Maker of Chrome extension with 300,000+ users tells of constant pressure to sell out

Interview In the past nine years, Oleg Anashkin, a software developer based in San Jose, California, has received more than 130 solicitations to monetize his Chrome browser extension, Hover Zoom+.

The latest of these proposals, which generally involve adding code from a third-party partner that gathers data or places ads, arrived by email on Wednesday.

"We offer a partnership where you can earn passive revenue without any PR risks," the message read.

"Our focus is on user privacy, and we only seek 100 percent anonymized data. If you're interested in generating additional revenue (up to $20K monthly) from PII-free data, I'd be happy to arrange a call to share the details."

The details of these proposals vary, Anashkin explained in an email to The Register. But he has turned them all down.

That's good news for fans of Hover Zoom+. For those using extensions that are sold on to unscrupulous people, though, it can be very bad news: those users probably won't even realize their favorite add-on has been quietly updated to harvest their info from their browsing, make money from clicks on links via affiliate programs, or worse.

Those who want to purchase it outright will stuff it with malware depending on their level of greed

"Actors who are asking me to add some tracking code are mostly interested in reselling users' data," Anashkin said. "Actors who want to purchase it outright will stuff it with malware depending on their level of greed: hijacking affiliate links, tampering with search results, showing popups with shady websites, etc."

Anashkin, who began documenting these solicitations on GitHub two years ago, at the time explained, "The main reason I continue to maintain this extension is because I can hardly trust others to not fall for one of these offers.

"I'm fortunate to have a job that pays well enough to allow me to keep my moral compass and ignore all of these propositions. I realize that not everyone has the same financial security so hopefully this thread would shed some light on what kind of pressure is put on extension developers."

• Chrome extensions are 'the new rootkit' say researchers
• What happens when a Chrome extension with 2m+ users changes hands, raises red flags, doesn't document updates? Let's find out
• Chrome Web Store slammed again after 295 ad-injecting, spammy extensions downloaded 80 million times

Indeed, in 2014, Anashkin forked the original Hover Zoom, an extension for zooming in on images, because the developer transferred ownership, and whoever took control of the code base turned it toward data gathering. That original add-on has now been removed from the Chrome store.

"Many years ago there was a Chrome extension called simply Hover Zoom," said Anashkin. "I was using it until 2013 when it got sold to one of these bad actors and had malware added to it. So I decided to fork it and remove all malware, analytics, etc."

He added, "The original extension stopped getting updates (obviously) and eventually got banned and removed from the Chrome Web Store."

According to security researcher Sam Jadali’s 2019 DataSpii report, this removal occurred on or around November 19, 2015 – meaning the extension operated in its data-grabbing form for at least two years.

Lures and cures

Anashkin's experience appears to be fairly common. Developers have discussed these solicitations in online forums and several have written blog posts about selling extensions or partnership offers.

Google did not immediately respond to a request for comment.

Asked what could be done to improve the situation, Anashkin had several suggestions.

"The Chrome Web Store is requiring me (the extension author) to justify the purpose of every permission that my extension uses, but I don't see that exposed anywhere to end users," he said. "Making this information visible would help users to be better informed before installing new extensions."

And when extensions get sold or changes developer contact details, he suggested, the Chrome Web Store should include a prominent notice along the lines of "Careful! New Owners." And any permission changes, he said, should trigger a re-review of the extension's source code.

Anashkin said he suspects that most "monetized" extensions use the same set of libraries to collect user data. "Chrome Web Store is in a position to identify these code snippets and disclose them on the extension's page, similar to how Android apps now show 'Contains Ads," he said.

And for open source extensions, Anashkin said, the store should check to make sure the uploaded extension code and the published source code match. "Mozilla is already doing that [for Firefox add-ons], although not without some hiccups," he said.

Simeon Vincent, who previously served as developer advocate on Google's Chrome extension team, told The Register in June that he was bullish on the architectural and policy changes accompanying Manifest v3, the Chrome extension platform revision that has been underway for several years.

• Google halts purge of legacy ad blockers and other Chrome Extensions, again
• Mozilla will begin signing Mv3 extensions for Firefox next week
• Microsoft will adopt Google Chrome's controversial Manifest V3 in Edge

Anashkin agreed it may help, but said it wouldn't solve every problem.

"Manifest V3 will make it impossible to download and run arbitrary code so that would help with some types of malware, but it won't do much for extensions that have full-time access to all pages (like ad blockers, Grammarly or Hover Zoom+)," he said. "Such extensions will still be able to analyze and modify page content and talk to their servers to collect users data."

Manifest V3 ... would help with some types of malware, but it won't do much for extensions that have full-time access to all pages

His Hover Zoom+, we note, has more than 300,000 users.

Asked whether regulations that make these "partnership" deals more difficult or that encourage developers to commit to acting in the best interest of extension users – along the lines of a fiduciary in the financial industry – might be helpful, Anashkin was skeptical.

"That sounds like an overkill for providing a free service to the users," he said, touching on a common theme among those maintaining open source projects at considerable effort but without compensation.

"Assuming a legal responsibility without even being paid? I would have to shut down my extension if this was the case.

"It's also not hard to imagine that the situation would attract blackmailers who would threaten to sue on the grounds of violating the regulation, if I don't agree to sell the extension. The US legal system would bankrupt people even on the winning side of the conflict." ®