've had that extension installed for a while now and have never had any of those amazon ads inserted into my content. Uninstalling awesome screenshot just to be sure.

So in principle the Chrome gallery has the tools in place to prevent these abuses. The extension listing page states what permissions the extension will have (if it says "access all web pages", then you certainly should think hard before installing it!), and the user reviews and ratings mean users can call out bad behaviour (like this sneaky affiliate link adding) and warn other users.<p>Unfortunately both of these things are pretty broken in the Chrome gallery at present. The warning about what the extension can access is fairly muted, and you have to <i>notice</i> and <i>read</i> it - unlike when you install a Facebook or Android app, when the permission dialog interrupts the install flow so you have to at least <i>see</i> it before you can install. And the implementation of user reviews is terrible - there's no way for the extension author to reply to a misinformed or misleading review, except to leave his own "review" (yes, you can review your own extension).

Everyone has access to chrome extension source

I completely disagree with the conclusion of this article. Consider Apple's App Store. Supposedly, the application and review process makes things safer for end users. Unfortunately we've seen this is not always the case. Additionally, Apple's policies have been harshly criticized by others as being a walled garden that stifles competition.<p>Can Google really expect to keep an app like this from slipping through their approval process? It's not like the extension runs and crashes Chrome while sending your browsing history to DoubleClick.<p>I think a better way to approach this issue is to engage the users when they install an app with flexible permission settings, by saying "These are the things this app is allowed to do. If you don't want it to do all of these things, you may uncheck specific permissions. Be aware that restricting this extension may cause it to not work properly".

Safari extensions too. I installed Dictionary by Slice Factory. Then, when I was shopping on Amazon, I got a huge in-browser pop-up asking to help me find products with the lowest price. They do have an opt-out feature, but it was very disconcerting since initially I had no idea where this came from.

Extensions really can't do anything without specifying permissions explicitly in their manifest. Those permissions are then shown to the user when extensions are installed. I don't see the problem here.<p>And inserting links in a search results page is hardly the type of malware the title of this article implies.

This is why I only use bookmarklets. I click they run. I don't click, they don't run. Sure my Readability bookmarketlet might be collecting a couple of links I have trouble reading, but at least they aren't doing anything malicious when I'm not using them.

The developers of this app just lost a lot of trust! Be honest with your users. That's the first rule of developing a good product. It does not matter how much they apologize now, a lot of users aren't going to trust them anymore!

Use Screen Capture (by Google): <a href="https://chrome.google.com/webstore/detail/cpngackimfmofbokmjmljamhdncknpmg" rel="nofollow">https://chrome.google.com/webstore/detail/cpngackimfmofbokmj...</a><p>You can take the entire page, partial pages, redactions etc its fantastic.<p>No remote server needed either.

It's not the only one. Upside Down adds Viglink to pages (and mentions it in the extension gallery page).<p>Allow copy-paste action on websites replaces the banner on LyricsFreak with one for the author's website.<p>The Web Of Trust Firefox extension also adds "safe search" links to Google results.

Wasn't able to move to Chrome from Firefox. No proper replacement for Vimperator/Pentadactyl. Vimium just doesn't cut it. Doesn't work on all pages, often stops working. Any chrome users here who use vimium (vim bindings) who might share some inputs?

I wondered where those Amazon ads were coming from! This is definitely shady; to have websites modified without your knowledge is unnerving. With such a successful extension, there must be a better monetization idea than tricking users.

use the source, luke.

this coming from the guy monetizing his site with with obnoxious google ads and hover-over links.

Why is everyone treating this as something new?!?!<p>you run code on your machine, you have to trust it.<p>Heck, i don't trust even stuff i download from the app store! and I still limit the talk of my wii with nintendo servers on my router.<p>the chrome extensions just add a little insult because it 'seems' official or something. Much better the grease monkey way, full of warnings so the user remembers that he has to think for himself.

There should be a permission for contacting external sites. That's where the biggest security threats lie and most extensions, like a screenshot extension, don't need to be making requests to other sites (like Amazon).