JSON Formatter Chrome Plugin Now Closed and Injecting Adware

https://github.com/callumlocke/json-formatter


Noticed a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa in the Chrome inspector today.

Turns out about a month ago, the popular open source [JSON Formatter chrome extension](https://chromewebstore.google.com/detail/json-formatter/bcji...) went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.

I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.

At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.
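The element name in the post ends in a Chrome extension ID (32 letters from a to p). As an added example that is not part of the post or of the extension, here is a small DOM check that flags nodes whose id or class carries such an ID; the sample node list is constructed and `watchForInjectedNodes` is the in-page hook:

```javascript
// Added example (not from the post or the extension's code). Chrome extension IDs are
// 32 lowercase letters from a to p, so an id/class token of that shape on a DOM node,
// like the reported give-freely-root-bcji... element, points at an extension.
const EXTENSION_ID_RE = /(?:^|[^a-z])([a-p]{32})(?![a-z])/;

function extractExtensionId(token) {
  const m = typeof token === 'string' ? EXTENSION_ID_RE.exec(token) : null;
  return m ? m[1] : null;
}

// Scan plain node descriptors ({tag, id, className}) so this part runs outside a browser.
function findInjectedNodes(nodes) {
  const hits = [];
  for (const n of nodes) {
    const tokens = [n.id || '', ...(n.className || '').split(/\s+/)];
    for (const t of tokens) {
      const extensionId = extractExtensionId(t);
      if (extensionId) { hits.push({ tag: n.tag, token: t, extensionId }); break; }
    }
  }
  return hits;
}

// In a page: report injected nodes as they arrive. Guarded so the file also loads in Node.
function watchForInjectedNodes(onHit) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const describe = (el) => ({ tag: el.tagName.toLowerCase(), id: el.id,
    className: typeof el.className === 'string' ? el.className : '' });
  const observer = new MutationObserver((records) => {
    for (const rec of records) {
      for (const node of rec.addedNodes) {
        if (node.nodeType !== 1) continue;           // elements only
        const els = [node, ...node.querySelectorAll('*')].map(describe);
        for (const hit of findInjectedNodes(els)) onHit(hit);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample: the id quoted in the post plus ordinary page nodes.
const SAMPLE_NODES = [
  { tag: 'div', id: 'give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa', className: '' },
  { tag: 'div', id: 'app', className: 'container main' },
  { tag: 'span', id: '', className: 'widget-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz' },
];

console.log(findInjectedNodes(SAMPLE_NODES));
```

The extracted ID can be pasted into the Chrome Web Store URL (the `detail/<name>/<id>` path the post links to) to identify which installed extension owns the node.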


Thanks for posting this. I think it's such a shitty thing to do. I don't have much of a problem if an original author wanted to do a closed fork of an open source project, but to start injecting ads, without warning, to folks who have already installed your generic JSON formatter and phrase it as "I'm moving to a closed-source, commercial model in order to build a more comprehensive API-browsing tool with premium features." - seriously, f' off.

I agree that browser extension marketplaces are a failed experiment at this point. I used to run security at a fin services company, and our primary app had very strict Content Security Policy rules. We would get tons of notifications to our report-uri endpoint all the time from folks who had installed extensions that were doing lots of nefarious things.
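The report-uri signal described above can be triaged automatically. As an added example (not the commenter's code), this splits CSP violation reports caused by browser extensions from the site's own violations and groups them per extension; the report lines are constructed and the extension ID in them is a placeholder:

```javascript
// Added example (not the commenter's code): triage CSP report-uri violation reports so
// that violations caused by browser extensions (blocked-uri or source-file under an
// extension scheme) are separated from the site's own and grouped per extension.
const EXTENSION_SCHEMES = ['chrome-extension://', 'moz-extension://', 'safari-web-extension://'];

// Return "scheme://<extension id>" when a URI belongs to an extension, else null.
function extensionOrigin(uri) {
  if (typeof uri !== 'string') return null;
  const scheme = EXTENSION_SCHEMES.find((s) => uri.startsWith(s));
  return scheme ? scheme + uri.slice(scheme.length).split('/')[0] : null;
}

function classifyReport(line) {
  let body;
  try { body = JSON.parse(line); } catch { return { kind: 'malformed' }; }
  const r = body && body['csp-report'];
  if (!r || typeof r !== 'object') return { kind: 'malformed' };
  const extension = extensionOrigin(r['source-file']) || extensionOrigin(r['blocked-uri']);
  return {
    kind: extension ? 'extension' : 'site',
    extension,
    directive: r['effective-directive'] || r['violated-directive'] || '',
  };
}

// Summarize a batch of report lines: counts per extension origin, plus site/malformed totals.
function summarize(lines) {
  const byExtension = {};
  let site = 0, malformed = 0;
  for (const line of lines) {
    const c = classifyReport(line);
    if (c.kind === 'malformed') { malformed += 1; continue; }
    if (c.kind === 'site') { site += 1; continue; }
    const e = byExtension[c.extension] || (byExtension[c.extension] = { count: 0, directives: [] });
    e.count += 1;
    if (!e.directives.includes(c.directive)) e.directives.push(c.directive);
  }
  return { byExtension, site, malformed };
}

// Constructed sample reports; the extension id is a placeholder, not a real one.
const EXT = 'chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
const SAMPLE_REPORTS = [
  `{"csp-report":{"document-uri":"https://shop.example/checkout","effective-directive":"script-src-elem","blocked-uri":"${EXT}/inject.js"}}`,
  `{"csp-report":{"document-uri":"https://shop.example/checkout","effective-directive":"style-src-elem","blocked-uri":"inline","source-file":"${EXT}/content.js"}}`,
  `{"csp-report":{"document-uri":"https://shop.example/","effective-directive":"img-src","blocked-uri":"https://cdn.other.example/a.png"}}`,
  'not json',
];
console.log(JSON.stringify(summarize(SAMPLE_REPORTS), null, 2));
```

Browsers differ in how much they attribute extension-caused violations in reports, so treat an absence of extension origins as inconclusive rather than as proof that no extension is injecting content.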

We could use LLMs to scan source code and list all of the behavior not listed in the extension's page, like adware and geolocation tracking for example. Then another LLM locally to disable it and warn you with a message explaining the situation.

How did you "notice" a suspicious element in the inspector? Do you routinely look at the DOM?

The extension injects its "gimme money" elements even on localhost pages.

> Do you routinely look at the DOM?

You don't?

I do. Then again, I'm a web developer so looking at the DOM is my day job.

I did webdev for a long time, so yeah. If you want the story, I was looking into guix on asahi and ended up on https://www.asahi-guix.org/ which didn't load anything, so I checked the page source and noticed the element.

> I feel like browser extension marketplaces are a failed experiment.

People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.

The degree to which they are successful at that and add enough value to overcome the downsides is an open question. But it's clear that in a world where everyone is running hundreds of pieces of software that have auto-update functionality built in and unfettered access to CPU power and the Internet, uncontrolled app stores are a honeypot for malicious actors.

> People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.

But browser extension marketplaces aren't a free-for-all; they're exactly like the platform app stores in all the bad ways.

Whatever value they provide is completely and totally irrelevant compared to giving Microsoft, Google, and Apple the unilateral discretion to end any software developer's career, or any software development business, by locking them out of deploying software with no recourse. Nobody has a problem with optional value-add stores, but all three have or are moving towards having complete control of software distribution on the hardware platforms used by billions of people.

This also ignores that mobile phones are now being used as an effective botnet. Just gotta get some poor devs to include your SDK and off you go.

AI companies make use of these botnets quite a bit as well. Why don't we hear more about it? Because it is really really really hard to inspect what is actually happening on your phone. This post actually kinda disproves that the closed rent seeking model is better in any way.

It's OK to inject ads, but not OK to remove them, under Google's current policies.

Well no, actually. Both halves of that statement are false.

Injecting ads will get you removed from the extension store if caught, while adblockers are advertised on the front page of the store.

Google's "Manifest 3" rules, vs. ad blocking, in Ars Technica.[1]

Did the JSON formatter with ads get kicked out of the extension store yet?

[1] https://arstechnica.com/gadgets/2024/08/chromes-manifest-v3-... (Ars Technica: "Chrome's Manifest V3, and its changes for ad blocking, are coming real soon")
Manifest 3 explicitly enables ad blocking through the declarativeNetRequest API. It's trivial to do so, and many blockers exist in the Chrome Web Store.

Everybody freaked out about Manifest v3, but I'm running Chrome + uBlock and still not seeing any ads. Seems like a nothingburger to me.

> went closed source and started injecting adware into checkout pages ... [and] geolocation tracking.

Maybe we should resort to publicly blaming and shaming this sort of action. DDoS their servers, fill their inbox with spam, review-bomb anything they do. Public court justice a la 4chan trolling. Selling out is a lawful decision, of course, but there is no reason it shouldn't come with a price tag of becoming publicly hated. In fact, it might help people who are on the verge to stay on the ethical side of things (very ironically).

I'm just kinda joking (but wouldn't hate it if I was rugpulled and the person that did it got such treatment)

The same thing happened to ModHeader https://chromewebstore.google.com/detail/modheader-modify-ht... -- they started adding ads to every google search results page I loaded, linking to their own ad network. Took me weeks to figure out what was going on. I uninstalled it immediately and sent a report to Google, but the extension is still up and is still getting 1 star reviews.

Interesting that the author, Callum Locke, seems to be a real person with a real reputation to damage. Previously this would have been a trust signal to me, I figured real developers would be less likely to go rogue given the consequences.

The temptation is quite strong, especially for popular extensions.

Here's what it can look like to an author of a popular extension:

https://github.com/extesy/hoverzoom/discussions/670


Depends on the personal situation. An extension with 2 million users can generate a very meaningful revenue. My extension has only 300k users, but offers that I received over years [0] would have been significant in some lower-income country.

[0] https://github.com/extesy/hoverzoom/discussions/670


Extracts from two different offers:

For example, your income for the 10k users will be ~ $ 1000 per month, users 20k ~ $ 2000 per month… 100k users ~10 000 $, and so on.

ARPDAU (Average Revenue Per Daily Active User) basis - In average we have $0.007-0.011/user, US is $0.018.

Browser extension maintainers routinely get contacted from more or less shady directions. This is likely a case of a maintainer selling out after getting a good offer.

Guy talks about switching to the "Classic" version if

> you just want a simple, open source, local-only JSON-formatting extension that won't receive updates.

Wow that sounds like a tough choice. JSON formatting is moving at such a fast pace that I don't know if I should pay a JSON formatting SaaS a monthly subscription, or if I really can live without updates.

Depends on how many JSON tokens you need to format. I recommend getting JSON ForMAX+ with 200k tokens and 100k sign in bonus.

I heard that JWTs are 5x the price of JSON tokens but only 3x if you have JSON ForULTRA+ (new) (for work or school).

The more you buy, the more you save!

Legally speaking that's for entertainment purposes only.

Big-JSON is coming for us.

Lol. I mean what the hell is this. I have this weird feeling this guy got tricked by an LLM into thinking this move is smart... "what you've built is not just a json formatter, it's the next big...".

I mean good luck to that guy. Everyone should have a shot. I think I've been using that extension as well. But yeah, I never cared enough to know if it was this one. But I do hope there are others who did & he can surprise me and turn this user base into customers of a commercial product. If he pulls that off, I'd be truly impressed.

I noticed this a week ago. Ended up building my own that has all the features I love from using several over the years.

https://github.com/wesbos/JSON-Alexander
