Beware: HoverZoom extension for Chrome turns evil

Martin Brinkmann
Mar 5, 2013
Updated • Feb 16, 2014

Extensions should not be modified in key aspects without existing users being made aware of those changes.

We have already seen how companies take advantage of Mozilla's add-on repository by approaching add-on developers to purchase their extensions, or to have them modify the extensions to gather data or build money-making schemes into them.

Today it became known that the author of the popular HoverZoom extension for the Google Chrome browser also implemented "features" into the extension that many users will certainly consider unethical if only they knew about them.

A user of the extension noticed that it was acting up when connections to GitHub were made. After additional users reported the same issue, one user wanted to know why HoverZoom needed to POST to a Czech media company server (http://advisormedia.cz/).

The author's reply confirmed that he had agreed to enter a partnership with the company. According to his post, the script detects unused domain names and posts that information to the media company's site.

"This script was added after a partnership has been established with a media consulting company. It detects unused domain names and posts the results to their site. The collected data is strictly anonymous."

HoverZoom is a popular extension for the Chrome browser. The Chrome Web Store lists more than 761,000 users, and reviews of it have been outright positive until now. The most recent reviews, on the other hand, highlight the issue and rate the extension with one star.

What needs to be mentioned in this regard is that the new version, the one with the domain checking, was accepted into the Web Store, which should be a concern for all users of the store. Is it the only extension for Chrome that does that, or did the Czech company contact other extension developers as well to get them to add a similar script to their extensions?

A free fork of the extension has been created by a Reddit user. Hover Free is basically the same extension, but without the domain checking part or other features the original author may have implemented into it lately.

Update: Hover Free is no longer available. It is not clear why that is the case.

We can learn a couple of things from this. First, companies exploit not only the Mozilla store but also the Chrome Web Store by making monetary offers to extension developers. Second, the scripts that get integrated into these extensions do not seem to be detected by reviews. That is not very reassuring, as there is not really anything that regular users can do to detect this in their extensions.
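For readers who are comfortable running a script, the kind of check that would surface a change like this one is sketched below as an added example (it is not code from HoverZoom or from this site): it reads an unpacked extension's manifest.json, reports match patterns that cover every site, and lists hosts hard-coded in the extension's scripts that are not on an expected list. The sample extension, its file names and the hosts images.example and collector.example are constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Match patterns that let an extension's scripts run on (or reach) every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
URL_RE = re.compile(r"""https?://[^\s"'<>\\)]+""")

def audit_extension(ext_dir, expected_hosts=()):
    """Return broad match patterns and unexpected hard-coded hosts of an unpacked extension."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    patterns = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    hosts = {}
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        for url in URL_RE.findall(text):
            host = (urlsplit(url).hostname or "").lower()
            known = any(host == h or host.endswith("." + h) for h in expected_hosts)
            if host and not known:
                hosts.setdefault(host, set()).add(js.relative_to(ext_dir).as_posix())
    return {
        "broad_patterns": sorted(patterns & BROAD),
        "unexpected_hosts": {h: sorted(f) for h, f in sorted(hosts.items())},
    }

def demo():
    """Build a constructed sample extension on disk and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "manifest.json").write_text(json.dumps({
            "manifest_version": 2, "name": "Constructed image zoomer", "version": "1.0",
            "permissions": ["<all_urls>", "storage"],
            "content_scripts": [{"matches": ["http://*/*", "https://*/*"],
                                 "js": ["js/zoom.js", "js/stats.js"]}],
        }), encoding="utf-8")
        (root / "js" / "zoom.js").write_text(
            'var full = "https://images.example/full/" + id;\n', encoding="utf-8")
        (root / "js" / "stats.js").write_text(
            'var x = new XMLHttpRequest();\n'
            'x.open("POST", "http://collector.example/report");\n', encoding="utf-8")
        return audit_extension(root, expected_hosts=("images.example",))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the same audit on the old and the new version of an extension and comparing the two results shows hosts that appeared with an update. A static scan like this only sees URLs written out in the source; hosts assembled at run time show up only in the browser's network log.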

Update: The author of the original HoverZoom extension has implemented a switch in the settings which blocks anonymous usage statistics from being sent. There is no direct alternative for Chrome, but you can use the userscript Mouseover Popup Image Viewer instead, which offers a similar feature set.


Comments

  1. gorankx said on February 14, 2014 at 5:06 pm

    There is Imagus, which is also recommended by Hover Free.

  2. author said on October 18, 2013 at 3:49 pm

    Hover Free is not available.

    1. Martin Brinkmann said on October 18, 2013 at 6:15 pm

      Thanks for letting me know about that. I have updated the article.

  3. blue_bsod said on April 5, 2013 at 2:45 pm

    Photo Zoom for Facebook is better and lists over 4M users. Has extensions for Chrome, Firefox, and Safari, and has no ads, no tracking, no silly 3rd party scripts of off site extensions.

    http://www.regisgaughan.com/fbphotozoom/

  4. batman said on March 9, 2013 at 9:23 am

    I love how developers like this, build on a FREE browser, but somehow feel that they should make money.

  5. Jojo said on March 5, 2013 at 3:13 pm

    There is a nice Android monitor app I run that shows you all the changes made to an app when it is updated.

    Of course, if the developer doesn’t publish the changes, then the app won’t show anything.
    ==========
    Description

    Are you tired of going through every updated application on the Play Store to see what the developer has changed? Changelog Droid solves this problem by fetching all the information directly from the Play Store after or before you update them.

    https://play.google.com/store/apps/details?id=com.cypressworks.changelogviewer&feature=nav_result#

    1. Martin Brinkmann said on March 5, 2013 at 3:15 pm

      I reviewed this or a similar application some time ago, can’t remember right now which it was. It would probably not have helped in this case though.

  6. trekker said on March 5, 2013 at 2:00 pm

    ***Thank you*** for this useful alert, Martin!

    Pls, keep posting
    about suspicious FF addons, too
    …as you’ve done in the past.

    I wish,
    a user-friendly detection mechanism or guidelines
    existed to detect “rogue” addon behavior,
    (An easy way for those of us who are not techie users).

    Meanwhile, I rely on Ghacks.

  7. blue_bsod said on March 5, 2013 at 11:05 am

    @happycommenter: When it comes to free Add-ons, Firefox and Chrome come to mind first. MSIE had very few Add-ons, and most were either junk, trials, or required payment to use. Even with the current MSIE 10, there are fewer than two handfuls of available free Add-ons. Whereas the market goes towards Firefox, which was released with Add-ons, and then later Chrome. Of course MSIE doesn’t have this problem because they have less than 0.0001% of the market when it comes to Add-ons. Advertisers would be stupid to go after Add-ons for a browser with only 0.0001% of the market. It doesn’t make MSIE better because of that. What MSIE lacks in every department, Firefox and Chrome can make up and exceed your expectations using Add-ons. MSIE is full of holes, can be exploited, has poor security, slow, resource hog, crippled and more…

  8. Raton said on March 5, 2013 at 9:45 am
    1. Martin Brinkmann said on March 5, 2013 at 10:05 am

      Thanks, have updated the article.

  9. happycommenter said on March 5, 2013 at 8:06 am

    Interesting they don’t have this problem with Internet Explorer.

  10. funix said on March 5, 2013 at 4:37 am

    Thanks for the information and bringing up the fork for exchange. Without that alternative may have said “meh, whatever”.

  11. trabbel said on March 5, 2013 at 4:17 am

    hey martin, many thanks for letting us know! :)
