> FWIW, and since a few of you probably use it… I own the JSON Formatter extension [0], which I created and open-sourced 12 years ago and have maintained [1] ever since, with 2 million users today. And I solemnly swear that I will never add any code that sends any data anywhere, nor let it fall into the hands of anyone else who would.
I’ve been emailed several tempting cash offers from shady people who presumably want to steal everyone’s data or worse. I sometimes wish I had never put my name on it so I could just take the money without harming my reputation, but I did, so I’m stuck with being honourable. On the plus side I will always be able to say that I never sold out.
> I sometimes wish I had never put my name on it so I could just take the money without harming my reputation, but I did, so I’m stuck with being honourable.
This distills down to: "I don't want to be honourable." They signaled right from the beginning.
Well, all the big tech corps have done the same. Nothing to see here. OSS needs proper funding infrastructure. Which all the big players shit on. So, I can't judge him on that. His work, his time.
> Give Freely is not spyware/adware or any kind of 'scam'. It's an optional donation appeal that asks you (if you happen to visit a retailer which happens to be a Give Freely partner) to click a button to donate unclaimed affiliate fees, with most of the money going to Code.org or another charity of your choice. I've met the Give Freely team and trust them. It does not collect any PII or browsing activity, and it doesn't overwrite other affiliate/voucher codes so it never costs you anything. If you find the donation popup too intrusive/annoying you can disable it forever in the extension options, or in the donation popup itself.
> Code.org is a good cause that's relevant to a lot of the same people who use this extension regularly, and clicking a Give Freely donate button is a genuinely free and anonymous way to show your support for both, if you want to. If you don't like it you can turn it off, or if it makes you more comfortable you can switch to JSON Formatter Classic, which has no Give Freely code and corresponds with the v0.8 branch in my archived json-formatter GitHub repo. Or try one of the many forks or alternatives available on the store.
I think the main problem here is the ideology of software updating. Updates represent a tradeoff: On one hand there might be security vulnerabilities that need an update to fix, and developers don't want to receive bug reports or maintain server infrastructure for obsolete versions. On the other hand, the developer might make decisions users don't want, or turn even temporarily (as in a supply chain attack) or permanently (as in selling off control of a browser extension).
In the case of small browser extensions from individual developers, I think the tradeoff is such that you should basically never allow auto-updating. Unfortunately Google runs a Chrome extension marketplace that doesn't work that way, and worse, Google's other business gives them an ideology that doesn't let them recognize that turning into adware is a transgression that should lead to being kicked out of their store. I think that other than a small number of high-visibility long-established extensions, you should basically never install anything from there, and if you want a browser extension you should download its source code and install it locally as an unpacked extension.
(Firefox's extension marketplace is less bad, but tragically, Firefox doesn't allow you to bypass its marketplace and load extensions that you build from source yourself.)
The thing that bothers me most about this story is that the binary on the Chrome Web Store and the public source on the repo have no enforced relationship at all. The store accepts a packaged extension and trusts the developer to say it matches the public code. I tried to reproduce the published build for a few extensions I actually depend on, and in most cases I could not, even when the maintainer was clearly acting in good faith. Firefox AMO at least asks for source and runs a diff against a clean build before they let it through, Chrome does not. If reproducible builds plus a signed attestation tying a store version to a commit are not the right answer here, what would actually catch the silent pivot from benign to malicious before users start getting injected ads?
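One concrete form of the check described in this comment (a clean build from a known commit diffed against what the store actually shipped), as an added example that is not code from the JSON Formatter project, from the Chrome Web Store, or from AMO. It assumes you have the store copy unpacked on disk (Chrome keeps installed extensions as plain directories) and a clean build of the same version produced from the public repository; the file trees in the demo are constructed, and the only Chrome-specific assumption is that the `_metadata` directory Chrome adds at install time should be ignored.

```python
"""Check whether an installed (unpacked) extension tree matches a clean build.

Added example for the reproducible-build point above, not code from the
JSON Formatter project or from the Chrome Web Store. The directory layout
and file contents in demo() are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Top-level entries Chrome writes into an installed extension (its own
# content-verification metadata) that never exist in a source build.
IGNORED_TOP_LEVEL = {"_metadata"}


def file_digest(path: Path) -> str:
    """SHA-256 of one file, streamed so large bundles do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> dict[str, str]:
    """Map each relative POSIX path under root to its SHA-256."""
    digests: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if rel_dir.parts and rel_dir.parts[0] in IGNORED_TOP_LEVEL:
            dirnames[:] = []          # do not descend into Chrome's metadata
            continue
        dirnames.sort()               # deterministic walk order
        for name in sorted(filenames):
            digests[(rel_dir / name).as_posix()] = file_digest(Path(dirpath) / name)
    return digests


def compare_trees(installed: Path, clean_build: Path) -> dict[str, list[str]]:
    """Report files that exist only in one tree or whose contents differ."""
    got, want = tree_digests(installed), tree_digests(clean_build)
    return {
        "added": sorted(set(got) - set(want)),      # shipped but not in the repo build
        "removed": sorted(set(want) - set(got)),    # in the repo build but not shipped
        "modified": sorted(p for p in set(got) & set(want) if got[p] != want[p]),
    }


def is_reproducible(installed: Path, clean_build: Path) -> bool:
    """True only when every file in both trees is byte-identical."""
    return not any(compare_trees(installed, clean_build).values())


def _write_tree(root: Path, files: dict[str, str]) -> None:
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


# Constructed sample: the store copy carries a changed manifest and a script
# that is not in the public repository; the clean build is the reference.
REPO_BUILD = {
    "manifest.json": '{"name": "sample-formatter", "version": "1.0"}',
    "content.js": "formatJsonDocument();",
}
STORE_COPY = {
    **REPO_BUILD,
    "manifest.json": '{"name": "sample-formatter", "version": "1.0", "host_permissions": ["<all_urls>"]}',
    "vendor/partner.js": "/* constructed: file absent from the repository */",
    "_metadata/verified_contents.json": "[]",
}


def demo() -> dict[str, list[str]]:
    """Run the comparison on the constructed trees."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, inst = Path(tmp, "clean"), Path(tmp, "installed")
        _write_tree(clean, REPO_BUILD)
        _write_tree(inst, STORE_COPY)
        return compare_trees(inst, clean)


def demo_identical() -> bool:
    """Sanity check: a tree compared to an identical copy is reproducible."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = Path(tmp, "a"), Path(tmp, "b")
        _write_tree(a, REPO_BUILD)
        _write_tree(b, REPO_BUILD)
        return is_reproducible(a, b)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

On real trees the "added" list is the interesting one: a file the store copy ships that no commit in the public repository produces is exactly the silent pivot the comment is asking how to catch. Minified bundles that differ only because of a non-deterministic build step show up under "modified", which is why the comparison is only meaningful once the project's build is itself reproducible.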
Noticed a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa in the chrome inspector today.
Turns out about a month ago, the popular open source [JSON Formatter chrome extension](https://chromewebstore.google.com/detail/json-formatter/bcji...) went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.
I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.
At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.
Interesting that the author, Callum Locke, seems to be a real person with a real reputation to damage. Previously this would have been a trust signal to me, I figured real developers would be less likely to go rogue given the consequences.
The same thing happened to ModHeader https://chromewebstore.google.com/detail/modheader-modify-ht... -- they started adding ads to every google search results page I loaded, linking to their own ad network. Took me weeks to figure out what was going on. I uninstalled it immediately and sent a report to Google, but the extension is still up and is still getting 1 star reviews.
Google spent all that time pushing Manifest V3 but does little to prevent this, and in some cases even encourages it. [1]
> To provide a more tangible example, Chrome Web Store currently has Blaze VPN, Safum VPN and Snap VPN extensions carry the “Featured” badge. These extensions (along with Ishaan VPN which has barely any users) belong to the PDF Toolbox cluster which produced malicious extensions in the past. A cursory code inspection reveals that all four are identical and in fact clones of Nucleus VPN which was removed from Chrome Web Store in 2021. And they also don’t even work, no connections succeed. The extension not working is something users of Nucleus VPN complained about already, a fact that the extension compensated with fake reviews.
I actively try to get coworkers to audit, remove and work without browser extensions. Google and Firefox clearly do not care to spend even a modicum of effort to police their marketplaces. There's only a few I would trust and assume all others to be malware now or at some point in the future.
The JSONView extension on Firefox was targeted a while ago. (2017?)
I only found out because Mozilla forced an uninstall with a warning and then I had to go down Bugzilla to find the impact (it leaked browser visit URLs).
Guy talks about switching to the "Classic" version if
> you just want a simple, open source, local-only JSON-formatting extension that won't receive updates.
Wow that sounds like a tough choice. JSON formatting is moving at such a fast pace that I don't know if I should pay a JSON formatting SaaS a monthly subscription, or if I really can live without updates.
I use FF, but it seems like something Claude should be able to whip up... There we go. Took two attempts, but I basically told it to make something like FF's JSON formatter, and it did.
I won't share it because I'm sure it leaves much to be desired (and you can recreate it in 2 minutes), but it makes me wonder how much room there is for rugpulls like this when people can just replace the tech with something that doesn't have adrot.
I feel like this is a trend. A few months ago, my phone was hacked because I was using a free QR code scanner app which I'd been using for like 5 years without issue.
It was an effective hack. I'd wasted 3+ hours jumping through hoops to get access to some basic service and was running into one hurdle after another... Then I got to a point that I wanted to scan a QR code from an old screenshot and so I opened my trusty QR code app to navigate to the website, but when I opened the app, it wouldn't let me scan as usual; instead, there was a legit-looking update button on the page saying I needed to update the app; it was shown as part of the app interface itself (not some side ad). After 3 hours of running into a deep recursive rabbit hole with one hurdle after another, I was at my wit's end... I needed to read that QR code NOW! This was one hurdle too many which I didn't have the energy to even think about! I was too busy thinking about the other 4 layers of nested issues which I was trying to unwind myself out of! And so my muscle memory kicked in and hit the update button! Then BAM! Even before my system 2 thinking kicked in (to remind me that updates should be done through the app store), within a second or two, a message flashed on the screen and I knew my phone had been hacked. I noticed later that I received a whole bunch of extortion emails.
Thankfully, I never put anything sensitive on my phone. I treat it as a public space. I wasn't logged into any session on any app at the time. I immediately did a factory reset of my phone and changed all my passwords just in case. But damn, that was an effective hack! I trusted this app for 5 years and it betrayed me in a fraction of a second! This was surprising for me as I'd never been hacked before. It showed me how even someone who fully understands the tech can be hacked if caught at the right time in the right situation.
This should be hurting the reputation of Chrome Web Store more than it is hurting the reputation of Open Source browser extensions. It's impossible to keep tabs on all Open Source developers, so a highly trusted platform like Fedora or installing and updating things one by one is needed.
It's far from ideal, but I've been meaning to start using one personal meta-extension so I can have ctrl-d on Grok delete the next character, do my own custom readability overlays, and other stuff that comes to mind. It would have a clear association between sites and customizations, and possibly sandboxed code (e. g. WebAssembly).
It's quite remarkable that a chrome extension can just update overnight and start injecting adware (or worse) and not a single warning from chrome. I shouldn't have to read hackernews to find out.
The number of offer emails I have gotten for my Chrome extension is wild, and I've only got a little over 100 installs. I'm honestly surprised this is not more common.
Hey William, thanks for flagging this! We were experimenting with analytics to help us identify crashes and improve stability. We've rolled this back in v2.1.17, which is now live and being rolled out. Going forward, we'll ensure any analytics collection is clearly disclosed. Thanks again!
I guess you really need to unpack each and every extension before installation and carefully inspect the code manually to see if it only does what the extension is advertising.
Darn…
and I thought that the JSLibCache extension forcing every site into UTF-8 mode (even those that need to run with a legacy codepage) was a critical issue. A problem I encountered yesterday… took me a while to figure out too.
just went through all my github actions and pinned them to commit SHAs after reading this. same problem — if someone pushes to @main your CI blindly runs it.
auto-update anything is basically handing someone a key to your house and hoping they stay nice forever
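The audit the comment above describes (finding every `uses:` reference in a workflow that still points at a branch or tag), as an added example that is not a GitHub tool and not code from any project on this page. It assumes the workflow files are plain text you can read locally; the workflow below is constructed, `actions/checkout` and `actions/setup-node` are real actions, the `example-org` names are placeholders, and the 40-hex string is a constructed placeholder rather than a real commit.

```python
"""Find GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for the comment above about pinning actions; not a GitHub tool.
The workflow text is constructed; only actions/checkout and actions/setup-node
are real actions, everything else is a placeholder.
"""
import re

# Matches `uses: owner/repo[/path]@ref` (optionally quoted, with an optional
# trailing comment). Local actions (./path) and docker://image:tag references
# carry no `@ref`, so they do not match and are left to other checks.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*["']?(?P<target>[^\s@#"']+)@(?P<ref>[^\s#"']+)"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify_ref(ref: str) -> str:
    """'pinned' for a full SHA; anything else can be moved by the action's owner."""
    if FULL_SHA_RE.match(ref):
        return "pinned"
    if SHORT_SHA_RE.match(ref):
        return "short sha"       # abbreviations can become ambiguous; pin the full SHA
    return "mutable ref"         # tag or branch: whoever controls the repo controls the code


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str, str]]:
    """Return (line number, action, ref, reason) for every reference that is not a full SHA."""
    unpinned = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, ref = m.group("target"), m.group("ref")
        kind = classify_ref(ref)
        if kind != "pinned":
            unpinned.append((lineno, target, ref, kind))
    return unpinned


# Constructed workflow: one properly pinned step, one local action, and three
# references that would silently pick up whatever the owner pushes next.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, keep the tag in a comment
      - uses: ./.github/actions/local-step
      - uses: "example-org/example-action@main"
      - uses: example-org/other-action@abc1234
      - run: npm test
"""


if __name__ == "__main__":
    for lineno, target, ref, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target}@{ref} ({reason})")
```

The mutable-ref case is the same failure mode the thread is about: `@v4` or `@main` is a name that resolves to whatever the action's maintainer (or whoever takes over their account) publishes next, while a full commit SHA is content-addressed and cannot be repointed. Keeping the human-readable tag in a trailing comment, as the sample does, is what makes the pinned line still reviewable.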
WebExtension permissions are fucking broken if the set of permissions necessary to reformat and style JSON snippets is sufficient to inject network-capable Javascript code into any page.
If basically any worthwhile extension can be silently updated to inject
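To make the two preceding points concrete (unpack the extension and read what it can do; a formatter that must see every response necessarily gets page-wide reach), here is a small manifest audit as an added example. It is not code from JSON Formatter or any extension on this page. It assumes Manifest V3 field names (`content_scripts`, `host_permissions`, `permissions`) and the standard broad match patterns; both manifests below are constructed, one modelling an always-on formatter and one modelling the same job done only on a toolbar click.

```python
"""Audit an extension manifest for capabilities that exceed its stated job.

Added example for the permissions discussion above, not code from any real
extension. The two manifests below are constructed: the first models what an
always-on JSON formatter needs, the second a click-to-run equivalent.
"""
import json

# Host patterns that match every web page.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions whose presence a reviewer should want justified in the listing.
SENSITIVE_PERMISSIONS = {
    "webRequest": "can observe every request the browser makes",
    "declarativeNetRequest": "can rewrite or block network requests",
    "cookies": "can read and set cookies for permitted hosts",
    "geolocation": "can read the device location",
    "history": "can read browsing history",
}


def is_broad(pattern: str) -> bool:
    return pattern in BROAD_PATTERNS


def can_inject_anywhere(manifest: dict) -> bool:
    """True if the extension can run its own code in every page without a user click."""
    for cs in manifest.get("content_scripts", []):
        if any(is_broad(m) for m in cs.get("matches", [])):
            return True
    perms = set(manifest.get("permissions", []))
    hosts = manifest.get("host_permissions", [])
    return "scripting" in perms and any(is_broad(h) for h in hosts)


def audit_manifest(manifest: dict) -> list[str]:
    """Human-readable findings; an empty list means nothing beyond click-scoped access."""
    findings: list[str] = []
    for i, cs in enumerate(manifest.get("content_scripts", [])):
        broad = [m for m in cs.get("matches", []) if is_broad(m)]
        if broad:
            findings.append(
                f"content_scripts[{i}] matches {broad}: {cs.get('js', [])} runs in every page "
                "and can read or rewrite its DOM; any future update inherits this"
            )
    perms = set(manifest.get("permissions", []))
    hosts = sorted(h for h in manifest.get("host_permissions", []) if is_broad(h))
    if hosts and "scripting" in perms:
        findings.append(f"scripting + host_permissions {hosts}: can inject code into any page on demand")
    elif hosts:
        findings.append(f"host_permissions {hosts}: can fetch from and read any origin")
    for p in sorted(perms & set(SENSITIVE_PERMISSIONS)):
        findings.append(f"permission {p}: {SENSITIVE_PERMISSIONS[p]}")
    return findings


def audit_manifest_text(text: str) -> list[str]:
    """Convenience wrapper for the contents of an unpacked extension's manifest.json."""
    return audit_manifest(json.loads(text))


# Constructed: an always-on formatter must see every response to detect JSON,
# so its content script necessarily runs on every page.
FORMATTER_STYLE = {
    "manifest_version": 3,
    "name": "sample-json-formatter (constructed)",
    "version": "1.0",
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}
    ],
    "permissions": [],
}

# Constructed: the same job done only when the user clicks the toolbar icon,
# so the extension touches one tab at a time and only on request.
CLICK_TO_RUN = {
    "manifest_version": 3,
    "name": "sample-click-formatter (constructed)",
    "version": "1.0",
    "permissions": ["activeTab", "scripting"],
}


if __name__ == "__main__":
    for m in (FORMATTER_STYLE, CLICK_TO_RUN):
        print(m["name"], "| inject anywhere:", can_inject_anywhere(m))
        for f in audit_manifest(m) or ["no broad findings"]:
            print("  -", f)
```

The audit does not say an extension is malicious; it says what the declared manifest lets any version of it do. That is the point the comment makes: for the always-on formatter the single finding is structural, so the only things standing between "formats JSON" and "rewrites checkout pages" are the update channel and the developer's intent, which is why the click-to-run shape (`activeTab` plus `scripting`, no content scripts) is the one to prefer where the feature allows it.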
https://news.ycombinator.com/item?id=37067908
https://chromewebstore.google.com/review-reply/b4a787df-64e5...
> JSON Formatter Classic: https://chromewebstore.google.com/detail/json-formatter-clas...
[1] https://palant.info/2025/01/13/chrome-web-store-is-a-mess/
https://github.com/wesbos/JSON-Alexander
https://github.com/callumlocke/json-formatter/commit/caa213d...
Someone on Twitter noticed it pretty quickly, considering:
https://twitter.com/devinsays/status/2012195612586914143?mx=...
Extensions which ask for all URLs should really be subjected to more thorough reviews.
Quarantined - PUP.Optional.Hijacker. C:\USERS*\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BCJINDCCCAAGFPAPJJMAFAPMMGKKHGOA
wondered what the extension was... JSON Formatter
Now I know what would have happened if I had accepted.
https://chromewebstore.google.com/detail/json-formatter/gpmo...
The chrome team does not seem to see security as a high enough priority.