Guy talks about switching to the "Classic" version if
> you just want a simple, open source, local-only JSON-formatting extension that won't receive updates.
Wow that sounds like a tough choice. JSON formatting is moving at such a fast pase that I don't know if I should pay a JSON formatting SaaS a monthly subscription, or if I really can live without updates.
Noticed a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa in the chrome inspector today.
Turns out about a month ago, the popular open source [JSON Formatter chrome extension](https://chromewebstore.google.com/detail/json-formatter/bcji...) went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.
I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.
At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.
Thanks for posting this. I think it's such a shitty thing to do. I don't have much of a problem if an original author wanted to do a closed fork of an open source project, but to start injecting ads, without warning, to folks who have already installed your generic JSON formatter and phrase it as "I'm moving to a closed-source, commercial model in order to build a more comprehensive API-browsing tool with premium features." - seriously, f' off.
I agree that browser extension marketplaces are a failed experiment at this point. I used to run security an a fin services company, and our primary app had very strict Content Security Policy rules. We would get tons of notifications to our report-uri endpoint all the time from folks who had installed extensions that were doing lots of nefarious things.
We could use llms to scan source code and list all of the behavior not listed in the extensions page, like adware and geolocation tracking for example. Then another LLM locally to disable it and warn you with a message explaining the situation.
> I feel like browser extension marketplaces are a failed experiment.
People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.
The degree to which they are successful at that and add enough value to overcome the downsides is an open question. But it's clear that in a world where everyone is running hundreds of pieces of software that have auto-update functionality built in and unfettered access to CPU power and the Internet, uncontrolled app stores a honeypot for malicious actors.
This also ignores that mobile phones are now being used as an effective botnet. Just gotta get some poor devs to include your SDK and off you go.
AI companies make use of these botnets quite a bit as well. Why don't we hear more about it? because it is really really really hard to inspect what is actually happening on your phone. This post actually kinda disproves that the closed rent seeking model is better in any way.
Whatever value they provide is completely and totally irrelevant compared to giving Microsoft, Google, and Apple the unilateral discretion to end any software developer's career, or any software development business, by locking them out of deploying software with no recourse. Nobody has a problem with optional value-add stores, but all three are or are moving towards having complete control of software distribution on the hardware platforms used by billions of people.
> People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.
But browser extension marketplaces aren't a free-for-all; they're exactly like the platform app stores in all the bad ways.
Agreed with that. My main use of AI is just writing ultra minimal apps that are specifically tailored to my needs, instead of using a larger app(or plugin or whatever) that is controlled by a third party and is usually much more than I need, and doesn't exactly fit my needs, and requires ad hoc configuration.
I'm wondering when/if this is going to bite me in the butt
Interesting that the author, Callum Locke, seems to be a real person with a real reputation to damage. Previously this would have been a trust signal to me, I figured real developers would be less likely to go rogue given the consequences.
The same thing happened to ModHeader https://chromewebstore.google.com/detail/modheader-modify-ht... -- they started adding ads to every google search results page I loaded, linking to their own ad network. Took me weeks to figure out what was going on. I uninstalled it immediately and sent a report to Google, but the extension is still up and is still getting 1 star reviews.
I guess you really need to unpack each and every extensions before installation and carefully inspect the code manually to see if it only would be doing what the extensions is advertising.
Darn…
and I thought that the JSLibCache extension was forcing every site into UTF-8 mode (even those that need to run with a legacy codepage) was a critical issue. A problem I encountered yesterday… took me a while to figure out too.
I actively try to get coworkers to audit, remove and work without browser extensions. Google and Firefox clearly do not care to spend even a modicum of effort to police their marketplaces. There's only a few I would trust and assume all others to be malware now or at some point in the future.
The JSONView extension on Firefox was targeted a while ago. (2017?)
I only found out because Mozilla forced an uninstall with a warning and then I had to go down Bugzilla to find the impact (it leaked browser visit URLs).
WebExtension permissions are fucking broken if the set of permissions necessary to reformat and style JSON snippets is sufficient to inject network-capable Javascript code into any page.
If basically any worthwhile extension can be silently updated to inject <script> tags anywhere, then it's time to call this a failed experiment and move on. Bake UBlock and password-management APIs into the browser. Stop the madness.
Been researching extensions for a while now at the day job and I'm preparing some disclosures to the major browser vendors.
The amount of absolute clusterfuckery in browser extensions is endless. One of the biggest issues is with how extensions define their permissions and capabilities in their manfiest.json files. I've reviewed thousands of these now, and probably only 5-10% of extensions actually get it right. There are just so many confusing and overlapping permissions, capabilities, etc.
It is a failed experiment, but I don't think Google can just shut it off, because of their market dominance. They'd be disconnecting some of their competitors from their users. They need to move to an updated manifest spec that is (more) secure by default, has fewer footguns, etc.
- "It can: Read and change all your data on all websites"
It's not alarming sounding enough for what that implies, but "it can trigger requests under its control" seems fairly obvious from that. The permission it uses to inject ads can be used to inject ads (or block them).
Why a JSON formatter needs any permission at all is something anyone installing it should be asking themselves.
---
This is not meant to imply that I think the permission model of extensions in chrome or firefox is good, clearly it is not. But it's significantly better and more fine-grained than every single other widely-used permissions system in consumer apps. Ideally there should be more carve-outs for safe niches like a "read a JSON file, rewrite it into something that does not need javascript or external resources" could use, but also that kind of thing is likely to be nigh impossible to make "complete".
Given that the worlds biggest browser is made by the worlds biggest ad company, the chances it’ll ever bake in a working ad blocker are approximately zero.
> you just want a simple, open source, local-only JSON-formatting extension that won't receive updates.
Wow that sounds like a tough choice. JSON formatting is moving at such a fast pase that I don't know if I should pay a JSON formatting SaaS a monthly subscription, or if I really can live without updates.
Turns out about a month ago, the popular open source [JSON Formatter chrome extension](https://chromewebstore.google.com/detail/json-formatter/bcji...) went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.
I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.
At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.
I agree that browser extension marketplaces are a failed experiment at this point. I used to run security an a fin services company, and our primary app had very strict Content Security Policy rules. We would get tons of notifications to our report-uri endpoint all the time from folks who had installed extensions that were doing lots of nefarious things.
People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.
The degree to which they are successful at that and add enough value to overcome the downsides is an open question. But it's clear that in a world where everyone is running hundreds of pieces of software that have auto-update functionality built in and unfettered access to CPU power and the Internet, uncontrolled app stores a honeypot for malicious actors.
AI companies make use of these botnets quite a bit as well. Why don't we hear more about it? because it is really really really hard to inspect what is actually happening on your phone. This post actually kinda disproves that the closed rent seeking model is better in any way.
But browser extension marketplaces aren't a free-for-all; they're exactly like the platform app stores in all the bad ways.
You don't?
I'm wondering when/if this is going to bite me in the butt
https://github.com/wesbos/JSON-Alexander
Darn…
and I thought that the JSLibCache extension was forcing every site into UTF-8 mode (even those that need to run with a legacy codepage) was a critical issue. A problem I encountered yesterday… took me a while to figure out too.
I only found out because Mozilla forced an uninstall with a warning and then I had to go down Bugzilla to find the impact (it leaked browser visit URLs).
If basically any worthwhile extension can be silently updated to inject <script> tags anywhere, then it's time to call this a failed experiment and move on. Bake UBlock and password-management APIs into the browser. Stop the madness.
The amount of absolute clusterfuckery in browser extensions is endless. One of the biggest issues is with how extensions define their permissions and capabilities in their manfiest.json files. I've reviewed thousands of these now, and probably only 5-10% of extensions actually get it right. There are just so many confusing and overlapping permissions, capabilities, etc.
It is a failed experiment, but I don't think Google can just shut it off, because of their market dominance. They'd be disconnecting some of their competitors from their users. They need to move to an updated manifest spec that is (more) secure by default, has fewer footguns, etc.
- "It can: Read and change all your data on all websites"
It's not alarming sounding enough for what that implies, but "it can trigger requests under its control" seems fairly obvious from that. The permission it uses to inject ads can be used to inject ads (or block them).
Why a JSON formatter needs any permission at all is something anyone installing it should be asking themselves.
---
This is not meant to imply that I think the permission model of extensions in chrome or firefox is good, clearly it is not. But it's significantly better and more fine-grained than every single other widely-used permissions system in consumer apps. Ideally there should be more carve-outs for safe niches like a "read a JSON file, rewrite it into something that does not need javascript or external resources" could use, but also that kind of thing is likely to be nigh impossible to make "complete".