Comment by donatj
19 days ago
I have two Chrome extensions in the store. They're not very popular and are really just features I wanted for my own use. I think I have less than 100 users total.
At least once a week I get emails from people
- offering money to add their "tracking" code
- wanting to purchased the extension outright
What they clearly want is access to my modest install base to push questionable code onto. I certainly am not going for these offers, but I could certainly see someone less financially secure giving in to it, and that scares me a little.
The idea of paid malware insertion in smaller packages is kind of troubling in general. How often just in life in general do we just trust opaque binaries to be clean.
> I think I have less than 100 users total.
> At least once a week I get emails from people
My extension (https://chromewebstore.google.com/detail/privornot/fnpgifcbm...) currently says it has ~915 users. Usually the offers I get are in the $100-$200 range, but it's maybe once every 1-2 months I get an offer.
I'm guessing they go by keywords + user count (or something, maybe "last updated" too?) , as my extension is very country and context-specific, and I'm not getting that many offers (thankfully). More people reaching out saying thanks, which are better emails to receive anyways and some asking for the source code, which I'm happy to provide :)
They stopped emailing me eventually when I started responding with silly replies, these are some of the emails I got about Control Panel for Twitter (~220,000 users on Chrome):
https://github.com/insin/control-panel-for-twitter/issues/38...
Some of them work in the open, I've had emails from the people behind this scam:
https://palant.info/2024/10/01/lies-damned-lies-and-impact-h...
Oh man, I loved your work.
That sort of thing is part of my usual spiel against automatic updates in most scenarios (and, when that's hard, pushing back on the reasons why it's hard rather than adding automatic updates):
- What security problems are we trying to prevent with automatic updates? The worst-case would be allowing an untrusted third-party to run arbitrary code on your computer.
- How did we fix it? We allow a different untrusted third-party to run arbitrary code on our computers.
Toss in a healthy dose of developers using "security updates" to enshittify a product, or even just screwing up releases from time to time and introducing more attack vectors than they fixed, and automatic updates don't look very attractive.
Did they seem personalized or do they just mass-mail every developer they can find? 100 users seem very little to go through the trouble of acquiring an extension and then push bad code.
Did they ever give you an idea of what they are ready to pay?
They seem pretty generic, like spray and pray. I am sure they just scrape all the developers details from the Chrome Store and bug them all.
I don't seem to have saved any of them but I do recall one offering me $6,400 for my extension because there was a small voice in the back of my head whispering "that's a lot of money..."
Most of the ones wanting me to install code offer ongoing payments.
Thanks, that sounds like a lot of money. I assume they'd start negotiating once you respond and they look into it, I can't see them paying $6-10 per user. At that point, it has to be cheaper to just build extensions and let them gather a few users, right?
Wild market though, and I applaud developers who reject the offers. I'm sure that small voice becomes a lot louder if you built an extension that now has 100k users.
Did you see what the tracking code does? If possible, it'll be useful to get access to this.
I am having trouble finding it now but I used to use a Picture in Picture extension that just made the controls more apparent (I use Brave and you have to do a menu dive for it by default). The extension had been featured by google when I added it.
At some point they signed on with a monetization scheme that:
- Redirected you through its sales attribution url any time you accessed a store (which bounced you to the site's front page instead of your search result)
- Rearranged your search results to put its affiliated stores at the top
- Marketed itself mainly to retailers as an ad network with no mention of browser extensions anywhere.
If it werent for the annoying redirect I probably would have never noticed that something was wrong.
...Was it Honey?
2 replies →
Most of them hijack search results and do cookie stuffing.
I also have a really small extension. I also get a lot of emails offering "help" to expand the user base through SEO and marketing.
How much were they offering?
They're not really targeting particular extension. Most people probably don't want to sell anyway so they would just waste time. They send email to everyone who have extension and then when any developer replies, only then they decide if they even want to buy. I have extension with 50k installs in last 5 years that has always on full access to visited pages (content script) and they offered $2k.
$2k seems abysmally low to throw away your labor of love and compromise your morals. At least in the US
3 replies →
This is a worry!