Google has removed a pair of Chrome extensions from its web store after marketers bought the extensions from their creators and used them to inject adverts into users’ browsers.
The two extensions, “Add to Feedly” and “Tweet This Page”, had relatively small audiences, with fewer than 100,000 users each. Both were updated without informing users and began placing ads throughout the web, even landing some on Google’s famously spartan home page.
Amit Agarwal, the developer behind the Add to Feedly extension, revealed on his personal blog that he had sold his software to an unknown buyer, saying “It was a four-figure offer for something that had taken an hour to create and I agreed to the deal.”
Once the deal had been completed, the new owner took advantage of Chrome’s automatic updating feature, which allows the browser and its extensions to be updated without the user’s knowledge.
Although it’s not known for certain if the “Tweet This Page” extension was also bought by marketers, it too was updated to serve users unwanted ads, even altering the results of Google searches so that links were redirected to the wrong page.
Technology journalist Ron Amadeo suggests that these are just two examples of a widespread practice. Independent developers build a useful bit of software in a short amount of time and are tempted by the thought of a quick sale. The buyers, however, have no interest in the software and only want to grab the extension’s audience, serve them ads and collect the ad revenue.
Following the news that these two extensions had been subverted in this way, a developer behind a Chrome extension named “Honey”, which has nearly 300,000 users, said in a post on Reddit that this was common:
“Over the past year we’ve been approached by malware companies that have tried to buy the extension, data collection companies that have tried to buy user data, and adware companies that have tried to partner with us. We turned them all down.”
It’s not unusual for extensions to deliver adverts to users, but developers are expected to be upfront and not stoop to tricking users into clicking on ads. When removing the offending software, Google cited a recent update to its policy stating that the software must have “a single purpose” and be “narrow and easy-to-understand”.
It seems that there is no clear way of blocking this sort of practice, and both Google and users will have to be vigilant for altered software.