Over the weekend, it was reported that an odd, new trend is popping up among extensions for Google's Chrome browser: ads. According to Ars Technica, advertising companies are buying popular Chrome extensions that already have a built-in userbase, and then changing the extension to insert ads into websites.
Here's how it works:
Ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome's update service, which sends the adware out to every user of that extension.
One developer says that he was offered a four-figure sum for an extension that took about an hour of coding and had about 30,000 users. Another extension developer claimed on Reddit that a data collection company offered six figures a month for user information.
While none of this is illegal—developers can sell their product to whoever they want—there has been a backlash and worry that malware companies will continue buying backdoors into users' browsers. In response to the ad injections, customers began rating the extensions negatively, and Google has begun blocking extensions that violate its terms of service. The company updated its policy in December to prohibit software that is difficult to understand or obfuscates some of its functionality.