As the creator of several popular Chrome extensions, once you reach about 10,000 installs people will start contacting you to acquire the extension. In particular, I created a native ad detector that was briefly popular[1]. In my experience, acquirers will go after extensions that have permissions to modify any page.
My extensions were open source and had no clear path to monetization, so I can only speculate on how the purchasers planned to recoup their investments. The permissions in these extensions would allow them to inject ads or even collect credentials, etc.
Not saying that the top extension developer does this, but people are definitely making money by collecting innocuous Chrome extensions!
Recently someone has contacted me to publish a dummy Chrome extension with broad permissions, which they would have updated with their code. After declining, they have offered $20k for the job.
It was interesting to see this strategy, they are trying to implicate people to create publisher accounts for them, verified with credit cards that cannot be traced back to them and do not look suspicious. Though the money they have offered seemed too much for the job, I guess they are also trying to hook developers and convince them to do other stuff down the road.
I do get plenty of purchase and monetization offers, some of which I have shared in a blog post [1], but this was a trick I have never encountered before.
SimilarWeb and Jumpshot acquire extensions so they can gather data on the websites you visit. They then sell this data to other companies for marketing/intelligence purposes. I hope Google can close this loophole soon (anyone from Google listening? dustballs)
Chrome desperately needs a trigger whereby an extension can access a site's data only if there has been an interaction such as clicking a button on the toolbar or the right click menu.
> The activeTab permission gives an extension temporary access to the currently active tab when the user invokes the extension - for example by clicking its browser action. Access to the tab lasts while the user is on that page, and is revoked when the user navigates away or closes the tab.
Part of the problem is that activeTab makes a ton of the things extensions usually do impossible, so lots of extensions will keep requesting full permissions. I'm not really sure how you fix it. Scoping to a list of domains could potentially work, but adding new domains shuts off your extension so it seems unlikely that anyone could do it when they could request wildcard permissions at install instead.
In practice users want extensions to do stuff that implicitly violates security boundaries, so I think making that stuff secure would basically require Google to build it in. Like for example, 1password naturally needs both a way to intercept entry of new passwords (to offer saving) and a way to detect password fields and type into them. Detecting a password field means you need to be able to scan the DOM and detect when the user is interacting with the field. At the point where you can do that, you can snoop on the user on an important page, activeTab or no.
If the Chrome Web Store offered straightforward ways to sell paid extensions at least then there'd be less reason to embed malware in your extension instead...
My extension (now removed due to legal threats and DMCA abuse) was originally scoped to an application's domain, and then the developer added a new domain so I had to update my extension manifest to add that domain. Doing so shut it off for every user and I had to explain how to turn it back on. Given that experience I should have just put a wildcard in the permissions instead, but I underestimated how bad Chrome's extension infrastructure would be.
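As an added example (not code from any commenter or from any extension named in the thread), a small JavaScript audit that flags the wildcard host permissions discussed above, as opposed to activeTab or a domain-scoped list; the two manifests it checks are constructed samples, and the pattern list is the assumption it relies on.

```javascript
// Added example (not from the thread): audit a Chrome extension manifest for
// the host-permission patterns this discussion is about. A wildcard host
// pattern lets the extension read and modify every page the user visits;
// activeTab only reaches the tab the user invoked the extension on.

// Host patterns that grant access to every origin (MV2 and MV3 spellings).
const WILDCARD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isWildcardHost(pattern) {
  return WILDCARD_HOSTS.includes(pattern);
}

// Collect host patterns from the places a manifest can declare them:
// MV2 lists them under "permissions", MV3 under "host_permissions", and
// content_scripts[].matches also decides which pages a script runs on.
function hostPatterns(manifest) {
  const fromPermissions = (manifest.permissions || []).filter(
    (p) => p === "<all_urls>" || p.includes("://")
  );
  const fromHost = manifest.host_permissions || [];
  const fromScripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...fromPermissions, ...fromHost, ...fromScripts];
}

// Report whether the extension uses activeTab and which hosts it can touch.
function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  const hosts = hostPatterns(manifest);
  return {
    name: manifest.name,
    usesActiveTab: perms.includes("activeTab"),
    wildcardHosts: hosts.filter(isWildcardHost),
    scopedHosts: hosts.filter((h) => !isWildcardHost(h)),
  };
}

// Constructed sample manifests (not real extensions from the Web Store).
const broadManifest = {
  manifest_version: 3,
  name: "Example Broad",
  permissions: ["storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
const scopedManifest = {
  manifest_version: 3,
  name: "Example Scoped",
  permissions: ["activeTab", "storage"],
  host_permissions: ["https://app.example.com/*"],
};
```

Run it over a manifest pulled from an installed extension's directory to see which category it falls into; a non-empty `wildcardHosts` is the case the thread is worried about.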
It's not that simple. For example, this would break my accessibility Chrome Extension that lets users browse just using their voice (https://www.lipsurf.com)
The speculation is that NachoAnalytics (they let you "spy" on your competitor's traffic) does something similar -> using lots of general purpose extensions to collect data.
Chrome extensions are such a massive vector for unwittingly giving away all of your data. The fact that they're near impossible to monetize combined with the fact that people click through the permissions screen so easily makes it a prime target for scraping people's data.
"they're near impossible to monetize"... I would not say so. => Our UI (test) automation/RPA software consists of a totally free open-source extension for web automation plus a paid cross-platform binary file that adds additional desktop automation features. It communicates with the extension itself via native messaging.
The add-on module is available in a limited free and paid fully featured version. It is the classical freemium model, which works well for both the extension creators and the users.
Another good example of a freemium browser extension is Grammarly. Browser extensions certainly can be monetized in an ethical way. (Note: I never used Grammarly myself, just seen the many ads)
Per Grammarly's Privacy Policy, they collect a bunch of data, which includes "all text, documents, or other content or information uploaded, entered, or otherwise transmitted by you in connection with your use of Grammarly’s Services and/or Software. This would include, for example, text you write while using a Grammarly product, such as the browser extension or the mobile keyboard".
There's also:
"You can remove your Personal Data from Grammarly at any time by deleting your account as described above. However, we may keep some of your Personal Data for as long as reasonably necessary for our legitimate business interests"
By adapting the 2FB API (which you can use today by adding 2fb.me before ANY link, i.e. https://2fb.me/https://news.ycombinator.com ) I've made many posts about it and didn't get much attention, but now that people are starting to understand the power of this service, I'm moving on to release it as a free and open source Chrome Extension SDK with additional features and examples. I think it's a good idea to specifically serve the Chrome Developer community. And once I have some semblance of API documentation up, I'll post about it. Hold on.
Search Encrypt is malware[0], and its install base is generally not consensual users. I've seen it around for a very long time, and Google isn't doing anything about it.
New Tab-hijacking extensions are incredibly pervasive in the Chrome Web Store, and often installed via malicious websites which use arrows and audio cues to demand a user click the "Install" button Chrome pops up in order to resume web browsing.
Yea, the title refers to the author that is prolific by installs (FreeAddon), rather than the author that is prolific by extensions (Chrome HD Themes).
Chrome HD Themes has over 6k published extensions!
If I had a browser that had the content-filtering power of uBlock Origin (uncrippled) built-in but, to avoid conflict of interest, relied solely on the community to build filters, I wouldn't even need extension support.
I like having 1password. And the ability to impersonate other User-Agent strings for broken webpages. Tampermonkey doesn't hurt. And camelcamelcamel... and Stravistix...
Yeah, I kind of like the ability to install extensions for use cases the developer doesn't and can't think of themselves.
They say the list is the most popular extensions by category. RES is in the productivity category and presumably was omitted in favor of the 10 extensions in that category with 10M+ users. And productivity is the largest category so there are probably dozens more in the gap between 10M+ and 2.2M.
[1] https://www.ianww.com/ad-detector/