
[Caution] Chrome extension "JSON formatter" turned into adware? Reports of malware injected after the source went closed

jkl5xx
about 12 hours ago

Discussion (10 comments)

0
jkl5xx (OP)
about 12 hours ago

There are reports that the popular Chrome extension "JSON formatter" has gone closed source and is now injecting adware. It was a long-trusted tool, but it now appears to carry a security risk. If you use it, I recommend uninstalling it promptly and looking for an alternative JSON formatting tool.

1
jkl5xx
about 12 hours ago

Noticed a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa in the chrome inspector today.

Turns out about a month ago, the popular open source JSON Formatter chrome extension went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.

I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.

At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.

2
nightpool
about 11 hours ago

The same thing happened to ModHeader https://chromewebstore.google.com/detail/modheader-modify-http-hea/idgpnmonknjnojddfkpgkljpfnnfcklj -- they started adding ads to every google search results page I loaded, linking to their own ad network. Took me weeks to figure out what was going on. I uninstalled it immediately and sent a report to Google, but the extension is still up and is still getting 1 star reviews.

3
computerfriend
about 11 hours ago

Interesting that the author, Callum Locke, seems to be a real person with a real reputation to damage. Previously this would have been a trust signal to me, I figured real developers would be less likely to go rogue given the consequences.

4
captn3m0
about 11 hours ago

The JSONView extension on Firefox was targeted a while ago. (2017?)

I only found out because Mozilla forced an uninstall with a warning and then I had to go down Bugzilla to find the impact (it leaked browser visit URLs).

5
jansommer
about 10 hours ago

Guy talks about switching to the "Classic" version if

you just want a simple, open source, local-only JSON-formatting extension that won't receive updates.

Wow, that sounds like a tough choice. JSON formatting is moving at such a fast pace that I don't know if I should pay a JSON formatting SaaS a monthly subscription, or if I really can live without updates.

7
jimrandomh
about 8 hours ago

I think the main problem here is the ideology of software updating. Updates represent a tradeoff: On one hand there might be security vulnerabilities that need an update to fix, and developers don't want to receive bug reports or maintain server infrastructure for obsolete versions. On the other hand, the developer might make decisions users don't want, or turn even temporarily (as in a supply chain attack) or permanently (as in selling off control of a browser extension).

In the case of small browser extensions from individual developers, I think the tradeoff is such that you should basically never allow auto-updating. Unfortunately Google runs a Chrome extension marketplace that doesn't work that way, and worse, Google's other business gives them an ideology that doesn't let them recognize that turning into adware is a transgression that should lead to being kicked out of their store. I think that other than a small number of high-visibility long-established extensions, you should basically never install anything from there, and if you want a browser extension you should download its source code and install it locally as an unpacked extension.

(Firefox's extension marketplace is less bad, but tragically, Firefox doesn't allow you to bypass its marketplace and load extensions that you build from source yourself.)
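The audit the comment above argues for (know which installed extensions silently auto-update from the store, which are loaded unpacked from local source, and which hold broad host access) can be scripted against the profile's Preferences file. This is an added example, not code from the thread or from the extension's author; the key names `extensions.settings.<id>.manifest`, `from_webstore`, `location` and `update_url`, and the value 4 for an unpacked install, are what Chromium writes today as far as I know but are assumptions here, and the sample data is constructed.

```python
import json

# Constructed sample of the `extensions.settings` map found in a Chrome
# profile's Preferences (or Secure Preferences) file. Ids, names and values
# are made up; a real file carries many more keys per extension.
SAMPLE_PREFS = json.loads("""{
  "extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
      "from_webstore": true, "location": 1,
      "manifest": {"name": "Some Formatter", "version": "2.0.1",
        "update_url": "https://clients2.google.com/service/update2/crx",
        "permissions": ["storage"], "host_permissions": ["<all_urls>"]}},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
      "from_webstore": false, "location": 4, "path": "/home/me/src/my-fmt",
      "manifest": {"name": "My Formatter", "version": "0.1",
        "permissions": [], "host_permissions": []}}
  }}
}""")

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
UNPACKED = 4  # Chromium Manifest::Location::UNPACKED (assumed value)


def audit_extensions(prefs):
    """Return {extension_id: [flags]} for every extension in a prefs dict.
    'auto-updates': Chrome will pull new versions from an update_url on its
    own, so a sale or hijack of the listing reaches you without any action.
    'unpacked-local': loaded from a local directory, no store updates.
    'broad-host': may read and modify every page you visit."""
    report = {}
    for ext_id, s in prefs.get("extensions", {}).get("settings", {}).items():
        m = s.get("manifest", {})
        flags = []
        if s.get("from_webstore") or m.get("update_url"):
            flags.append("auto-updates")
        if s.get("location") == UNPACKED:
            flags.append("unpacked-local")
        hosts = set(m.get("host_permissions", []))
        # MV2 manifests list host patterns under "permissions" instead.
        hosts |= {p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"}
        if hosts & BROAD_HOSTS:
            flags.append("broad-host")
        report[ext_id] = flags
    return report


def load_profile_prefs(path):
    """Load a real profile's Preferences / Secure Preferences JSON."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


if __name__ == "__main__":
    for ext_id, flags in audit_extensions(SAMPLE_PREFS).items():
        print(ext_id, ", ".join(flags) or "no flags")
```

Run it against `load_profile_prefs("<your profile dir>/Preferences")` (or `Secure Preferences` on Windows and macOS) to list the extensions that both auto-update and hold `<all_urls>`; those are the ones an ownership change turns into adware overnight.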

8
pfg_
about 7 hours ago

Firefox has this ability by default and I find it very useful. And it will never get sold to some random person to be replaced with adware.

9
drunkendog
about 7 hours ago

From the author on HN a couple years ago:

FWIW, and since a few of you probably use it… I own the JSON Formatter extension [0], which I created and open-sourced 12 years ago and have maintained [1] ever since, with 2 million users today. And I solemnly swear that I will never add any code that sends any data anywhere, nor let it fall into the hands of anyone else who would.
I’ve been emailed several tempting cash offers from shady people who presumably want to steal everyone’s data or worse. I sometimes wish I had never put my name on it so I could just take the money without harming my reputation, but I did, so I’m stuck with being honourable. On the plus side I will always be able to say that I never sold out.

https://news.ycombinator.com/item?id=37067908